Edit tour

Windows Analysis Report
9MgoW3Y1ti.exe

Overview

General Information

Sample name:	9MgoW3Y1ti.exe renamed because original name is a hash value
Original sample name:	b5782418b0d93145d5e7d5ff762c50e3.exe
Analysis ID:	1455413
MD5:	b5782418b0d93145d5e7d5ff762c50e3
SHA1:	8ad9d47fcd5cc8668c316f2ed8b9ce0f44b9adfb
SHA256:	2364f287be72dd7aa1f3cf19ff86314a02b62f4b19792e1e06abad3567d1900c
Tags:	exeSocks5Systemz
Infos:

Detection

Socks5Systemz

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Socks5Systemz

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

Machine Learning detection for dropped file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

9MgoW3Y1ti.exe (PID: 6528 cmdline: "C:\Users\user\Desktop\9MgoW3Y1ti.exe" MD5: B5782418B0D93145D5E7D5FF762C50E3)

9MgoW3Y1ti.tmp (PID: 5232 cmdline: "C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp" /SL5="$203EC,4916934,54272,C:\Users\user\Desktop\9MgoW3Y1ti.exe" MD5: 8EF7001015E126E74BC41268504CA1E2)

recordpadsoundrecorder32.exe (PID: 6724 cmdline: "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i MD5: 05231A29BF2470E3D5FEA74C5FD84462)

recordpadsoundrecorder32.exe (PID: 5068 cmdline: "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s MD5: 05231A29BF2470E3D5FEA74C5FD84462)

svchost.exe (PID: 5388 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Configuration

Threatname: Socks5Systemz

{"C2 list": ["aadolui.ru"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-377H9.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.2196454307.0000000000401000.00000020.00000001.01000000.00000008.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000004.00000000.2199461093.0000000000401000.00000020.00000001.01000000.00000008.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000004.00000002.3438919346.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: recordpadsoundrecorder32.exe PID: 5068	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.recordpadsoundrecorder32.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
3.0.recordpadsoundrecorder32.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 5388, ProcessName: svchost.exe

Snort Signatures

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:04:05.022218
SID:	2049467
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:04:00.660933
SID:	2049467
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:20.999590
SID:	2049467
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:50.457825
SID:	2049467
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:33.060284
SID:	2049467
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:45.145687
SID:	2049467
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:42.718124
SID:	2049467
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:15.218492
SID:	2049467
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:55.568367
SID:	2049467
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:06.281713
SID:	2049467
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:04:09.182356
SID:	2049467
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:53.390046
SID:	2049467
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:58.405789
SID:	2049467
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:04:02.172905
SID:	2049467
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:48.061954
SID:	2049467
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:04:06.419496
SID:	2049467
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:37.431894
SID:	2049467
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:28.375163
SID:	2049467
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:34.520546
SID:	2049467
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:38.944323
SID:	2049467
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:43.506708
SID:	2049467
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:29.131237
SID:	2049467
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:00.558791
SID:	2049467
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:04:10.647905
SID:	2049467
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:17.343055
SID:	2049467
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:54.130080
SID:	2049467
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:12.287039
SID:	2049467
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:10.015867
SID:	2049467
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:23.984682
SID:	2049467
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:32.171182
SID:	2049467
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:04:07.773090
SID:	2049467
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:26.218000
SID:	2049467
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:07.068331
SID:	2049467
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:10.793000
SID:	2049467
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:59.145572
SID:	2049467
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:04:03.617994
SID:	2049467
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:35.977088
SID:	2049467
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:18.026242
SID:	2049467
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 - Source IP: 192.168.2.6 - Destination IP: 94.156.8.14

Timestamp:	06/11/24-20:03:48.957781
SID:	2049467
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9MgoW3Y1ti.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp	Avira: detection malicious, Label: ADWARE/AVI.ICLoader.jwrbl
Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe	Avira: detection malicious, Label: HEUR/AGEN.1314993

Found malware configuration

Source: recordpadsoundrecorder32.exe.5068.4.memstrmin

Malware Configuration Extractor: Socks5Systemz {"C2 list": ["aadolui.ru"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: 9MgoW3Y1ti.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp	Joe Sandbox ML: detected
Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0045B864 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,	2_2_0045B864
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0045B918 ArcFourCrypt,	2_2_0045B918
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0045B930 ArcFourCrypt,	2_2_0045B930
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_10001000 ISCryptGetVersion,	2_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_10001130 ArcFourCrypt,	2_2_10001130

Source: is-39U3O.tmp.2.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_280956d0-c

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack

Source: 9MgoW3Y1ti.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: is-S4BNJ.tmp.2.dr
Source:	Binary string: msvcp120.amd64.pdb source: is-DL0CV.tmp.2.dr
Source:	Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-U97AK.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: is-823LG.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: is-823LG.tmp.2.dr
Source:	Binary string: msvcr120.amd64.pdb source: is-MH9PV.tmp.2.dr
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: is-HD7FV.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-3D4M0.tmp.2.dr
Source:	Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb source: is-TTPUD.tmp.2.dr
Source:	Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb## source: is-TTPUD.tmp.2.dr
Source:	Binary string: C:\msys64\home\--\src\openh264-2.0.0_x64\openh264.pdb source: is-1KIT8.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: is-3VSKS.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: is-J8S40.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb33 source: is-J8S40.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: is-3VSKS.tmp.2.dr
Source:	Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-U97AK.tmp.2.dr

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0047A964 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	2_2_0047A964
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00470C84 FindFirstFileA,FindNextFileA,FindClose,	2_2_00470C84
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00451668 FindFirstFileA,GetLastError,	2_2_00451668
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00460594 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	2_2_00460594
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00492760 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	2_2_00492760
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0047884C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	2_2_0047884C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00460A10 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	2_2_00460A10
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0045F008 FindFirstFileA,FindNextFileA,FindClose,	2_2_0045F008

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49720 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49721 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49723 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49725 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49726 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49729 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49730 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49731 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49732 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49733 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49734 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49735 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49736 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49737 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49738 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49739 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49740 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49741 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49742 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49743 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49744 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49746 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49747 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49748 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49749 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49750 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49751 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49752 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49753 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49754 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49755 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49756 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49757 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49758 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49759 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49760 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49761 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49762 -> 94.156.8.14:80
Source: Traffic	Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49763 -> 94.156.8.14:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: aadolui.ru

Source: global traffic

TCP traffic: 192.168.2.6:49722 -> 194.59.31.219:2023

Source: Joe Sandbox View	IP Address: 94.156.8.14 94.156.8.14
Source: Joe Sandbox View	IP Address: 194.59.31.219 194.59.31.219

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e79c923c HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e79c923c HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown	UDP traffic detected without corresponding DNS query: 91.211.247.248

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Code function: 4_2_00B472A7 Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free,

4_2_00B472A7

Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e79c923c HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e79c923c HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: global traffic

DNS traffic detected: DNS query: aadolui.ru

Source: recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.156.8.14/
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3445138665.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3445876972.0000000003410000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3445676449.0000000003354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.156.8.14/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f499
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.156.8.14/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d
Source: is-4KSHT.tmp.2.dr	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: is-4KSHT.tmp.2.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-4KSHT.tmp.2.dr	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: is-4KSHT.tmp.2.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: is-4KSHT.tmp.2.dr	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: is-PU0LK.tmp.2.dr	String found in binary or memory: http://lame.sf.net
Source: is-PU0LK.tmp.2.dr	String found in binary or memory: http://lame.sf.net32bits64bits
Source: is-PU0LK.tmp.2.dr	String found in binary or memory: http://lame.sf.netB
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: is-4KSHT.tmp.2.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: is-4KSHT.tmp.2.dr	String found in binary or memory: http://ocsps.ssl.com0?
Source: is-4KSHT.tmp.2.dr	String found in binary or memory: http://ocsps.ssl.com0Q
Source: is-3D4M0.tmp.2.dr	String found in binary or memory: http://qt-project.org/xml/features/report-start-end-entity
Source: is-3D4M0.tmp.2.dr	String found in binary or memory: http://qt-project.org/xml/features/report-whitespace-only-CharData
Source: is-U97AK.tmp.2.dr	String found in binary or memory: http://qtav.org2
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: http://t2.symcb.com0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: http://tl.symcd.com0&
Source: is-3D4M0.tmp.2.dr	String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: is-3D4M0.tmp.2.dr	String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 9MgoW3Y1ti.tmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9MgoW3Y1ti.tmp.0.dr, is-VS29P.tmp.2.dr	String found in binary or memory: http://www.innosetup.com/
Source: 9MgoW3Y1ti.exe, 00000000.00000003.2172810157.00000000020A1000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000002.3438960879.00000000020A1000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000003.2172716859.0000000002350000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000003.2175399806.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000003.2175492186.0000000002128000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3439045776.000000000061D000.00000004.00000020.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3439620387.0000000002128000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mpegla.com
Source: 9MgoW3Y1ti.exe, 00000000.00000003.2173371991.0000000002350000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000003.2173880239.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9MgoW3Y1ti.tmp.0.dr, is-VS29P.tmp.2.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: 9MgoW3Y1ti.exe, 00000000.00000003.2173371991.0000000002350000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000003.2173880239.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9MgoW3Y1ti.tmp.0.dr, is-VS29P.tmp.2.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: is-4KSHT.tmp.2.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: is-3D4M0.tmp.2.dr	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: is-3D4M0.tmp.2.dr	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: is-3D4M0.tmp.2.dr	String found in binary or memory: http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech
Source: is-39U3O.tmp.2.dr	String found in binary or memory: https://curl.haxx.se/V
Source: is-39U3O.tmp.2.dr	String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: is-39U3O.tmp.2.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: is-4KSHT.tmp.2.dr	String found in binary or memory: https://www.ssl.com/repository0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0042EEF4 NtdllDefWindowProc_A,	2_2_0042EEF4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00423AF4 NtdllDefWindowProc_A,	2_2_00423AF4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00412548 NtdllDefWindowProc_A,	2_2_00412548
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00455800 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	2_2_00455800
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00473F28 NtdllDefWindowProc_A,	2_2_00473F28

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Code function: 2_2_0042E6DC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

2_2_0042E6DC

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_0040936C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00453FD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		2_2_00453FD0

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_00408330	0_2_00408330
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0046C5C4	2_2_0046C5C4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00434CFC	2_2_00434CFC
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0047B5CE	2_2_0047B5CE
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00463B8C	2_2_00463B8C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004822A0	2_2_004822A0
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00488444	2_2_00488444
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004444A4	2_2_004444A4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0045C87C	2_2_0045C87C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004308A0	2_2_004308A0
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00444B9C	2_2_00444B9C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00444FA8	2_2_00444FA8
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004813C8	2_2_004813C8
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0043D784	2_2_0043D784
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00459850	2_2_00459850
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00465BDC	2_2_00465BDC
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0042FD30	2_2_0042FD30
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00443EFC	2_2_00443EFC
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00433FF8	2_2_00433FF8
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 3_2_00401051	3_2_00401051
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 3_2_00401C26	3_2_00401C26
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 3_2_00406C87	3_2_00406C87
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00401051	4_2_00401051
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00401C26	4_2_00401C26
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00406C87	4_2_00406C87
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00B4F028	4_2_00B4F028
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00B5E1FD	4_2_00B5E1FD
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00B584B2	4_2_00B584B2
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00B5ACAA	4_2_00B5ACAA
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00B65410	4_2_00B65410
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00B5DD09	4_2_00B5DD09
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00B64E99	4_2_00B64E99
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00B59EF4	4_2_00B59EF4
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00B62E24	4_2_00B62E24
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00B5E615	4_2_00B5E615

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) 7623B596CFD989413FEA2FE355607B029EF8E64067275CBF81863688128738B0

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00405964 appears 103 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00406A2C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 0045618C appears 68 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00403400 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00455F80 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00451F4C appears 88 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 0040785C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00408B74 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00445808 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00445AD8 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00403684 appears 211 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: String function: 00433F10 appears 32 times
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: String function: 00B653A0 appears 138 times
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: String function: 00B58B50 appears 37 times

Source: 9MgoW3Y1ti.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 9MgoW3Y1ti.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 9MgoW3Y1ti.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: 9MgoW3Y1ti.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: 9MgoW3Y1ti.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 9MgoW3Y1ti.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-VS29P.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-VS29P.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-VS29P.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-VS29P.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-VS29P.tmp.2.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-PU0LK.tmp.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 9MgoW3Y1ti.exe, 00000000.00000003.2173371991.0000000002350000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs 9MgoW3Y1ti.exe
Source: 9MgoW3Y1ti.exe, 00000000.00000003.2173880239.00000000020A8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs 9MgoW3Y1ti.exe

Source: 9MgoW3Y1ti.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: recordpadsoundrecorder32.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: is-4KSHT.tmp.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UID Finder 6.11.66.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/49@1/2

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Code function: 4_2_00B50870 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,

4_2_00B50870

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_0040936C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00453FD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		2_2_00453FD0

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Code function: 2_2_004547F8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

2_2_004547F8

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: CreateServiceA,		3_2_00402588
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: CreateServiceA,		4_2_0040D117

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe

Code function: 0_2_00409AD0 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409AD0

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Code function: 3_2_00402299 StartServiceCtrlDispatcherA,

3_2_00402299

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 3_2_00402299 StartServiceCtrlDispatcherA,		3_2_00402299
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: 4_2_00402299 StartServiceCtrlDispatcherA,		4_2_00402299

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder

Jump to behavior

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe

File created: C:\Users\user\AppData\Local\Temp\is-O879I.tmp

Jump to behavior

Source: Yara match	File source: 4.0.recordpadsoundrecorder32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.recordpadsoundrecorder32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2196454307.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.2199461093.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-377H9.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 9MgoW3Y1ti.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe

File read: C:\Users\user\Desktop\9MgoW3Y1ti.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9MgoW3Y1ti.exe "C:\Users\user\Desktop\9MgoW3Y1ti.exe"
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Process created: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp "C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp" /SL5="$203EC,4916934,54272,C:\Users\user\Desktop\9MgoW3Y1ti.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Process created: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp "C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp" /SL5="$203EC,4916934,54272,C:\Users\user\Desktop\9MgoW3Y1ti.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s	Jump to behavior

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 9MgoW3Y1ti.exe

Static file information: File size 5167185 > 1048576

Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: is-S4BNJ.tmp.2.dr
Source:	Binary string: msvcp120.amd64.pdb source: is-DL0CV.tmp.2.dr
Source:	Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-U97AK.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: is-823LG.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: is-823LG.tmp.2.dr
Source:	Binary string: msvcr120.amd64.pdb source: is-MH9PV.tmp.2.dr
Source:	Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: is-HD7FV.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-3D4M0.tmp.2.dr
Source:	Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb source: is-TTPUD.tmp.2.dr
Source:	Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb## source: is-TTPUD.tmp.2.dr
Source:	Binary string: C:\msys64\home\--\src\openh264-2.0.0_x64\openh264.pdb source: is-1KIT8.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: is-3VSKS.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: is-J8S40.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb33 source: is-J8S40.tmp.2.dr
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: is-3VSKS.tmp.2.dr
Source:	Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-U97AK.tmp.2.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack .text:ER;.bhead8:R;.data:W;.rsrc:R;.chead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack .text:ER;.bhead8:R;.data:W;.rsrc:R;.chead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Code function: 2_2_00447F60 LoadLibraryExA,LoadLibraryA,GetProcAddress,

2_2_00447F60

Source: recordpadsoundrecorder32.exe.2.dr	Static PE information: section name: .bhead8
Source: recordpadsoundrecorder32.exe.2.dr	Static PE information: section name: .chead8
Source: is-S4BNJ.tmp.2.dr	Static PE information: section name: .didat
Source: is-1KIT8.tmp.2.dr	Static PE information: section name: .rodata
Source: is-PU0LK.tmp.2.dr	Static PE information: section name: _RDATA
Source: is-4KSHT.tmp.2.dr	Static PE information: section name: .vcp1208
Source: UID Finder 6.11.66.exe.3.dr	Static PE information: section name: .bhead8
Source: UID Finder 6.11.66.exe.3.dr	Static PE information: section name: .chead8

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_00406518 push 00406555h; ret	0_2_0040654D
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_0040C024 push cs; retn 0000h	0_2_0040C02F
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_00408028 push ecx; mov dword ptr [esp], eax	0_2_0040802D
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: 0_2_00408E5C push 00408E8Fh; ret	0_2_00408E87
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004098B4 push 004098F1h; ret	2_2_004098E9
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00456228 push 00456260h; ret	2_2_00456258
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004062CC push ecx; mov dword ptr [esp], eax	2_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0045C574 push ecx; mov dword ptr [esp], eax	2_2_0045C579
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00410640 push ecx; mov dword ptr [esp], edx	2_2_00410645
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0040A6C8 push esp; retf	2_2_0040A6D1
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0047E6EC push 0047E7CAh; ret	2_2_0047E7C2
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00412898 push 004128FBh; ret	2_2_004128F3
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004308A0 push ecx; mov dword ptr [esp], eax	2_2_004308A5
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00442E74 push ecx; mov dword ptr [esp], ecx	2_2_00442E78
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00450F04 push 00450F37h; ret	2_2_00450F2F
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0040CF98 push ecx; mov dword ptr [esp], edx	2_2_0040CF9A
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0047323C push ecx; mov dword ptr [esp], edx	2_2_0047323D
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0040546D push eax; ret	2_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0040F4F8 push ecx; mov dword ptr [esp], edx	2_2_0040F4FA
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0040553D push 00405749h; ret	2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004055BE push 00405749h; ret	2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0040563B push 00405749h; ret	2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004056A0 push 00405749h; ret	2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00457A94 push 00457AD8h; ret	2_2_00457AD0
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00419B98 push ecx; mov dword ptr [esp], ecx	2_2_00419B9D

Source: recordpadsoundrecorder32.exe.2.dr	Static PE information: section name: .text entropy: 7.76464029877587
Source: is-4KSHT.tmp.2.dr	Static PE information: section name: .text entropy: 7.694137885769827
Source: UID Finder 6.11.66.exe.3.dr	Static PE information: section name: .text entropy: 7.76464029877587

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0	3_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0	4_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0	4_2_00B4F851

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VS29P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-S4BNJ.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	File created: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PU0LK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3D4M0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-HD7FV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-U97AK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-MH9PV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-J8S40.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EMQ3A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-823LG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-TTPUD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	File created: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-39U3O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3VSKS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-DL0CV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-1KIT8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

File created: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe

Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0	3_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0	4_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0	4_2_00B4F851

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Code function: 3_2_00402299 StartServiceCtrlDispatcherA,

3_2_00402299

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	2_2_00423B7C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	2_2_00423B7C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0047E0A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	2_2_0047E0A8
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0042414C IsIconic,SetActiveWindow,SetFocus,	2_2_0042414C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00424104 IsIconic,SetActiveWindow,	2_2_00424104
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004182F4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	2_2_004182F4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_004227CC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	2_2_004227CC
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00417508 IsIconic,GetCapture,	2_2_00417508
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00417C40 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	2_2_00417C40
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00417C3E IsIconic,SetWindowPos,	2_2_00417C3E

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Code function: 2_2_0044B08C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_0044B08C

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,	3_2_00401B4B
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,	4_2_00401B4B
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,	4_2_00B4F955

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Window / User API: threadDelayed 1330			Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	Window / User API: threadDelayed 8571			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VS29P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-S4BNJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PU0LK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3D4M0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-U97AK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-HD7FV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-MH9PV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-J8S40.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EMQ3A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-823LG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-TTPUD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-39U3O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3VSKS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-DL0CV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-1KIT8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-6444

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_3-3205

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4596	Thread sleep count: 1330 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4596	Thread sleep time: -2660000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4364	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4364	Thread sleep time: -2460000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4596	Thread sleep count: 8571 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4596	Thread sleep time: -17142000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0047A964 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	2_2_0047A964
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00470C84 FindFirstFileA,FindNextFileA,FindClose,	2_2_00470C84
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00451668 FindFirstFileA,GetLastError,	2_2_00451668
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00460594 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	2_2_00460594
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00492760 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	2_2_00492760
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0047884C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	2_2_0047884C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_00460A10 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	2_2_00460A10
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: 2_2_0045F008 FindFirstFileA,FindNextFileA,FindClose,	2_2_0045F008

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe

Code function: 0_2_00409A14 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409A14

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	API call chain: ExitProcess graph end node	graph_0-6302
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	API call chain: ExitProcess graph end node	graph_3-3467
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe	API call chain: ExitProcess graph end node	graph_4-21885

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Code function: 4_2_00B6016E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

4_2_00B6016E

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

4_2_00B6016E

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Code function: 2_2_00447F60 LoadLibraryExA,LoadLibraryA,GetProcAddress,

2_2_00447F60

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Code function: 4_2_00B46487 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,

4_2_00B46487

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Code function: 4_2_00B594D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00B594D8

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Code function: 2_2_004739C4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

2_2_004739C4

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Code function: 2_2_0045B29C GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree,

2_2_0045B29C

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Code function: 4_2_00B5801D cpuid

4_2_00B5801D

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: GetLocaleInfoA,	0_2_0040515C
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe	Code function: GetLocaleInfoA,	0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: GetLocaleInfoA,	2_2_004084D0
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	Code function: GetLocaleInfoA,	2_2_0040851C

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Code function: 2_2_00456D8C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

2_2_00456D8C

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Code function: 2_2_00453F88 GetUserNameA,

2_2_00453F88

Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe

Code function: 0_2_00405C44 GetVersionExA,

0_2_00405C44

Stealing of Sensitive Information

Yara detected Socks5Systemz

Source: Yara match	File source: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3438919346.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: recordpadsoundrecorder32.exe PID: 5068, type: MEMORYSTR

Remote Access Functionality

Yara detected Socks5Systemz

Source: Yara match	File source: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3438919346.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: recordpadsoundrecorder32.exe PID: 5068, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	4 Windows Service	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Bootkit	1 Access Token Manipulation	22 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	4 Windows Service	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	112 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	3 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bootkit	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9MgoW3Y1ti.exe	21%	ReversingLabs	Win32.Trojan.Privateloader
9MgoW3Y1ti.exe	100%	Avira	HEUR/AGEN.1332570

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp	100%	Avira	ADWARE/AVI.ICLoader.jwrbl
C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe	100%	Avira	HEUR/AGEN.1314993
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp	100%	Joe Sandbox ML
C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-1KIT8.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-39U3O.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3D4M0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3VSKS.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp	88%	ReversingLabs	Win32.PUA.IcLoader
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-823LG.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-DL0CV.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EMQ3A.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-HD7FV.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-J8S40.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-MH9PV.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PU0LK.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-S4BNJ.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-TTPUD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-U97AK.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VS29P.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)	88%	ReversingLabs	Win32.PUA.IcLoader
C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy)	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_RegDLL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp	3%	ReversingLabs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://94.156.8.14/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d	0%	Avira URL Cloud	safe
http://lame.sf.net32bits64bits	0%	Avira URL Cloud	safe
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	0%	Avira URL Cloud	safe
http://www.innosetup.com/	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0?	0%	Avira URL Cloud	safe
http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech	0%	Avira URL Cloud	safe
http://aadolui.ru/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e79c923c	0%	Avira URL Cloud	safe
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0	0%	Avira URL Cloud	safe
http://xml.org/sax/features/namespaces	0%	Avira URL Cloud	safe
http://qt-project.org/xml/features/report-whitespace-only-CharData	0%	Avira URL Cloud	safe
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	Avira URL Cloud	safe
https://curl.haxx.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
http://lame.sf.netB	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	Avira URL Cloud	safe
http://xml.org/sax/features/namespace-prefixes	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	Avira URL Cloud	safe
http://qtav.org2	0%	Avira URL Cloud	safe
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	0%	Avira URL Cloud	safe
http://www.remobjects.com/psU	0%	Avira URL Cloud	safe
http://lame.sf.net	0%	Avira URL Cloud	safe
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	0%	Avira URL Cloud	safe
http://94.156.8.14/	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	Avira URL Cloud	safe
aadolui.ru	0%	Avira URL Cloud	safe
https://www.thawte.com/cps0/	0%	Avira URL Cloud	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	Avira URL Cloud	safe
https://www.thawte.com/repository0W	0%	Avira URL Cloud	safe
http://qt-project.org/xml/features/report-start-end-entity	0%	Avira URL Cloud	safe
https://curl.haxx.se/docs/copyright.htmlD	0%	Avira URL Cloud	safe
https://curl.haxx.se/V	0%	Avira URL Cloud	safe
https://www.ssl.com/repository0	0%	Avira URL Cloud	safe
http://aadolui.ru/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791	0%	Avira URL Cloud	safe
http://trolltech.com/xml/features/report-start-end-entity	0%	Avira URL Cloud	safe
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	0%	Avira URL Cloud	safe
http://www.mpegla.com	0%	Avira URL Cloud	safe
http://www.remobjects.com/ps	0%	Avira URL Cloud	safe
http://trolltech.com/xml/features/report-whitespace-only-CharData	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0Q	0%	Avira URL Cloud	safe
http://94.156.8.14/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f499	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
aadolui.ru	94.156.8.14	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://aadolui.ru/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e79c923c	true	Avira URL Cloud: safe	unknown
aadolui.ru	true	Avira URL Cloud: safe	unknown
http://aadolui.ru/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	9MgoW3Y1ti.tmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9MgoW3Y1ti.tmp.0.dr, is-VS29P.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0	is-4KSHT.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	false	URL Reputation: safe	unknown
http://lame.sf.net32bits64bits	is-PU0LK.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	false	URL Reputation: safe	unknown
http://qt-project.org/xml/features/report-whitespace-only-CharData	is-3D4M0.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://xml.org/sax/features/namespaces	is-3D4M0.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0?	is-4KSHT.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://94.156.8.14/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d	recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	is-4KSHT.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech	is-3D4M0.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	is-4KSHT.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://lame.sf.netB	is-PU0LK.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0	is-4KSHT.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://xml.org/sax/features/namespace-prefixes	is-3D4M0.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://qtav.org2	is-U97AK.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/docs/http-cookies.html	is-39U3O.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	is-4KSHT.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/psU	9MgoW3Y1ti.exe, 00000000.00000003.2173371991.0000000002350000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000003.2173880239.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9MgoW3Y1ti.tmp.0.dr, is-VS29P.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	is-4KSHT.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://lame.sf.net	is-PU0LK.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://94.156.8.14/	recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/cps0/	is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://qt-project.org/xml/features/report-start-end-entity	is-3D4M0.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/docs/copyright.htmlD	is-39U3O.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/V	is-39U3O.tmp.2.dr	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	is-4KSHT.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://trolltech.com/xml/features/report-start-end-entity	is-3D4M0.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://www.mpegla.com	9MgoW3Y1ti.exe, 00000000.00000003.2172810157.00000000020A1000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000002.3438960879.00000000020A1000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000003.2172716859.0000000002350000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000003.2175399806.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000003.2175492186.0000000002128000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3439045776.000000000061D000.00000004.00000020.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3439620387.0000000002128000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	9MgoW3Y1ti.exe, 00000000.00000003.2173371991.0000000002350000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000003.2173880239.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9MgoW3Y1ti.tmp.0.dr, is-VS29P.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://trolltech.com/xml/features/report-whitespace-only-CharData	is-3D4M0.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	is-4KSHT.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0Q	is-4KSHT.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://94.156.8.14/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f499	recordpadsoundrecorder32.exe, 00000004.00000002.3445138665.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3445876972.0000000003410000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3445676449.0000000003354000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.8.14	aadolui.ru	Bulgaria		43561	NET1-ASBG	true
194.59.31.219	unknown	Germany		30823	COMBAHTONcombahtonGmbHDE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1455413
Start date and time:	2024-06-11 20:01:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9MgoW3Y1ti.exe renamed because original name is a hash value
Original Sample Name:	b5782418b0d93145d5e7d5ff762c50e3.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/49@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 193 Number of non-executed functions: 257
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 9MgoW3Y1ti.exe

Simulations

Behavior and APIs

Time	Type	Description
14:02:40	API Interceptor	515960x Sleep call for process: recordpadsoundrecorder32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.8.14	awb__document__invoice__2024__04__02__000000000000004320000000000000.vbs	Get hash	malicious	FormBook, GuLoader	Browse	94.156.8.14/tJWrHmlMQNR240.bin
94.156.8.14	awb_shipping_documents_bl_01_04_2024_0000000000.vbs	Get hash	malicious	FormBook, GuLoader, Remcos	Browse	94.156.8.14/gKMOUQth43.bin
194.59.31.219	tOniaJ21lj.exe	Get hash	malicious	Socks5Systemz	Browse
	asaTr3exz5.exe	Get hash	malicious	Socks5Systemz	Browse
	SvctlJEZsa.exe	Get hash	malicious	Socks5Systemz	Browse
	zcpLQDujv9.exe	Get hash	malicious	Socks5Systemz	Browse
	DMRSGfYa44.exe	Get hash	malicious	Socks5Systemz	Browse
	J459EO4HX3.exe	Get hash	malicious	Socks5Systemz	Browse
	6Xsre97JxM.exe	Get hash	malicious	Socks5Systemz	Browse
	7grn4ITCaM.exe	Get hash	malicious	Socks5Systemz	Browse
	UmMgwOUPt5.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse
	V90FqClRNT.exe	Get hash	malicious	Socks5Systemz	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMBAHTONcombahtonGmbHDE	tOniaJ21lj.exe	Get hash	malicious	Socks5Systemz	Browse	194.59.31.219
	asaTr3exz5.exe	Get hash	malicious	Socks5Systemz	Browse	194.59.31.219
	SvctlJEZsa.exe	Get hash	malicious	Socks5Systemz	Browse	194.59.31.219
	zcpLQDujv9.exe	Get hash	malicious	Socks5Systemz	Browse	194.59.31.219
	DMRSGfYa44.exe	Get hash	malicious	Socks5Systemz	Browse	194.59.31.219
	J459EO4HX3.exe	Get hash	malicious	Socks5Systemz	Browse	194.59.31.219
	6Xsre97JxM.exe	Get hash	malicious	Socks5Systemz	Browse	194.59.31.219
	7grn4ITCaM.exe	Get hash	malicious	Socks5Systemz	Browse	194.59.31.219
	nerbianrat.bin	Get hash	malicious	Unknown	Browse	45.153.240.73
	SKGHM_PE_757583588358839538539599593BeoersKnucklehead.vbs	Get hash	malicious	Remcos, GuLoader	Browse	194.59.31.187
NET1-ASBG	tOniaJ21lj.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.14
	asaTr3exz5.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.14
	SvctlJEZsa.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.14
	zcpLQDujv9.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.14
	DMRSGfYa44.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.14
	J459EO4HX3.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.14
	Xwt4p7gzy1.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.14
	6Xsre97JxM.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.14
	UL09QPJEEX.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.14
	91fJRSNjz3.exe	Get hash	malicious	Socks5Systemz	Browse	94.156.8.14

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)	tOniaJ21lj.exe	Get hash	malicious	Socks5Systemz	Browse
	asaTr3exz5.exe	Get hash	malicious	Socks5Systemz	Browse
	SvctlJEZsa.exe	Get hash	malicious	Socks5Systemz	Browse
	zcpLQDujv9.exe	Get hash	malicious	Socks5Systemz	Browse
	DMRSGfYa44.exe	Get hash	malicious	Socks5Systemz	Browse
	J459EO4HX3.exe	Get hash	malicious	Socks5Systemz	Browse
	Xwt4p7gzy1.exe	Get hash	malicious	Socks5Systemz	Browse
	6Xsre97JxM.exe	Get hash	malicious	Socks5Systemz	Browse
	UL09QPJEEX.exe	Get hash	malicious	Socks5Systemz	Browse
	91fJRSNjz3.exe	Get hash	malicious	Socks5Systemz	Browse
C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)	tOniaJ21lj.exe	Get hash	malicious	Socks5Systemz	Browse
	asaTr3exz5.exe	Get hash	malicious	Socks5Systemz	Browse
	SvctlJEZsa.exe	Get hash	malicious	Socks5Systemz	Browse
	zcpLQDujv9.exe	Get hash	malicious	Socks5Systemz	Browse
	DMRSGfYa44.exe	Get hash	malicious	Socks5Systemz	Browse
	J459EO4HX3.exe	Get hash	malicious	Socks5Systemz	Browse
	Xwt4p7gzy1.exe	Get hash	malicious	Socks5Systemz	Browse
	6Xsre97JxM.exe	Get hash	malicious	Socks5Systemz	Browse
	UL09QPJEEX.exe	Get hash	malicious	Socks5Systemz	Browse
	91fJRSNjz3.exe	Get hash	malicious	Socks5Systemz	Browse

Created / dropped Files

C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe

Download File

Process:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3149260
Entropy (8bit):	6.90789109689728
Encrypted:	false
SSDEEP:	98304:ltFvpn2HjjeLN33Ltcq0L409R8dsZ0q1X:lt9pnAjyLN3JQR8dsp
MD5:	05231A29BF2470E3D5FEA74C5FD84462
SHA1:	18D4BF866691E6DEE2819367993761522E462933
SHA-256:	B6856AE9351FB50266F4803C7630ED195BCE9A0AF8C0D00CCEAC22B7250E1DDC
SHA-512:	DEDB877FB6A44D0E6E9485B2A00A555F0B3E9C12040C55744194BB4E270B25195B9517DA5F82E5A53B06A51F8ABB51D5D3874E70724D1A5BE8711833F9DF65D3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^..........&...............................@..........................00.........................................................@............................................................................................................text............................... ..`.bhead8.n*.......0..................@..@.data...xT...0...@...0..............@....rsrc................p..............@..@.chead8............................a.f.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\uit_66.dat

Download File

Process:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:tn:t
MD5:	9F01D1BC20E8ACE51C7EC451D295E172
SHA1:	697B17C833729699A4747F819A4C6560B2097445
SHA-256:	1441F4A70397F6734F6F9E6691B4010B9E4374343D5B755FB9D022EFCC861AB3
SHA-512:	BB7E4B1EFF66620CD73EF3688A20C8D4BB4B02C785BABFD793D63AA0E7DCC299074B59B804C13D02F9E55B3D497FB98B03ABF892BB2CAC4A00F9F4BD54F7AD26
Malicious:	false
Reputation:	low
Preview:	[.hf....

C:\ProgramData\urc_66.dat

Download File

Process:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:y:y
MD5:	D83A262FC46BD9C9D48FF14208EF17BC
SHA1:	D742C6B01FE4B5D54EE43A031637753232284E8B
SHA-256:	40D95A7C7F1655A0070DDF3CE81EB83C0E88AB92766B85E6A0BB98503896E036
SHA-512:	21C38C9D3047923AAF00A89E5824D8B3FD8C378710856293FC3C26B88D4B73F00D9EB4C857F66B12A5943CAE59EC7644DCD6B42D0FD4A240EC20425002EADF6C
Malicious:	false
Reputation:	low
Preview:	3...

C:\ProgramData\ures-a.dat

Download File

Process:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.9545817380615236
Encrypted:	false
SSDEEP:	3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
MD5:	98DDA7FC0B3E548B68DE836D333D1539
SHA1:	D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
SHA-256:	870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
SHA-512:	E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................

C:\ProgramData\ures-b.dat

Download File

Process:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	1.2701231977328944
Encrypted:	false
SSDEEP:	3:WAmJuXDz8/:HHzc
MD5:	0D6174E4525CFDED5DD1C9440B9DC1E7
SHA1:	173EF30A035CE666278904625EADCFAE09233A47
SHA-256:	458677CDF0E1A4E87D32AB67D6A5EEA9E67CB3545D79A21A0624E6BB5E1087E7
SHA-512:	86DA96385985A1BA3D67A8676A041CA563838F474DF33D82B6ECD90C101703B30747121A6B7281E025A3C11CE28ACCEDFC94DB4E8D38E391199458056C2CD27A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	ccddf9e705966c2f471db9..........................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	320120
Entropy (8bit):	6.398399631689542
Encrypted:	false
SSDEEP:	6144:bSU6+JAfisltPzYzrIybvaEezwMckNI+STEDv4nk3ad04ZqhKTrg+COv:brAltbYzsOvaWJ
MD5:	DB19F6E0A1BB5DB1C8D87C3FE0891136
SHA1:	3B2DAB478A8268000EF5E4474D52CB71F9EB615E
SHA-256:	7623B596CFD989413FEA2FE355607B029EF8E64067275CBF81863688128738B0
SHA-512:	B328DC6D1ADE3061894BC5C50F437B732190DE3CEA6D2CDC147A9A8193EE73221937FBA24209B66226D5E4B05DFFF5A79DB8B134373D1218605BCBA6EE82A6B3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: tOniaJ21lj.exe, Detection: malicious, Browse Filename: asaTr3exz5.exe, Detection: malicious, Browse Filename: SvctlJEZsa.exe, Detection: malicious, Browse Filename: zcpLQDujv9.exe, Detection: malicious, Browse Filename: DMRSGfYa44.exe, Detection: malicious, Browse Filename: J459EO4HX3.exe, Detection: malicious, Browse Filename: Xwt4p7gzy1.exe, Detection: malicious, Browse Filename: 6Xsre97JxM.exe, Detection: malicious, Browse Filename: UL09QPJEEX.exe, Detection: malicious, Browse Filename: 91fJRSNjz3.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~@hB:!..:!..:!..3Y..2!...L..8!..aI..8!...L..,!...L..2!...L..9!...O..=!..:!..."...O../!...O..;!...O..;!..:!..;!...O..;!..Rich:!..........................PE..d....lP_.........." .....\...v......$_...................................................`..........................................5...........................,......x.......\|...P...T.......................(....................p..p............................text....[.......\.................. ..`.rdata..."...p...$...`..............@..@.data...8...........................@....pdata...,..........................@..@.rsrc...............................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	331384
Entropy (8bit):	6.387255143196498
Encrypted:	false
SSDEEP:	6144:cOjmvCPMfXfCsXL0hq+SNcFxkqSj1ZBtp:fcC05tp
MD5:	C3424F2D3D26632C341EF2F542AEA36B
SHA1:	30640EBFF046085DBA3BD0877DE8A90886BED945
SHA-256:	FB0BD60A7D0178C62CFD14D53B40AD47E8F68DB68B95C625723CADC1CD3A1A3E
SHA-512:	72D9A32433DA38CFB752A67C5F903F3480871FCBD16DC5999FB970313079652CF7AEB481DA6097879B641A0E76271118C6E82406DD14C9C90C7460BA6A71BDC7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: tOniaJ21lj.exe, Detection: malicious, Browse Filename: asaTr3exz5.exe, Detection: malicious, Browse Filename: SvctlJEZsa.exe, Detection: malicious, Browse Filename: zcpLQDujv9.exe, Detection: malicious, Browse Filename: DMRSGfYa44.exe, Detection: malicious, Browse Filename: J459EO4HX3.exe, Detection: malicious, Browse Filename: Xwt4p7gzy1.exe, Detection: malicious, Browse Filename: 6Xsre97JxM.exe, Detection: malicious, Browse Filename: UL09QPJEEX.exe, Detection: malicious, Browse Filename: 91fJRSNjz3.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........O...........8...................................W............W.....W.....W.T.....<....W.....Rich...........................PE..d...z.P_.........." .........................................................@....../.....`..................................................*....... ...........1......x....0..8....N..T...................XP..(...PO...............................................text............................... ..`.rdata.............................@..@.data...............................@....pdata...1.......2..................@..@.rsrc........ ......................@..@.reloc..8....0......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	469624
Entropy (8bit):	6.027128925039679
Encrypted:	false
SSDEEP:	6144:g814pr+wMrppkALmug7u7ozC/B4OvCH9UYHeAeBC:u9+wAkAS2j/B4BryC
MD5:	820FFF478DC5F2C2D5F03A5DB9187FBC
SHA1:	BD58AA8596345C837E1743617452EC7D73013F3A
SHA-256:	3DC976E86D64881E0F37A54B5A04E903235E94D858889B1261527F0048CFBC03
SHA-512:	1476919C5C133ACA519B9E9BE2684A85C7E669FA43942204ACDD9EC4A40577F966AD17D30A7EBD3A97A871E71178F0058966410A934822B96F0B2D7120AA43CB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m>W.)_9.)_9.)_9. '../_9..28.+_9..2<.?_9..2=.!_9..2:.*_9.r7=.(_9.r78.%_9..18.,_9.)_8.._9..1<.&_9..19.(_9..1.(_9.)_..(_9..1;.(_9.Rich)_9.........PE..d...G.P_.........." .................................................................[....`.........................................0d...:...................p...K......x.......h....B..T...................8D..(...0C...............0...............................text...t........................... ..`.rdata.......0....... ..............@..@.data..............................@....pdata...K...p...L..................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	213112
Entropy (8bit):	6.331143352918189
Encrypted:	false
SSDEEP:	3072:V7rtKxzN2HVkkNUq3uUw8SWrBEcsGhLec956+48G+ikgyOzk1kLrTzhvt3GyY:Vr2N253eUw81rBXVevrH+mk12rTlS
MD5:	63D91B407A350DA5CE19B5D79924B1F4
SHA1:	45886A4018B60A5EAB7D4B743F4DF2A9A4318EDC
SHA-256:	22B626313A535C85CE6A097571C53A6E6678A9D4BC5D0DB9F81660ADC7ED366E
SHA-512:	FA06AB2B1AE116BC7AE93EA64D4C258A7149A23C0171C077F0919956101A22A59DD8E3F975C64073319842F01D6183253F637A0EDB514F0C02C9D88B0E65E6CF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u..j...j...j.......j.......j.. ....j.. ....j.. ....j.. ....j..i....j...j...j..i....j..i....j..i...j...j...j..i....j..Rich.j..................PE..d....kP_.........." .........,...............................................`............`..........................................t..._...........@..........t"...*..x....P.......;..T...........................`;...............................................text............................... ..`.rdata..............................@..@.data...............................@....pdata..t".......$..................@..@.rsrc........@....... ..............@..@.reloc.......P.......&..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	248680
Entropy (8bit):	4.820760286569876
Encrypted:	false
SSDEEP:	6144:k6bBPHJr5r5C9Fg8Imnw5bR3Kklo7rbQox:kz
MD5:	60BAB1D197D91828ED25099968F7D8C5
SHA1:	FC8E1B3C2C98727D2D81A8E85420FA80EE655F19
SHA-256:	F682B5AA0AF3CEE93F890EC6717F94C1AC9B75EBFF512955C6531E7CEE05D196
SHA-512:	5B9CBB11E3FCB00FD76F595520DA4610FA37B0F1227D016D77350909846BA33AF9A32B650BB1CE9A73549DB5BF190C2205E28223D1745191B2424F6DC7327B38
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........e..6..6..6..`6..6...7..6...7..6...7..6...7..62..7..6J..7..62..7..6l..7..6..6...6l..7..6l..7..6l..6..6.d6..6l..7..6Rich..6........................PE..d...3N2c.........." ................................................................U....`..........................................&...0..(W..,.... ..................h!..............T...........................`...8............................................text...+........................... ..`.rdata..v'.......(..................@..@.data...x%....... ..................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	135016
Entropy (8bit):	5.674566205873397
Encrypted:	false
SSDEEP:	1536:GZU6fX6Kj693r/67BhRpsGmQhRJRVW8/mpI4Sx8K5aqEkmgcs8MYQJaqEkmgcs8o:GZU6qz3ERpNzhRvVoVDe1r0+
MD5:	61CF5C843D8A31162B59C074AE74A76E
SHA1:	123E0EACE3DD60FEF94DC96215468D22434C50FB
SHA-256:	F51BB73407C96E4A2E3016A96A870FA4B422A8B1851477048D122CCC2D523687
SHA-512:	AA1C3175D9A0E11341B8A2F1C5372E99E1164169C8FC71727A0FE6655878782E921FA046D6A83CA2E2C67DAE0609704442EBCFDBE985281F02DDB7E288DC718D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................2.&......<......>..................qY/....qY1....qY.....8<............8......8=.....8?....Rich............................PE..d...F..].........." ......................................................... ......S.....`.............................................d...............................h!......\...`...8...............................p............................................text............................... ..`.rdata..t...........................@..@.data...a...........................@....pdata..............................@..@.idata..8(.........................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-1KIT8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	869224
Entropy (8bit):	6.632387605957213
Encrypted:	false
SSDEEP:	24576:DJf34ppw4hjg401r+iTy2mmzuF3SJciti0ZIj8UoJwCR:Dl3ypw4yN/RiF3SJdO8xJv
MD5:	DAA904CE63B0A290111AED5E843B9368
SHA1:	6642AD5C2622D756EB3500E7C0420E9DA7A16BB1
SHA-256:	471BBC3FA0A98869F6791E0D1A55B38F5E360842A7CC219A6FF26030E62DBB1B
SHA-512:	CBFD06523F1855AAF4BE2D33EB3A3A324C8D7AF4871B314AC2C165FD17F8DA6CD2F465E9405412282AAC1ED247B811A4A73D91069A324A5AEC531253AE3A4D0B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.9d0.W70.W70.W7...73.W70.V7m.W7.M.71.W7v..7..W7v..7..W7v..7$.W7.s.7e.W70.W7'.W7.s.71.W7=..71.W7.s.71.W7Rich0.W7........PE..d......].........." .....8...........\...............................................$....`.................................................\|...(....`..........x]..."..h!...p.......R..8...............................p............P..H............................text...7+.......,.................. ..`.rodata......@.......0.............. ..`.rdata..FP...P...R...<..............@..@.data... K.......&..................@....pdata..x].......^..................@..@.rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-377H9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	data
Category:	dropped
Size (bytes):	3149260
Entropy (8bit):	6.907890912986219
Encrypted:	false
SSDEEP:	98304:OtFvpn2HjjeLN33Ltcq0L409R8dsZ0q1X:Ot9pnAjyLN3JQR8dsp
MD5:	B8C44D1B376313ADD6A5EA0C87988C4A
SHA1:	65A4348DF2B3911B43F3AC97EC90A19CB18B1120
SHA-256:	93190F63155E68FC8BB929DE1FCDA76A799FC66EB803A20399C5D2CEE792FA54
SHA-512:	C2F47432062377AE0D6C7D7E04B985C13EEB3511744D2F05B8C1B870FF85F3A8B3AFBC8D6D49073FC008C71C9AC1D19F1B1B5E708B3B7CBD9AAB7238161273D4
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-377H9.tmp, Author: Joe Security
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^..........&...............................@..........................00.........................................................@............................................................................................................text............................... ..`.bhead8.n*.......0..................@..@.data...xT...0...@...0..............@....rsrc................p..............@..@.chead8............................a.f.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-39U3O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	363880
Entropy (8bit):	6.3947346615222305
Encrypted:	false
SSDEEP:	6144:lieS4N0DdxBa72yNQuqped6c7Bv5ebr+U2pyQqsa3a8g+QTW:UeSyCVaiyNQAd6cV5K+Jp37W
MD5:	460B0576549FFD1F55D717BA6E265A05
SHA1:	65AB7E2109658102678C122D7DE603E64DCE7CC5
SHA-256:	AAB56C21B6CEC7065882A750BECB4526B4CB5815A4AC002C2594F84FB0F5955F
SHA-512:	666B16FF72CB847B8D141B0110BBB45AAE67D9BB01E2D6B48C7BDA61C5DC3126CCBC72627C1B93EC23B87E9427C39DC890F1E0A72E5077DC0071E5FEA1B1E3A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................7!.....;.....9...............>.;...Vh-.......>.......>.:....=...>.8...Rich....................PE..d.....%Y.........." .........d.......................................................L....`.........................................@........................P...7...l..h!......8.......................................p............ ...............................text...K........................... ..`.rdata....... ......................@..@.data...@....@.......(..............@....pdata...7...P...8...*..............@..@.rsrc................b..............@..@.reloc..8............h..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3D4M0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	213112
Entropy (8bit):	6.331143352918189
Encrypted:	false
SSDEEP:	3072:V7rtKxzN2HVkkNUq3uUw8SWrBEcsGhLec956+48G+ikgyOzk1kLrTzhvt3GyY:Vr2N253eUw81rBXVevrH+mk12rTlS
MD5:	63D91B407A350DA5CE19B5D79924B1F4
SHA1:	45886A4018B60A5EAB7D4B743F4DF2A9A4318EDC
SHA-256:	22B626313A535C85CE6A097571C53A6E6678A9D4BC5D0DB9F81660ADC7ED366E
SHA-512:	FA06AB2B1AE116BC7AE93EA64D4C258A7149A23C0171C077F0919956101A22A59DD8E3F975C64073319842F01D6183253F637A0EDB514F0C02C9D88B0E65E6CF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u..j...j...j.......j.......j.. ....j.. ....j.. ....j.. ....j..i....j...j...j..i....j..i....j..i...j...j...j..i....j..Rich.j..................PE..d....kP_.........." .........,...............................................`............`..........................................t..._...........@..........t"...*..x....P.......;..T...........................`;...............................................text............................... ..`.rdata..............................@..@.data...............................@....pdata..t".......$..................@..@.rsrc........@....... ..............@..@.reloc.......P.......&..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3VSKS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	331384
Entropy (8bit):	6.387255143196498
Encrypted:	false
SSDEEP:	6144:cOjmvCPMfXfCsXL0hq+SNcFxkqSj1ZBtp:fcC05tp
MD5:	C3424F2D3D26632C341EF2F542AEA36B
SHA1:	30640EBFF046085DBA3BD0877DE8A90886BED945
SHA-256:	FB0BD60A7D0178C62CFD14D53B40AD47E8F68DB68B95C625723CADC1CD3A1A3E
SHA-512:	72D9A32433DA38CFB752A67C5F903F3480871FCBD16DC5999FB970313079652CF7AEB481DA6097879B641A0E76271118C6E82406DD14C9C90C7460BA6A71BDC7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........O...........8...................................W............W.....W.....W.T.....<....W.....Rich...........................PE..d...z.P_.........." .........................................................@....../.....`..................................................*....... ...........1......x....0..8....N..T...................XP..(...PO...............................................text............................... ..`.rdata.............................@..@.data...............................@....pdata...1.......2..................@..@.rsrc........ ......................@..@.reloc..8....0......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2042352
Entropy (8bit):	7.085275197144553
Encrypted:	false
SSDEEP:	24576:OFZD9URlmDrgBrhEci8XhP3YLd44RS6+FNbqUzUxVvqKGTZnIzudBDFPjQAr10Fu:+ZeLrXFcL0YF7pvtHkfH
MD5:	876A839023B8F962A72D295DA7495734
SHA1:	62A7728679BC18784B1FBF1D013F7CECE18CBEC9
SHA-256:	A757D773DA406411FB977761F6E56F016D48D224AEDAF3D875ED4D4A9EDE6158
SHA-512:	E1B23A2F5EC0100FF874CA075BBD0F90E9065A90FEC66861F99DF603D7AAA9DB8E8EC326710FDC11AD41D01BEFE4EA3077136127ACF613614D0D12FF23BEC6C1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^............................4.............@..........................@.......................................................p...3..............X............................................................................................text............................... ..`.rdata..x%.......0..................@..@.data....S.......0..................@....rsrc....@...p...@...@..............@..@.vcp1208............................a.G.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-823LG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	469624
Entropy (8bit):	6.027128925039679
Encrypted:	false
SSDEEP:	6144:g814pr+wMrppkALmug7u7ozC/B4OvCH9UYHeAeBC:u9+wAkAS2j/B4BryC
MD5:	820FFF478DC5F2C2D5F03A5DB9187FBC
SHA1:	BD58AA8596345C837E1743617452EC7D73013F3A
SHA-256:	3DC976E86D64881E0F37A54B5A04E903235E94D858889B1261527F0048CFBC03
SHA-512:	1476919C5C133ACA519B9E9BE2684A85C7E669FA43942204ACDD9EC4A40577F966AD17D30A7EBD3A97A871E71178F0058966410A934822B96F0B2D7120AA43CB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m>W.)_9.)_9.)_9. '../_9..28.+_9..2<.?_9..2=.!_9..2:.*_9.r7=.(_9.r78.%_9..18.,_9.)_8.._9..1<.&_9..19.(_9..1.(_9.)_..(_9..1;.(_9.Rich)_9.........PE..d...G.P_.........." .................................................................[....`.........................................0d...:...................p...K......x.......h....B..T...................8D..(...0C...............0...............................text...t........................... ..`.rdata.......0....... ..............@..@.data..............................@....pdata...K...p...L..................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-DL0CV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660128
Entropy (8bit):	6.339798513733826
Encrypted:	false
SSDEEP:	12288:N2fus43uu43Ry4GHlT4xH2K+M+/i+WSpY+7YOzCaK9A3gS2EKZm+GWodEEwnyh:muJzCaK9AB2EKZm+GWodEEwnyh
MD5:	46060C35F697281BC5E7337AEE3722B1
SHA1:	D0164C041707F297A73ABB9EA854111953E99CF1
SHA-256:	2ABF0AAB5A3C5AE9424B64E9D19D9D6D4AEBC67814D7E92E4927B9798FEF2848
SHA-512:	2CF2ED4D45C79A6E6CEBFA3D332710A97F5CF0251DC194EEC8C54EA0CB85762FD19822610021CCD6A6904E80AFAE1590A83AF1FA45152F28CA56D862A3473F0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;..h..h..h..[h..h..h..h..Mh..hIAWh..h..Oh..h..qh..h..ph..h..uh..h..Lh..h..Kh..h..Nh..hRich..h................PE..d.....OR.........." .....@...................................................`......a.....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EMQ3A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20840
Entropy (8bit):	6.3244920295043645
Encrypted:	false
SSDEEP:	384:rk3cFbdBtZHvagGFsGfZyGmGovy8ZpHEi+:rk0vHy9oyiRM
MD5:	D2BC90D6AF120A0643AD5DC5F3CE8D43
SHA1:	419C3246B08125754CCBB4323DD823F8DA0548CB
SHA-256:	BDED78571A2E60B3324AB9B4D3DDB6DE12FC08CB4BBE6A582A2C2292AA17CCE6
SHA-512:	F34C90E44F473A8CD62B75B6D531FDD47AD132A3F1BCE7AD5C0DDF30C61A2454BA214AA2B6CD50C2A1B6CD3AC85F2D9989775376A400D34EBBD2EFAB0FBECC7A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ovA{+./(+./(+./("o.(/./(yb.))./(yb)%./(yb+)#./(yb,)(./(?\|.)../(+..(../(.b)./(.b/)./(.b.(./(.b-)./(Rich+./(........................PE..d....z{c.........." ......... .......................................................7....`..........................................8..t...T;..x....p.......`.......0..h!......<....1...............................2..8............0..(............................text............................... ..`.rdata.......0......................@..@.data........P.......(..............@....pdata.......`.......*..............@..@.rsrc........p.......,..............@..@.reloc..<...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-G6H1M.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	51
Entropy (8bit):	3.48286657951254
Encrypted:	false
SSDEEP:	3:cUoytoUD6MBomFUT:cUoQoUD6Qoyy
MD5:	034D89CD2C41EDFCEADA9F96A3C0A56A
SHA1:	92AB4E6FF98CA987D56EA3C1BA36D1C61EF23ACB
SHA-256:	44BBE94D481B106F00223DD406D015AEFD00CFA2DBA9428BEFC2B8F6A3FEB971
SHA-512:	6C3E701D2D0FD24FDB46C0E1B0EF5245F36E4A34A9D2340665A31F6331C2D6F08680399600FB02C3D51694F9BAFFB3E41A367CB4FE945D4836B669DA63EB6358
Malicious:	false
Preview:	1 1..4 3..3 2..16 9..6 5..468 60..728 90..2592 1936

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-HD7FV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31528
Entropy (8bit):	6.472533190412445
Encrypted:	false
SSDEEP:	384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
MD5:	7EE2B93A97485E6222C393BFA653926B
SHA1:	F4779CBFF235D21C386DA7276021F136CA233320
SHA-256:	BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
SHA-512:	4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..\4~.\4~.\4~...^4~.UL..X4~.Dz.[4~.D}.^4~.\4..v4~.D..Y4~.D{.O4~.D~.]4~.D..]4~.D\|.]4~.Rich\4~.........PE..d...W8.^.........." .........$............................................................`A.........................................>..L....?..x....p.......`..4....:..(A......p...@3..T............................3..0............0..0............................text...(........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..4....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-J8GD3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	1297
Entropy (8bit):	5.115489615345492
Encrypted:	false
SSDEEP:	24:CbUneZXof9+bOOrXqFT09+JYrXqFTzl796432s4EOkUs8QROJ32s3yxsITf+3t1e:Cn3OOrXqJ07rXqJzr6432sv832s3EsI/
MD5:	AAF4009F5963B1B270D8C3E697EBE442
SHA1:	F5A44235094DA0B8B5992C6112CB8C356EF22B93
SHA-256:	3988CDCCB878675B4AB8C11F21EF7F6301451F59E2E2BF3F07E963D36C8E9767
SHA-512:	BC30F4C5F17E4F0CDE2CDD5C36A6EC28271569E18808E736186D42409564E3E6FFA8AD23842912C90F39CE6264A698714A434092778C74CBDE6C330DD3969109
Malicious:	false
Preview:	Copyright (c) 2013, Cisco Systems.All rights reserved...Redistribution and use in source and binary forms, with or without modification,.are permitted provided that the following conditions are met:..* Redistributions of source code must retain the above copyright notice, this. list of conditions and the following disclaimer...* Redistributions in binary form must reproduce the above copyright notice, this. list of conditions and the following disclaimer in the documentation and/or. other materials provided with the distribution...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE.DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR.ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES.(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERV

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-J8S40.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	320120
Entropy (8bit):	6.398399631689542
Encrypted:	false
SSDEEP:	6144:bSU6+JAfisltPzYzrIybvaEezwMckNI+STEDv4nk3ad04ZqhKTrg+COv:brAltbYzsOvaWJ
MD5:	DB19F6E0A1BB5DB1C8D87C3FE0891136
SHA1:	3B2DAB478A8268000EF5E4474D52CB71F9EB615E
SHA-256:	7623B596CFD989413FEA2FE355607B029EF8E64067275CBF81863688128738B0
SHA-512:	B328DC6D1ADE3061894BC5C50F437B732190DE3CEA6D2CDC147A9A8193EE73221937FBA24209B66226D5E4B05DFFF5A79DB8B134373D1218605BCBA6EE82A6B3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~@hB:!..:!..:!..3Y..2!...L..8!..aI..8!...L..,!...L..2!...L..9!...O..=!..:!..."...O../!...O..;!...O..;!..:!..;!...O..;!..Rich:!..........................PE..d....lP_.........." .....\...v......$_...................................................`..........................................5...........................,......x.......\|...P...T.......................(....................p..p............................text....[.......\.................. ..`.rdata..."...p...$...`..............@..@.data...8...........................@....pdata...,..........................@..@.rsrc...............................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-MH9PV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	963232
Entropy (8bit):	6.634408584960502
Encrypted:	false
SSDEEP:	24576:FkZ+EUPoH5KTcAxt/qvRQdxQxO61kCS9mmWymzVPD:FkMAlM8ixQI5C6wl
MD5:	9C861C079DD81762B6C54E37597B7712
SHA1:	62CB65A1D79E2C5ADA0C7BFC04C18693567C90D0
SHA-256:	AD32240BB1DE55C3F5FCAC8789F583A17057F9D14914C538C2A7A5AD346B341C
SHA-512:	3AA770D6FBA8590FDCF5D263CB2B3D2FAE859E29D31AD482FBFBD700BCD602A013AC2568475999EF9FB06AE666D203D97F42181EC7344CBA023A8534FB13ACB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ck.."..".."..D...".."..-"...s..$ ...s.."...s.."...s.. "...s.."...s.."...s.."..Rich."..........................PE..d.....OR.........." .....h...:.......)..............................................].....`.................................................@...(............@...s...t...>......8...p................................2..p............................................text....g.......h.................. ..`.rdata...8.......:...l..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................^..............@..@.reloc..8............b..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PU0LK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	397672
Entropy (8bit):	6.4894894939696846
Encrypted:	false
SSDEEP:	12288:W8c9NNNNNNBgjcQFg7jaV95D3+wxech2KJ:tc9NNNNNN+jcQg7jMnD/xech2o
MD5:	B9F3C911728B17FE49BB217D799FCC1A
SHA1:	26F4A963E2F43F46323D8610FEC5E8CC8C4A8A16
SHA-256:	9CEB41F04B48CF7B419C95D03E227F593836D74A04625C0AD5AD2877D7229B65
SHA-512:	0A50270432E6E476D5B4DAF7D9D45053F821BEF02F1872EF598A9E66B2E6B75AE4A89AB97AE175C5143CE3C993D7A354F6389EB5A8BDDBFDE59522103535C403
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.{.%.{.%.{.%.=%.{.%.?%.{.%..%.{.%..%.{.%...%.{.%`.+%.{.%.{.%.{.%..<%.{.%.);%.{.%.{w%.{.%..>%.{.%Rich.{.%........................PE..d......].........." .....8..........................................................g,....`.........................................@...87..x...<.... ...........%......h!...........................................k..p............P...............................text...;6.......8.................. ..`.rdata.......P.......<..............@..@.data...............................@....pdata...%.......&..................@..@_RDATA..P/.......0..................@..@.rsrc........ ......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-S4BNJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590632
Entropy (8bit):	6.463330275333709
Encrypted:	false
SSDEEP:	12288:Mt8MRN4gE4x4iTqwTQa6IUqXF7XyxpypsdUDqNSfbQEKZm+jWodEEV3Ho/:MCMm9pyp35bQEKZm+jWodEExg
MD5:	E74CAF5D94AA08D046A44ED6ED84A3C5
SHA1:	ED9F696FA0902A7C16B257DA9B22FB605B72B12E
SHA-256:	3DEDEF76C87DB736C005D06A8E0D084204B836AF361A6BD2EE4651D9C45675E8
SHA-512:	D3128587BC8D62E4D53F8B5F95EB687BC117A6D5678C08DC6B59B72EA9178A7FD6AE8FAA9094D21977C406739D6C38A440134C1C1F6F9A44809E80D162723254
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n..............w.(...#...<........../.....".................+.....g.+.....+...Rich*...................PE..d...R8.^.........." .....>..........p"....................................................`A........................................ m..h....G..,...............(;......(A......4.......T...............................0............P......Ti..@....................text....=.......>.................. ..`.rdata.......P.......B..............@..@.data....:...`..."...P..............@....pdata..(;.......<...r..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-TTPUD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	135016
Entropy (8bit):	5.674566205873397
Encrypted:	false
SSDEEP:	1536:GZU6fX6Kj693r/67BhRpsGmQhRJRVW8/mpI4Sx8K5aqEkmgcs8MYQJaqEkmgcs8o:GZU6qz3ERpNzhRvVoVDe1r0+
MD5:	61CF5C843D8A31162B59C074AE74A76E
SHA1:	123E0EACE3DD60FEF94DC96215468D22434C50FB
SHA-256:	F51BB73407C96E4A2E3016A96A870FA4B422A8B1851477048D122CCC2D523687
SHA-512:	AA1C3175D9A0E11341B8A2F1C5372E99E1164169C8FC71727A0FE6655878782E921FA046D6A83CA2E2C67DAE0609704442EBCFDBE985281F02DDB7E288DC718D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................2.&......<......>..................qY/....qY1....qY.....8<............8......8=.....8?....Rich............................PE..d...F..].........." ......................................................... ......S.....`.............................................d...............................h!......\...`...8...............................p............................................text............................... ..`.rdata..t...........................@..@.data...a...........................@....pdata..............................@..@.idata..8(.........................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-U97AK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	248680
Entropy (8bit):	4.820760286569876
Encrypted:	false
SSDEEP:	6144:k6bBPHJr5r5C9Fg8Imnw5bR3Kklo7rbQox:kz
MD5:	60BAB1D197D91828ED25099968F7D8C5
SHA1:	FC8E1B3C2C98727D2D81A8E85420FA80EE655F19
SHA-256:	F682B5AA0AF3CEE93F890EC6717F94C1AC9B75EBFF512955C6531E7CEE05D196
SHA-512:	5B9CBB11E3FCB00FD76F595520DA4610FA37B0F1227D016D77350909846BA33AF9A32B650BB1CE9A73549DB5BF190C2205E28223D1745191B2424F6DC7327B38
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........e..6..6..6..`6..6...7..6...7..6...7..6...7..62..7..6J..7..62..7..6l..7..6..6...6l..7..6l..7..6l..6..6.d6..6l..7..6Rich..6........................PE..d...3N2c.........." ................................................................U....`..........................................&...0..(W..,.... ..................h!..............T...........................`...8............................................text...+........................... ..`.rdata..v'.......(..................@..@.data...x%....... ..................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VS29P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	707354
Entropy (8bit):	6.470926417661749
Encrypted:	false
SSDEEP:	12288:D0QfKb7nH5lrPo37AzHTA63I0ihE4UEQrrNtIECORGv95ELAfXExy8z:nfKbT5lrPo37AzHTA63/cfU9IEU953fo
MD5:	F2E1861AB7EFD6358283CF101045A727
SHA1:	15F34DC254FE02A84F2F8AD4D5495D7E799F2F9B
SHA-256:	35A50C7721675C5422D5F7979912FB1B2BE5811CBBAFBA60FEA36D2DBBC87190
SHA-512:	C92F41CEFDEC7305C526F5903509760512F9DC152AFC2969F40B40ACABDAD41CF40273BAC8CEECBA47C4BC0DACDA14D0DA74B8312AFFF37CFADBD8EF8933C685
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................&...........1.......@....@..............................................@...............................%...`...>..........................................................................................................CODE.....$.......&.................. ..`DATA....<....@.....................@...BSS..........`.......<...................idata...%.......&...<..............@....tls.................b...................rdata...............b..............@..P.reloc..............................@..P.rsrc....>...`...>...d..............@..P.....................*..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	363880
Entropy (8bit):	6.3947346615222305
Encrypted:	false
SSDEEP:	6144:lieS4N0DdxBa72yNQuqped6c7Bv5ebr+U2pyQqsa3a8g+QTW:UeSyCVaiyNQAd6cV5K+Jp37W
MD5:	460B0576549FFD1F55D717BA6E265A05
SHA1:	65AB7E2109658102678C122D7DE603E64DCE7CC5
SHA-256:	AAB56C21B6CEC7065882A750BECB4526B4CB5815A4AC002C2594F84FB0F5955F
SHA-512:	666B16FF72CB847B8D141B0110BBB45AAE67D9BB01E2D6B48C7BDA61C5DC3126CCBC72627C1B93EC23B87E9427C39DC890F1E0A72E5077DC0071E5FEA1B1E3A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................7!.....;.....9...............>.;...Vh-.......>.......>.:....=...>.8...Rich....................PE..d.....%Y.........." .........d.......................................................L....`.........................................@........................P...7...l..h!......8.......................................p............ ...............................text...K........................... ..`.rdata....... ......................@..@.data...@....@.......(..............@....pdata...7...P...8...*..............@..@.rsrc................b..............@..@.reloc..8............h..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2042352
Entropy (8bit):	7.085275197144553
Encrypted:	false
SSDEEP:	24576:OFZD9URlmDrgBrhEci8XhP3YLd44RS6+FNbqUzUxVvqKGTZnIzudBDFPjQAr10Fu:+ZeLrXFcL0YF7pvtHkfH
MD5:	876A839023B8F962A72D295DA7495734
SHA1:	62A7728679BC18784B1FBF1D013F7CECE18CBEC9
SHA-256:	A757D773DA406411FB977761F6E56F016D48D224AEDAF3D875ED4D4A9EDE6158
SHA-512:	E1B23A2F5EC0100FF874CA075BBD0F90E9065A90FEC66861F99DF603D7AAA9DB8E8EC326710FDC11AD41D01BEFE4EA3077136127ACF613614D0D12FF23BEC6C1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^............................4.............@..........................@.......................................................p...3..............X............................................................................................text............................... ..`.rdata..x%.......0..................@..@.data....S.......0..................@....rsrc....@...p...@...@..............@..@.vcp1208............................a.G.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	397672
Entropy (8bit):	6.4894894939696846
Encrypted:	false
SSDEEP:	12288:W8c9NNNNNNBgjcQFg7jaV95D3+wxech2KJ:tc9NNNNNN+jcQg7jMnD/xech2o
MD5:	B9F3C911728B17FE49BB217D799FCC1A
SHA1:	26F4A963E2F43F46323D8610FEC5E8CC8C4A8A16
SHA-256:	9CEB41F04B48CF7B419C95D03E227F593836D74A04625C0AD5AD2877D7229B65
SHA-512:	0A50270432E6E476D5B4DAF7D9D45053F821BEF02F1872EF598A9E66B2E6B75AE4A89AB97AE175C5143CE3C993D7A354F6389EB5A8BDDBFDE59522103535C403
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.{.%.{.%.{.%.=%.{.%.?%.{.%..%.{.%..%.{.%...%.{.%`.+%.{.%.{.%.{.%..<%.{.%.);%.{.%.{w%.{.%..>%.{.%Rich.{.%........................PE..d......].........." .....8..........................................................g,....`.........................................@...87..x...<.... ...........%......h!...........................................k..p............P...............................text...;6.......8.................. ..`.rdata.......P.......<..............@..@.data...............................@....pdata...%.......&..................@..@_RDATA..P/.......0..................@..@.rsrc........ ......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20840
Entropy (8bit):	6.3244920295043645
Encrypted:	false
SSDEEP:	384:rk3cFbdBtZHvagGFsGfZyGmGovy8ZpHEi+:rk0vHy9oyiRM
MD5:	D2BC90D6AF120A0643AD5DC5F3CE8D43
SHA1:	419C3246B08125754CCBB4323DD823F8DA0548CB
SHA-256:	BDED78571A2E60B3324AB9B4D3DDB6DE12FC08CB4BBE6A582A2C2292AA17CCE6
SHA-512:	F34C90E44F473A8CD62B75B6D531FDD47AD132A3F1BCE7AD5C0DDF30C61A2454BA214AA2B6CD50C2A1B6CD3AC85F2D9989775376A400D34EBBD2EFAB0FBECC7A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ovA{+./(+./(+./("o.(/./(yb.))./(yb)%./(yb+)#./(yb,)(./(?\|.)../(+..(../(.b)./(.b/)./(.b.(./(.b-)./(Rich+./(........................PE..d....z{c.........." ......... .......................................................7....`..........................................8..t...T;..x....p.......`.......0..h!......<....1...............................2..8............0..(............................text............................... ..`.rdata.......0......................@..@.data........P.......(..............@....pdata.......`.......*..............@..@.rsrc........p.......,..............@..@.reloc..<...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660128
Entropy (8bit):	6.339798513733826
Encrypted:	false
SSDEEP:	12288:N2fus43uu43Ry4GHlT4xH2K+M+/i+WSpY+7YOzCaK9A3gS2EKZm+GWodEEwnyh:muJzCaK9AB2EKZm+GWodEEwnyh
MD5:	46060C35F697281BC5E7337AEE3722B1
SHA1:	D0164C041707F297A73ABB9EA854111953E99CF1
SHA-256:	2ABF0AAB5A3C5AE9424B64E9D19D9D6D4AEBC67814D7E92E4927B9798FEF2848
SHA-512:	2CF2ED4D45C79A6E6CEBFA3D332710A97F5CF0251DC194EEC8C54EA0CB85762FD19822610021CCD6A6904E80AFAE1590A83AF1FA45152F28CA56D862A3473F0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;..h..h..h..[h..h..h..h..Mh..hIAWh..h..Oh..h..qh..h..ph..h..uh..h..Lh..h..Kh..h..Nh..hRich..h................PE..d.....OR.........." .....@...................................................`......a.....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590632
Entropy (8bit):	6.463330275333709
Encrypted:	false
SSDEEP:	12288:Mt8MRN4gE4x4iTqwTQa6IUqXF7XyxpypsdUDqNSfbQEKZm+jWodEEV3Ho/:MCMm9pyp35bQEKZm+jWodEExg
MD5:	E74CAF5D94AA08D046A44ED6ED84A3C5
SHA1:	ED9F696FA0902A7C16B257DA9B22FB605B72B12E
SHA-256:	3DEDEF76C87DB736C005D06A8E0D084204B836AF361A6BD2EE4651D9C45675E8
SHA-512:	D3128587BC8D62E4D53F8B5F95EB687BC117A6D5678C08DC6B59B72EA9178A7FD6AE8FAA9094D21977C406739D6C38A440134C1C1F6F9A44809E80D162723254
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n..............w.(...#...<........../.....".................+.....g.+.....+...Rich*...................PE..d...R8.^.........." .....>..........p"....................................................`A........................................ m..h....G..,...............(;......(A......4.......T...............................0............P......Ti..@....................text....=.......>.................. ..`.rdata.......P.......B..............@..@.data....:...`..."...P..............@....pdata..(;.......<...r..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31528
Entropy (8bit):	6.472533190412445
Encrypted:	false
SSDEEP:	384:R77JqjlI8icUYWhN5tWcS5gWZoMUekWi9pBj0HRN7RA5aWixHRN7osDhzlGs6N+E:R5D8icUlX5YYMLAWRAlypmPB
MD5:	7EE2B93A97485E6222C393BFA653926B
SHA1:	F4779CBFF235D21C386DA7276021F136CA233320
SHA-256:	BD57D8EEF0BC3A757C5CE5F486A547C79E12482AC8E694C47A6AB794AA745F1F
SHA-512:	4A4A3F56674B54683C88BD696AB5D02750E9A61F3089274FAA25E16A858805958E8BE1C391A257E73D889B1EEA30C173D0296509221D68A492A488D725C2B101
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..\4~.\4~.\4~...^4~.UL..X4~.Dz.[4~.D}.^4~.\4..v4~.D..Y4~.D{.O4~.D~.]4~.D..]4~.D\|.]4~.Rich\4~.........PE..d...W8.^.........." .........$............................................................`A.........................................>..L....?..x....p.......`..4....:..(A......p...@3..T............................3..0............0..0............................text...(........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..4....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	963232
Entropy (8bit):	6.634408584960502
Encrypted:	false
SSDEEP:	24576:FkZ+EUPoH5KTcAxt/qvRQdxQxO61kCS9mmWymzVPD:FkMAlM8ixQI5C6wl
MD5:	9C861C079DD81762B6C54E37597B7712
SHA1:	62CB65A1D79E2C5ADA0C7BFC04C18693567C90D0
SHA-256:	AD32240BB1DE55C3F5FCAC8789F583A17057F9D14914C538C2A7A5AD346B341C
SHA-512:	3AA770D6FBA8590FDCF5D263CB2B3D2FAE859E29D31AD482FBFBD700BCD602A013AC2568475999EF9FB06AE666D203D97F42181EC7344CBA023A8534FB13ACB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ck.."..".."..D...".."..-"...s..$ ...s.."...s.."...s.. "...s.."...s.."...s.."..Rich."..........................PE..d.....OR.........." .....h...:.......)..............................................].....`.................................................@...(............@...s...t...>......8...p................................2..p............................................text....g.......h.................. ..`.rdata...8.......:...l..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................^..............@..@.reloc..8............b..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	869224
Entropy (8bit):	6.632387605957213
Encrypted:	false
SSDEEP:	24576:DJf34ppw4hjg401r+iTy2mmzuF3SJciti0ZIj8UoJwCR:Dl3ypw4yN/RiF3SJdO8xJv
MD5:	DAA904CE63B0A290111AED5E843B9368
SHA1:	6642AD5C2622D756EB3500E7C0420E9DA7A16BB1
SHA-256:	471BBC3FA0A98869F6791E0D1A55B38F5E360842A7CC219A6FF26030E62DBB1B
SHA-512:	CBFD06523F1855AAF4BE2D33EB3A3A324C8D7AF4871B314AC2C165FD17F8DA6CD2F465E9405412282AAC1ED247B811A4A73D91069A324A5AEC531253AE3A4D0B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.9d0.W70.W70.W7...73.W70.V7m.W7.M.71.W7v..7..W7v..7..W7v..7$.W7.s.7e.W70.W7'.W7.s.71.W7=..71.W7.s.71.W7Rich0.W7........PE..d......].........." .....8...........\...............................................$....`.................................................\|...(....`..........x]..."..h!...p.......R..8...............................p............P..H............................text...7+.......,.................. ..`.rodata......@.......0.............. ..`.rdata..FP...P...R...<..............@..@.data... K.......&..................@....pdata..x].......^..................@..@.rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264_license.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	1297
Entropy (8bit):	5.115489615345492
Encrypted:	false
SSDEEP:	24:CbUneZXof9+bOOrXqFT09+JYrXqFTzl796432s4EOkUs8QROJ32s3yxsITf+3t1e:Cn3OOrXqJ07rXqJzr6432sv832s3EsI/
MD5:	AAF4009F5963B1B270D8C3E697EBE442
SHA1:	F5A44235094DA0B8B5992C6112CB8C356EF22B93
SHA-256:	3988CDCCB878675B4AB8C11F21EF7F6301451F59E2E2BF3F07E963D36C8E9767
SHA-512:	BC30F4C5F17E4F0CDE2CDD5C36A6EC28271569E18808E736186D42409564E3E6FFA8AD23842912C90F39CE6264A698714A434092778C74CBDE6C330DD3969109
Malicious:	false
Preview:	Copyright (c) 2013, Cisco Systems.All rights reserved...Redistribution and use in source and binary forms, with or without modification,.are permitted provided that the following conditions are met:..* Redistributions of source code must retain the above copyright notice, this. list of conditions and the following disclaimer...* Redistributions in binary form must reproduce the above copyright notice, this. list of conditions and the following disclaimer in the documentation and/or. other materials provided with the distribution...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE.DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR.ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES.(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERV

C:\Users\user\AppData\Local\RecordPad Sound Recorder\proportions.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	51
Entropy (8bit):	3.48286657951254
Encrypted:	false
SSDEEP:	3:cUoytoUD6MBomFUT:cUoQoUD6Qoyy
MD5:	034D89CD2C41EDFCEADA9F96A3C0A56A
SHA1:	92AB4E6FF98CA987D56EA3C1BA36D1C61EF23ACB
SHA-256:	44BBE94D481B106F00223DD406D015AEFD00CFA2DBA9428BEFC2B8F6A3FEB971
SHA-512:	6C3E701D2D0FD24FDB46C0E1B0EF5245F36E4A34A9D2340665A31F6331C2D6F08680399600FB02C3D51694F9BAFFB3E41A367CB4FE945D4836B669DA63EB6358
Malicious:	false
Preview:	1 1..4 3..3 2..16 9..6 5..468 60..728 90..2592 1936

C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3149260
Entropy (8bit):	6.90789109689728
Encrypted:	false
SSDEEP:	98304:ltFvpn2HjjeLN33Ltcq0L409R8dsZ0q1X:lt9pnAjyLN3JQR8dsp
MD5:	05231A29BF2470E3D5FEA74C5FD84462
SHA1:	18D4BF866691E6DEE2819367993761522E462933
SHA-256:	B6856AE9351FB50266F4803C7630ED195BCE9A0AF8C0D00CCEAC22B7250E1DDC
SHA-512:	DEDB877FB6A44D0E6E9485B2A00A555F0B3E9C12040C55744194BB4E270B25195B9517DA5F82E5A53B06A51F8ABB51D5D3874E70724D1A5BE8711833F9DF65D3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^..........&...............................@..........................00.........................................................@............................................................................................................text............................... ..`.bhead8.n*.......0..................@..@.data...xT...0...@...0..............@....rsrc................p..............@..@.chead8............................a.f.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	InnoSetup Log RecordPad Sound Recorder, version 0x30, 5497 bytes, 648351\user, "C:\Users\user\AppData\Local\RecordPad Sound Recorder"
Category:	dropped
Size (bytes):	5497
Entropy (8bit):	4.793236525860416
Encrypted:	false
SSDEEP:	96:aH2H89dWL4888pgUm95+eOIhFhlEo4cVSQs0LoXEMVyd9vHzctJotZo2DJcKCwF5:aH2H89dWL48XpgYHIhFjEdcVSQ1oXEMq
MD5:	DA05920EBD63F7ECC7B421F12A7B9B3F
SHA1:	666F57783C0A3961E24F9F9E8722464F0C2B774E
SHA-256:	DD0FC5F8F11EA73A29EA8675CE2B8D1287659B19FF745F2C8A106FA462CC4890
SHA-512:	E806636E49DA2D9BBDAC300383DAAC02A22A1A4F73E6BB4D8101A71C6E0F6416C3060A6E744B75B5B2742926F3E7D342C336AB001426800ECCE7BB127A4DE324
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................RecordPad Sound Recorder........................................................................................................RecordPad Sound Recorder........................................................................................................0.......y...%...............................................................................................................-...........}4.......[....648351.user8C:\Users\user\AppData\Local\RecordPad Sound Recorder.................. .....S......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%..

C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	707354
Entropy (8bit):	6.470926417661749
Encrypted:	false
SSDEEP:	12288:D0QfKb7nH5lrPo37AzHTA63I0ihE4UEQrrNtIECORGv95ELAfXExy8z:nfKbT5lrPo37AzHTA63/cfU9IEU953fo
MD5:	F2E1861AB7EFD6358283CF101045A727
SHA1:	15F34DC254FE02A84F2F8AD4D5495D7E799F2F9B
SHA-256:	35A50C7721675C5422D5F7979912FB1B2BE5811CBBAFBA60FEA36D2DBBC87190
SHA-512:	C92F41CEFDEC7305C526F5903509760512F9DC152AFC2969F40B40ACABDAD41CF40273BAC8CEECBA47C4BC0DACDA14D0DA74B8312AFFF37CFADBD8EF8933C685
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................&...........1.......@....@..............................................@...............................%...`...>..........................................................................................................CODE.....$.......&.................. ..`DATA....<....@.....................@...BSS..........`.......<...................idata...%.......&...<..............@....tls.................b...................rdata...............b..............@..P.reloc..............................@..P.rsrc....>...`...>...d..............@..P.....................*..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_RegDLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.026670007889822
Encrypted:	false
SSDEEP:	48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5:	0EE914C6F0BB93996C75941E1AD629C6
SHA1:	12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256:	4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512:	A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp

Download File

Process:	C:\Users\user\Desktop\9MgoW3Y1ti.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	696832
Entropy (8bit):	6.462782329218102
Encrypted:	false
SSDEEP:	12288:L0QfKb7nH5lrPo37AzHTA63I0ihE4UEQrrNtIECORGv95ELAfXExy8:ffKbT5lrPo37AzHTA63/cfU9IEU953f0
MD5:	8EF7001015E126E74BC41268504CA1E2
SHA1:	B30C0FA54ECB63C735407144A3297E0B9D881E27
SHA-256:	E06E234073AE4A9DF232AA1D535F02429A371748E164606C1B1A4C74BD98C56C
SHA-512:	122DF0A13F2D0C3103F0F686863CFAB46114A417C5D6A4382410C2CCF0AA3E9859D8E760B5C1860C776B1064F5BCCBF1E8AA50108F948F9240A5DD80D31CF17B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................&...........1.......@....@..............................................@...............................%...`...>..........................................................................................................CODE.....$.......&.................. ..`DATA....<....@.....................@...BSS..........`.......<...................idata...%.......&...<..............@....tls.................b...................rdata...............b..............@..P.reloc..............................@..P.rsrc....>...`...>...d..............@..P.....................*..............@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.998877824602786
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	9MgoW3Y1ti.exe
File size:	5'167'185 bytes
MD5:	b5782418b0d93145d5e7d5ff762c50e3
SHA1:	8ad9d47fcd5cc8668c316f2ed8b9ce0f44b9adfb
SHA256:	2364f287be72dd7aa1f3cf19ff86314a02b62f4b19792e1e06abad3567d1900c
SHA512:	0bad50e78ba51de7721dbe2a68918f0f36bb9ccab267e23db9e1287228ef907d5c498876e1fb27955979867853d32a868e7385a9f6ae5714c472dee889621906
SSDEEP:	98304:m+FTWMmIv6waA32fkYBYSIQIBgEs0UmB12pCZMzCVThs0+sourcZuxKwYYvq:BXmI532fkYKSIQIBWmBkqICVThsWour+
TLSH:	8C363343E1E495B0C50656FCCEE194895839AAA0FAFE5C08376CE80C3DB35DB986F359
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x409b24
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F2308CD7857h
call 00007F2308CD8A5Eh
call 00007F2308CDAC89h
call 00007F2308CDACD0h
call 00007F2308CDD5C3h
call 00007F2308CDD72Ah
xor eax, eax
push ebp
push 0040A1DBh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A1A4h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F2308CDE150h
call 00007F2308CDDCB7h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F2308CDB2B9h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE4h
call 00007F2308CD7908h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE4h]
mov dl, 01h
mov eax, 004072ECh
call 00007F2308CDBB48h
mov dword ptr [0040CDE8h], eax
xor edx, edx
push ebp
push 0040A15Ch
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F2308CDE1C0h
mov dword ptr [0040CDF0h], eax
mov eax, dword ptr [0040CDF0h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F2308CDE2FAh
mov eax, dword ptr [0040CDF0h]
mov edx, 00000028h
call 00007F2308CDBF49h
mov edx, dword ptr [0040CDF0h]
cmp eax, dword ptr [edx+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9244	0x9400	00d95da090f9b045cc52199c7b36d118	False	0.6099820523648649	data	6.529731839731562	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x24c	0x400	05e73e67429288e06500812b62979d5f	False	0.3076171875	data	2.734223999371757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe48	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	bb5485bf968b970e5ea81292af2acdba	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	9ba824905bf9c7922b6fc87a38b74366	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8b4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2c00	0x2c00	e3fe84aa938d47d18defad03819903c4	False	0.3229758522727273	data	4.464866638398271	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x12574	0x2f2	data			0.35543766578249336
RT_STRING	0x12868	0x30c	data			0.3871794871794872
RT_STRING	0x12b74	0x2ce	data			0.42618384401114207
RT_STRING	0x12e44	0x68	data			0.75
RT_STRING	0x12eac	0xb4	data			0.6277777777777778
RT_STRING	0x12f60	0xae	data			0.5344827586206896
RT_RCDATA	0x13010	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1307c	0x4b8	COM executable for DOS	English	United States	0.2781456953642384
RT_MANIFEST	0x13534	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/11/24-20:04:05.022218	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49759	80	192.168.2.6	94.156.8.14
06/11/24-20:04:00.660933	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49756	80	192.168.2.6	94.156.8.14
06/11/24-20:03:20.999590	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49733	80	192.168.2.6	94.156.8.14
06/11/24-20:03:50.457825	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49750	80	192.168.2.6	94.156.8.14
06/11/24-20:03:33.060284	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49739	80	192.168.2.6	94.156.8.14
06/11/24-20:03:45.145687	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49747	80	192.168.2.6	94.156.8.14
06/11/24-20:03:42.718124	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49744	80	192.168.2.6	94.156.8.14
06/11/24-20:03:15.218492	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49730	80	192.168.2.6	94.156.8.14
06/11/24-20:03:55.568367	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49753	80	192.168.2.6	94.156.8.14
06/11/24-20:03:06.281713	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49721	80	192.168.2.6	94.156.8.14
06/11/24-20:04:09.182356	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49762	80	192.168.2.6	94.156.8.14
06/11/24-20:03:53.390046	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49751	80	192.168.2.6	94.156.8.14
06/11/24-20:03:58.405789	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49754	80	192.168.2.6	94.156.8.14
06/11/24-20:04:02.172905	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49757	80	192.168.2.6	94.156.8.14
06/11/24-20:03:48.061954	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49748	80	192.168.2.6	94.156.8.14
06/11/24-20:04:06.419496	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49760	80	192.168.2.6	94.156.8.14
06/11/24-20:03:37.431894	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49742	80	192.168.2.6	94.156.8.14
06/11/24-20:03:28.375163	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49736	80	192.168.2.6	94.156.8.14
06/11/24-20:03:34.520546	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49740	80	192.168.2.6	94.156.8.14
06/11/24-20:03:38.944323	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49743	80	192.168.2.6	94.156.8.14
06/11/24-20:03:43.506708	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49746	80	192.168.2.6	94.156.8.14
06/11/24-20:03:29.131237	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49737	80	192.168.2.6	94.156.8.14
06/11/24-20:03:00.558791	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49720	80	192.168.2.6	94.156.8.14
06/11/24-20:04:10.647905	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49763	80	192.168.2.6	94.156.8.14
06/11/24-20:03:17.343055	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49731	80	192.168.2.6	94.156.8.14
06/11/24-20:03:54.130080	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49752	80	192.168.2.6	94.156.8.14
06/11/24-20:03:12.287039	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49729	80	192.168.2.6	94.156.8.14
06/11/24-20:03:10.015867	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49725	80	192.168.2.6	94.156.8.14
06/11/24-20:03:23.984682	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49734	80	192.168.2.6	94.156.8.14
06/11/24-20:03:32.171182	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49738	80	192.168.2.6	94.156.8.14
06/11/24-20:04:07.773090	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49761	80	192.168.2.6	94.156.8.14
06/11/24-20:03:26.218000	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49735	80	192.168.2.6	94.156.8.14
06/11/24-20:03:07.068331	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49723	80	192.168.2.6	94.156.8.14
06/11/24-20:03:10.793000	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49726	80	192.168.2.6	94.156.8.14
06/11/24-20:03:59.145572	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49755	80	192.168.2.6	94.156.8.14
06/11/24-20:04:03.617994	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49758	80	192.168.2.6	94.156.8.14
06/11/24-20:03:35.977088	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49741	80	192.168.2.6	94.156.8.14
06/11/24-20:03:18.026242	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49732	80	192.168.2.6	94.156.8.14
06/11/24-20:03:48.957781	TCP	2049467	ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	49749	80	192.168.2.6	94.156.8.14

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2024 20:03:00.552073002 CEST	49720	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:00.557869911 CEST	80	49720	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:00.557956934 CEST	49720	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:00.558790922 CEST	49720	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:00.564320087 CEST	80	49720	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:01.954236031 CEST	80	49720	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:01.954392910 CEST	49720	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:02.077717066 CEST	49720	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:02.078216076 CEST	49721	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:02.083112955 CEST	80	49720	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:02.083170891 CEST	80	49721	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:02.083205938 CEST	49720	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:02.083259106 CEST	49721	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:02.083472967 CEST	49721	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:02.088304996 CEST	80	49721	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:03.446904898 CEST	80	49721	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:03.447148085 CEST	49721	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:03.448534966 CEST	49722	2023	192.168.2.6	194.59.31.219
Jun 11, 2024 20:03:03.453507900 CEST	2023	49722	194.59.31.219	192.168.2.6
Jun 11, 2024 20:03:03.453645945 CEST	49722	2023	192.168.2.6	194.59.31.219
Jun 11, 2024 20:03:03.453721046 CEST	49722	2023	192.168.2.6	194.59.31.219
Jun 11, 2024 20:03:03.458834887 CEST	2023	49722	194.59.31.219	192.168.2.6
Jun 11, 2024 20:03:03.459033966 CEST	49722	2023	192.168.2.6	194.59.31.219
Jun 11, 2024 20:03:03.464202881 CEST	2023	49722	194.59.31.219	192.168.2.6
Jun 11, 2024 20:03:04.272751093 CEST	2023	49722	194.59.31.219	192.168.2.6
Jun 11, 2024 20:03:04.325320005 CEST	49722	2023	192.168.2.6	194.59.31.219
Jun 11, 2024 20:03:06.281713009 CEST	49721	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:06.286988974 CEST	80	49721	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:06.944936991 CEST	80	49721	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:06.945261955 CEST	49721	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:07.062683105 CEST	49721	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:07.062964916 CEST	49723	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:07.068028927 CEST	80	49723	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:07.068149090 CEST	49723	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:07.068331003 CEST	49723	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:07.068439007 CEST	80	49721	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:07.068506956 CEST	49721	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:07.073206902 CEST	80	49723	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:08.408154011 CEST	80	49723	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:08.408242941 CEST	49723	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:08.409513950 CEST	49724	2023	192.168.2.6	194.59.31.219
Jun 11, 2024 20:03:08.414345980 CEST	2023	49724	194.59.31.219	192.168.2.6
Jun 11, 2024 20:03:08.414619923 CEST	49724	2023	192.168.2.6	194.59.31.219
Jun 11, 2024 20:03:08.414710045 CEST	49724	2023	192.168.2.6	194.59.31.219
Jun 11, 2024 20:03:08.414813042 CEST	49724	2023	192.168.2.6	194.59.31.219
Jun 11, 2024 20:03:08.419605970 CEST	2023	49724	194.59.31.219	192.168.2.6
Jun 11, 2024 20:03:08.467492104 CEST	2023	49724	194.59.31.219	192.168.2.6
Jun 11, 2024 20:03:08.531480074 CEST	49723	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:08.531793118 CEST	49725	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:08.537024021 CEST	80	49725	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:08.537142992 CEST	49725	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:08.537349939 CEST	49725	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:08.540684938 CEST	80	49723	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:08.540776968 CEST	49723	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:08.542501926 CEST	80	49725	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:09.005702019 CEST	2023	49724	194.59.31.219	192.168.2.6
Jun 11, 2024 20:03:09.005829096 CEST	49724	2023	192.168.2.6	194.59.31.219
Jun 11, 2024 20:03:09.904525995 CEST	80	49725	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:09.904882908 CEST	49725	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:10.015866995 CEST	49725	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:10.021575928 CEST	80	49725	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:10.662127972 CEST	80	49725	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:10.662266016 CEST	49725	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:10.787486076 CEST	49725	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:10.787800074 CEST	49726	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:10.792593002 CEST	80	49725	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:10.792669058 CEST	80	49726	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:10.792692900 CEST	49725	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:10.792790890 CEST	49726	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:10.792999983 CEST	49726	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:10.797800064 CEST	80	49726	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:12.164022923 CEST	80	49726	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:12.164159060 CEST	49726	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:12.281514883 CEST	49726	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:12.281910896 CEST	49729	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:12.286753893 CEST	80	49729	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:12.286767960 CEST	80	49726	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:12.286834955 CEST	49729	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:12.286868095 CEST	49726	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:12.287039042 CEST	49729	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:12.291812897 CEST	80	49729	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:13.642710924 CEST	80	49729	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:13.642781973 CEST	49729	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:13.765727043 CEST	49729	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:13.766223907 CEST	49730	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:13.771025896 CEST	80	49729	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:13.771092892 CEST	49729	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:13.771176100 CEST	80	49730	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:13.771262884 CEST	49730	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:13.771404982 CEST	49730	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:13.776810884 CEST	80	49730	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:15.109380960 CEST	80	49730	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:15.109556913 CEST	49730	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:15.218492031 CEST	49730	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:15.223495960 CEST	80	49730	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:15.846194983 CEST	80	49730	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:15.848818064 CEST	49730	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:15.975450039 CEST	49730	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:15.975888014 CEST	49731	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:15.980953932 CEST	80	49730	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:15.981039047 CEST	80	49731	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:15.981154919 CEST	49730	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:15.981204033 CEST	49731	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:15.981359959 CEST	49731	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:15.986162901 CEST	80	49731	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:17.235989094 CEST	80	49731	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:17.236133099 CEST	49731	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:17.343055010 CEST	49731	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:17.348066092 CEST	80	49731	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:17.896166086 CEST	80	49731	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:17.896265984 CEST	49731	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:18.015284061 CEST	49731	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:18.015574932 CEST	49732	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:18.020522118 CEST	80	49732	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:18.020634890 CEST	49732	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:18.021038055 CEST	80	49731	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:18.021110058 CEST	49731	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:18.026242018 CEST	49732	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:18.031064034 CEST	80	49732	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:19.383019924 CEST	80	49732	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:19.383323908 CEST	49732	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:19.500879049 CEST	49732	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:19.501627922 CEST	49733	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:19.506556988 CEST	80	49732	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:19.506752014 CEST	80	49733	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:19.506762028 CEST	49732	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:19.506836891 CEST	49733	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:19.507042885 CEST	49733	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:19.512383938 CEST	80	49733	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:20.887610912 CEST	80	49733	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:20.887968063 CEST	49733	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:20.999589920 CEST	49733	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:21.005023956 CEST	80	49733	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:21.650306940 CEST	80	49733	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:21.650588036 CEST	49733	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:21.765944004 CEST	49733	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:21.766277075 CEST	49734	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:21.771629095 CEST	80	49733	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:21.771675110 CEST	80	49734	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:21.771739960 CEST	49733	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:21.771809101 CEST	49734	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:21.772011995 CEST	49734	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:21.776779890 CEST	80	49734	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:23.126228094 CEST	80	49734	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:23.126626015 CEST	49734	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:23.234594107 CEST	49734	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:23.239825010 CEST	80	49734	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:23.874078989 CEST	80	49734	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:23.874289036 CEST	49734	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:23.984682083 CEST	49734	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:23.989655018 CEST	80	49734	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:24.616264105 CEST	80	49734	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:24.616575956 CEST	49734	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:24.735186100 CEST	49734	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:24.735497952 CEST	49735	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:24.740474939 CEST	80	49735	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:24.740504980 CEST	80	49734	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:24.740897894 CEST	49735	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:24.741000891 CEST	49734	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:24.741077900 CEST	49735	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:24.745913982 CEST	80	49735	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:26.104337931 CEST	80	49735	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:26.106930017 CEST	49735	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:26.217999935 CEST	49735	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:26.222946882 CEST	80	49735	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:26.839590073 CEST	80	49735	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:26.840321064 CEST	49735	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:26.952142000 CEST	49735	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:26.952553034 CEST	49736	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:26.957607031 CEST	80	49736	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:26.957724094 CEST	49736	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:26.957935095 CEST	49736	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:26.958214998 CEST	80	49735	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:26.958282948 CEST	49735	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:26.962738037 CEST	80	49736	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:28.262629032 CEST	80	49736	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:28.262691021 CEST	49736	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:28.375163078 CEST	49736	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:28.380278111 CEST	80	49736	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:29.005793095 CEST	80	49736	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:29.005933046 CEST	49736	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:29.125207901 CEST	49736	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:29.125648022 CEST	49737	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:29.130836964 CEST	80	49736	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:29.130878925 CEST	80	49737	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:29.130944967 CEST	49736	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:29.131031990 CEST	49737	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:29.131237030 CEST	49737	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:29.136015892 CEST	80	49737	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:30.504712105 CEST	80	49737	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:30.504839897 CEST	49737	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:30.671422005 CEST	49737	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:30.671988964 CEST	49738	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:30.676918983 CEST	80	49737	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:30.676939964 CEST	80	49738	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:30.676980019 CEST	49737	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:30.677020073 CEST	49738	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:30.677237988 CEST	49738	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:30.681957960 CEST	80	49738	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:32.062359095 CEST	80	49738	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:32.062479019 CEST	49738	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:32.171181917 CEST	49738	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:32.176632881 CEST	80	49738	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:32.819355965 CEST	80	49738	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:32.819535017 CEST	49738	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:33.051060915 CEST	49738	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:33.054855108 CEST	49739	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:33.056875944 CEST	80	49738	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:33.057090998 CEST	49738	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:33.059971094 CEST	80	49739	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:33.060033083 CEST	49739	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:33.060283899 CEST	49739	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:33.065289021 CEST	80	49739	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:34.400517941 CEST	80	49739	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:34.400661945 CEST	49739	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:34.515139103 CEST	49739	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:34.515558004 CEST	49740	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:34.520241022 CEST	80	49739	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:34.520304918 CEST	49739	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:34.520354033 CEST	80	49740	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:34.520420074 CEST	49740	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:34.520545959 CEST	49740	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:34.525533915 CEST	80	49740	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:35.848656893 CEST	80	49740	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:35.848746061 CEST	49740	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:35.968816042 CEST	49740	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:35.969173908 CEST	49741	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:35.975831032 CEST	80	49740	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:35.975915909 CEST	49740	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:35.976859093 CEST	80	49741	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:35.977016926 CEST	49741	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:35.977087975 CEST	49741	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:35.983360052 CEST	80	49741	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:37.306004047 CEST	80	49741	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:37.306103945 CEST	49741	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:37.424871922 CEST	49741	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:37.425610065 CEST	49742	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:37.431432962 CEST	80	49742	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:37.431539059 CEST	49742	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:37.431687117 CEST	80	49741	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:37.431756020 CEST	49741	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:37.431894064 CEST	49742	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:37.437804937 CEST	80	49742	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:38.817058086 CEST	80	49742	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:38.818922043 CEST	49742	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:38.936888933 CEST	49742	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:38.937283993 CEST	49743	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:38.944091082 CEST	80	49743	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:38.944222927 CEST	49743	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:38.944323063 CEST	49743	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:38.944387913 CEST	80	49742	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:38.944430113 CEST	49742	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:38.952910900 CEST	80	49743	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:40.339371920 CEST	80	49743	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:40.339565039 CEST	49743	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:40.452744961 CEST	49743	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:40.453228951 CEST	49744	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:40.458070993 CEST	80	49743	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:40.458102942 CEST	80	49744	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:40.458149910 CEST	49743	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:40.458218098 CEST	49744	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:40.458370924 CEST	49744	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:40.463172913 CEST	80	49744	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:41.842921972 CEST	80	49744	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:41.843024969 CEST	49744	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:41.953237057 CEST	49744	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:41.958138943 CEST	80	49744	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:42.610620975 CEST	80	49744	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:42.610713959 CEST	49744	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:42.718123913 CEST	49744	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:42.723126888 CEST	80	49744	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:43.382011890 CEST	80	49744	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:43.382157087 CEST	49744	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:43.499787092 CEST	49744	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:43.500343084 CEST	49746	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:43.505944967 CEST	80	49744	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:43.506057024 CEST	49744	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:43.506445885 CEST	80	49746	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:43.506531954 CEST	49746	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:43.506707907 CEST	49746	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:43.511499882 CEST	80	49746	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:45.020930052 CEST	80	49746	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:45.021047115 CEST	49746	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:45.140285969 CEST	49746	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:45.140670061 CEST	49747	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:45.145411968 CEST	80	49746	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:45.145445108 CEST	80	49747	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:45.145487070 CEST	49746	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:45.145545006 CEST	49747	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:45.145687103 CEST	49747	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:45.150420904 CEST	80	49747	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:46.507627964 CEST	80	49747	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:46.507739067 CEST	49747	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:46.624378920 CEST	49747	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:46.624744892 CEST	49748	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:46.629513025 CEST	80	49748	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:46.629528999 CEST	80	49747	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:46.629606009 CEST	49747	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:46.629621029 CEST	49748	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:46.629803896 CEST	49748	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:46.634515047 CEST	80	49748	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:47.950431108 CEST	80	49748	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:47.950493097 CEST	49748	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:48.061954021 CEST	49748	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:48.066831112 CEST	80	49748	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:48.839855909 CEST	80	49748	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:48.840054035 CEST	49748	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:48.952352047 CEST	49748	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:48.952677965 CEST	49749	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:48.957593918 CEST	80	49749	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:48.957688093 CEST	49749	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:48.957781076 CEST	49749	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:48.957798958 CEST	80	49748	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:48.957856894 CEST	49748	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:48.962635994 CEST	80	49749	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:50.333686113 CEST	80	49749	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:50.333759069 CEST	49749	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:50.452334881 CEST	49749	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:50.452676058 CEST	49750	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:50.457576990 CEST	80	49750	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:50.457699060 CEST	49750	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:50.457824945 CEST	49750	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:50.457885981 CEST	80	49749	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:50.457942963 CEST	49749	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:50.462615967 CEST	80	49750	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:51.840065002 CEST	80	49750	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:51.840192080 CEST	49750	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:51.952506065 CEST	49750	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:51.952841997 CEST	49751	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:51.957809925 CEST	80	49751	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:51.957891941 CEST	49751	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:51.958070993 CEST	49751	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:51.959284067 CEST	80	49750	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:51.959337950 CEST	49750	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:51.963536024 CEST	80	49751	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:53.279793024 CEST	80	49751	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:53.279871941 CEST	49751	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:53.390045881 CEST	49751	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:53.394942045 CEST	80	49751	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:54.003155947 CEST	80	49751	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:54.003242016 CEST	49751	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:54.124646902 CEST	49751	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:54.124982119 CEST	49752	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:54.129817009 CEST	80	49752	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:54.129906893 CEST	49752	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:54.130079985 CEST	49752	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:54.137296915 CEST	80	49751	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:54.137351990 CEST	49751	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:54.137429953 CEST	80	49752	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:55.447046995 CEST	80	49752	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:55.447146893 CEST	49752	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:55.561741114 CEST	49752	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:55.562104940 CEST	49753	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:55.568099976 CEST	80	49752	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:55.568115950 CEST	80	49753	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:55.568170071 CEST	49752	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:55.568206072 CEST	49753	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:55.568367004 CEST	49753	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:55.574716091 CEST	80	49753	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:56.880307913 CEST	80	49753	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:56.880367041 CEST	49753	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:56.999926090 CEST	49753	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:57.000238895 CEST	49754	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:57.005100012 CEST	80	49754	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:57.005114079 CEST	80	49753	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:57.005196095 CEST	49753	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:57.005227089 CEST	49754	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:57.005323887 CEST	49754	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:57.010157108 CEST	80	49754	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:58.296247959 CEST	80	49754	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:58.296452045 CEST	49754	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:58.405788898 CEST	49754	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:58.410687923 CEST	80	49754	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:59.020684004 CEST	80	49754	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:59.020881891 CEST	49754	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:59.140242100 CEST	49754	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:59.140580893 CEST	49755	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:59.145395994 CEST	80	49755	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:59.145486116 CEST	49755	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:59.145571947 CEST	49755	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:59.145817041 CEST	80	49754	94.156.8.14	192.168.2.6
Jun 11, 2024 20:03:59.145898104 CEST	49754	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:03:59.154050112 CEST	80	49755	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:00.526153088 CEST	80	49755	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:00.526228905 CEST	49755	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:00.655651093 CEST	49755	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:00.655874014 CEST	49756	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:00.660727978 CEST	80	49756	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:00.660842896 CEST	49756	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:00.660933018 CEST	49756	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:00.660948038 CEST	80	49755	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:00.661006927 CEST	49755	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:00.665661097 CEST	80	49756	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:02.043059111 CEST	80	49756	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:02.043143988 CEST	49756	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:02.161530972 CEST	49756	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:02.165234089 CEST	49757	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:02.166796923 CEST	80	49756	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:02.166871071 CEST	49756	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:02.170049906 CEST	80	49757	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:02.170126915 CEST	49757	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:02.172904968 CEST	49757	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:02.177624941 CEST	80	49757	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:03.500586033 CEST	80	49757	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:03.500703096 CEST	49757	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:03.610784054 CEST	49757	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:03.611068964 CEST	49758	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:03.617706060 CEST	80	49757	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:03.617774010 CEST	49757	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:03.617801905 CEST	80	49758	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:03.617862940 CEST	49758	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:03.617994070 CEST	49758	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:03.623231888 CEST	80	49758	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:04.907944918 CEST	80	49758	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:04.908004999 CEST	49758	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:05.016891956 CEST	49758	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:05.017242908 CEST	49759	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:05.021995068 CEST	80	49759	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:05.022054911 CEST	80	49758	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:05.022067070 CEST	49759	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:05.022126913 CEST	49758	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:05.022217989 CEST	49759	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:05.026938915 CEST	80	49759	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:06.283169031 CEST	80	49759	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:06.283240080 CEST	49759	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:06.413537979 CEST	49759	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:06.413984060 CEST	49760	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:06.418724060 CEST	80	49759	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:06.418786049 CEST	49759	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:06.418858051 CEST	80	49760	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:06.418914080 CEST	49760	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:06.419496059 CEST	49760	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:06.424240112 CEST	80	49760	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:07.647169113 CEST	80	49760	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:07.648874044 CEST	49760	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:07.767342091 CEST	49761	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:07.767344952 CEST	49760	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:07.772234917 CEST	80	49761	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:07.772901058 CEST	80	49760	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:07.772964954 CEST	49761	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:07.773089886 CEST	49761	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:07.773221016 CEST	49760	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:07.777834892 CEST	80	49761	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:09.038383007 CEST	80	49761	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:09.040910006 CEST	49761	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:09.175491095 CEST	49761	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:09.175491095 CEST	49762	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:09.180825949 CEST	80	49762	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:09.181540012 CEST	80	49761	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:09.182154894 CEST	49761	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:09.182154894 CEST	49762	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:09.182356119 CEST	49762	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:09.187129974 CEST	80	49762	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:10.528445005 CEST	80	49762	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:10.528512001 CEST	49762	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:10.642657042 CEST	49762	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:10.642915010 CEST	49763	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:10.647705078 CEST	80	49763	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:10.647763968 CEST	49763	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:10.647789955 CEST	80	49762	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:10.647830009 CEST	49762	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:10.647905111 CEST	49763	80	192.168.2.6	94.156.8.14
Jun 11, 2024 20:04:10.652648926 CEST	80	49763	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:12.029968977 CEST	80	49763	94.156.8.14	192.168.2.6
Jun 11, 2024 20:04:12.030086994 CEST	49763	80	192.168.2.6	94.156.8.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2024 20:02:59.666649103 CEST	52234	53	192.168.2.6	91.211.247.248
Jun 11, 2024 20:02:59.704720020 CEST	53	52234	91.211.247.248	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 11, 2024 20:02:59.666649103 CEST	192.168.2.6	91.211.247.248	0x8959	Standard query (0)	aadolui.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 11, 2024 20:02:59.704720020 CEST	91.211.247.248	192.168.2.6	0x8959	No error (0)	aadolui.ru		94.156.8.14	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

aadolui.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49720	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:00.558790922 CEST	317	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e79c923c HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:01.954236031 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49721	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:02.083472967 CEST	317	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e79c923c HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:03.446904898 CEST	1230	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 33 66 65 0d 0a 36 37 62 36 38 61 38 61 33 32 30 33 61 37 37 62 30 34 31 38 66 35 35 66 36 37 37 35 38 31 64 65 34 36 66 62 38 37 64 32 65 38 31 65 30 31 65 39 61 32 35 64 66 63 35 32 39 31 62 64 64 33 38 32 64 37 63 30 31 34 63 34 31 34 64 65 65 35 63 38 36 35 37 32 65 33 31 34 39 31 38 64 38 34 31 34 32 37 65 31 36 39 35 63 61 62 36 62 66 35 36 34 62 37 33 32 35 30 63 61 66 64 64 33 30 38 63 62 34 37 63 38 36 33 62 31 31 35 66 61 32 64 38 38 32 32 65 64 30 65 61 37 36 37 63 31 35 39 62 38 65 33 34 65 65 64 35 31 37 65 34 62 65 39 33 61 36 36 39 37 33 63 37 39 38 63 66 39 30 66 63 35 65 39 39 66 39 39 33 62 63 64 36 34 39 37 31 35 64 64 34 65 38 65 32 32 62 37 34 37 62 32 65 64 35 66 33 66 65 66 37 66 64 34 66 37 37 38 62 39 38 66 65 66 64 65 34 62 65 66 33 61 64 37 31 37 33 34 35 64 34 34 32 35 65 31 33 62 37 35 30 30 36 63 62 38 65 63 38 64 66 35 38 37 32 34 35 34 66 38 35 65 36 35 32 37 66 39 33 34 35 66 66 34 66 61 65 64 38 66 66 61 33 65 37 30 61 35 65 39 34 36 38 63 38 35 66 38 37 63 33 39 31 [TRUNCATED] Data Ascii: 3fe67b68a8a3203a77b0418f55f677581de46fb87d2e81e01e9a25dfc5291bdd382d7c014c414dee5c86572e314918d841427e1695cab6bf564b73250cafdd308cb47c863b115fa2d8822ed0ea767c159b8e34eed517e4be93a66973c798cf90fc5e99f993bcd649715dd4e8e22b747b2ed5f3fef7fd4f778b98fefde4bef3ad717345d4425e13b75006cb8ec8df5872454f85e6527f9345ff4faed8ffa3e70a5e9468c85f87c391bb476ee9bcdb866d16b0e293961b255cbdeb33a2ca4c80abe0ab8a232b3ccce2e762b08cd31eb0defd6be0d4ad23f18c55ddeed659d33b6955dbce3d9a8ca3a26be78b6ec029ebebd735cbe8ef63faffc808c1eed14e251884472c7b5dffcdc4d79a09feb30ad74890f37a02ad626dc9e07d55fb0341a1d59c0d66e5c3b596482fa902b2c7e4e11cedcb0121af7d7b8e9dd3f7773f93785dc040f4583a3c0094f44d47d7e5b3448fdd0d2d2f1cb52823d6e47f479348223b7c796618c57de8d281515609bff94e8180fa62489d90c7102d929cdf19616773478973702ed5c4d766f9844daa6a2e234bdd6c812528d2dc8495785b7c967d35825b56ae23327b5678a561dcfa4a4a567afde049250d7dbcb55ac10b549f7adb0659ba52faa262b0d35c79d7914efbfcd4978ea2e382a140e8e6bee1fca43cd1684fec5851abc05d1eff091684ddf3b75f8df0d9a5c050744d [TRUNCATED]
Jun 11, 2024 20:03:06.281713009 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:06.944936991 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49723	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:07.068331003 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:08.408154011 CEST	1088	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 33 37 30 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 39 38 36 64 32 65 66 31 39 30 31 65 38 61 30 34 61 65 62 30 36 64 65 66 61 38 62 65 64 39 66 38 33 34 38 39 65 34 64 64 36 65 30 63 30 33 36 33 33 61 65 35 32 66 66 64 35 63 30 31 33 32 33 65 39 37 37 35 38 61 36 37 34 66 65 36 32 62 37 33 32 35 37 63 37 65 30 64 31 30 65 64 65 34 36 63 62 37 37 62 33 31 30 66 66 33 38 38 62 32 35 65 31 30 65 61 37 36 65 63 34 34 64 62 61 65 37 34 65 66 33 35 38 37 62 34 35 65 36 32 35 36 37 39 35 33 62 36 63 38 66 66 36 31 35 64 65 65 65 39 34 39 61 32 35 63 38 36 64 38 38 31 31 64 30 35 61 38 65 32 61 62 36 35 32 62 32 65 30 35 61 33 66 65 66 36 35 64 34 66 61 36 37 62 62 38 63 65 39 64 66 34 39 65 36 33 65 63 32 31 37 33 31 35 63 34 34 32 31 65 30 32 33 36 63 30 30 36 66 61 37 65 64 38 65 66 38 38 63 32 65 35 31 65 36 35 37 37 61 32 39 66 62 33 34 35 66 66 32 66 66 66 39 38 66 66 38 32 30 37 61 61 30 65 62 34 64 39 33 38 34 66 62 37 31 32 65 31 [TRUNCATED] Data Ascii: 37067b69c953804b26b565fe95b321bd19a55f986d2ef1901e8a04aeb06defa8bed9f83489e4dd6e0c03633ae52ffd5c01323e97758a674fe62b73257c7e0d10ede46cb77b310ff388b25e10ea76ec44dbae74ef3587b45e62567953b6c8ff615deee949a25c86d8811d05a8e2ab652b2e05a3fef65d4fa67bb8ce9df49e63ec217315c4421e0236c006fa7ed8ef88c2e51e6577a29fb345ff2fff98ff8207aa0eb4d9384fb712e16a36aee9ed5b365cf6a02283b61ac57c5dca53c30bcc910b903babc33b1c5c131712a0ed831e316f0d0be0151db3d0dc657def9629d2db79d56aafcd8a8de3a27b966bceb0f91a2bc735aa08cfc23b3ff848101ef11e744814466ceb5c1fdd34b60a787ef3ab175880e29aa20dd32dc9f00cb56bd391a1451d4d66a59255b618fff8e2a2c6b4e17c9dcb0100dfcd7b9f7dc367671e23f85c904034583acc71d4d4cdd63745c3b44e1d1d2ccfbc952823e6d4ae07d318536b7ce9a758854c08c2b14037f95f780eb1d0fb82880da127303dd3ccdfc9416743478833700ed424778648c4edab8a3e73fabd9dc1852932ccd42488cb2d56fd0513bb768e92c26ba7a81561dd1a5aca871a1c406904ed6decb7b0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49725	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:08.537349939 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:09.904525995 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:10.015866995 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:10.662127972 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49726	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:10.792999983 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:12.164022923 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49729	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:12.287039042 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:13.642710924 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49730	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:13.771404982 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:15.109380960 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:15.218492031 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:15.846194983 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49731	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:15.981359959 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:17.235989094 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:17.343055010 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:17.896166086 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49732	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:18.026242018 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:19.383019924 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49733	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:19.507042885 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:20.887610912 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:20.999589920 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:21.650306940 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49734	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:21.772011995 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:23.126228094 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:23.234594107 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:23.874078989 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:23.984682083 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:24.616264105 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49735	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:24.741077900 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:26.104337931 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:26.217999935 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:26.839590073 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49736	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:26.957935095 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:28.262629032 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:28.375163078 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:29.005793095 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49737	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:29.131237030 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:30.504712105 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49738	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:30.677237988 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:32.062359095 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:32.171181917 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:32.819355965 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49739	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:33.060283899 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:34.400517941 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49740	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:34.520545959 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:35.848656893 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49741	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:35.977087975 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:37.306004047 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49742	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:37.431894064 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:38.817058086 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49743	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:38.944323063 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:40.339371920 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49744	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:40.458370924 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:41.842921972 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:41.953237057 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:42.610620975 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:42.718123913 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:43.382011890 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49746	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:43.506707907 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:45.020930052 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49747	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:45.145687103 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:46.507627964 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49748	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:46.629803896 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:47.950431108 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:48.061954021 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:48.839855909 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49749	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:48.957781076 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:50.333686113 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49750	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:50.457824945 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:51.840065002 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49751	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:51.958070993 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:53.279793024 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:53.390045881 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:54.003155947 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49752	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:54.130079985 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:55.447046995 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49753	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:55.568367004 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:56.880307913 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49754	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:57.005323887 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:58.296247959 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20
Jun 11, 2024 20:03:58.405788898 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:03:59.020684004 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:03:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49755	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:03:59.145571947 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:04:00.526153088 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:04:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	49756	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:04:00.660933018 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:04:02.043059111 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:04:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	49757	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:04:02.172904968 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:04:03.500586033 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:04:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	49758	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:04:03.617994070 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:04:04.907944918 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:04:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	49759	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:04:05.022217989 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:04:06.283169031 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:04:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	49760	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:04:06.419496059 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:04:07.647169113 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:04:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	49761	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:04:07.773089886 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:04:09.038383007 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:04:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	49762	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:04:09.182356119 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:04:10.528445005 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:04:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	49763	94.156.8.14	80	5068	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

Timestamp	Bytes transferred	Direction	Data
Jun 11, 2024 20:04:10.647905111 CEST	323	OUT	GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Jun 11, 2024 20:04:12.029968977 CEST	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 11 Jun 2024 18:04:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a Data Ascii: e67b680813008c20

Target ID:	0
Start time:	14:02:03
Start date:	11/06/2024
Path:	C:\Users\user\Desktop\9MgoW3Y1ti.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9MgoW3Y1ti.exe"
Imagebase:	0x400000
File size:	5'167'185 bytes
MD5 hash:	B5782418B0D93145D5E7D5FF762C50E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:02:04
Start date:	11/06/2024
Path:	C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp" /SL5="$203EC,4916934,54272,C:\Users\user\Desktop\9MgoW3Y1ti.exe"
Imagebase:	0x400000
File size:	696'832 bytes
MD5 hash:	8EF7001015E126E74BC41268504CA1E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:02:06
Start date:	11/06/2024
Path:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
Imagebase:	0x400000
File size:	3'149'260 bytes
MD5 hash:	05231A29BF2470E3D5FEA74C5FD84462
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.2196454307.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:02:06
Start date:	11/06/2024
Path:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
Imagebase:	0x400000
File size:	3'149'260 bytes
MD5 hash:	05231A29BF2470E3D5FEA74C5FD84462
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.2199461093.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.3438919346.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	14:02:49
Start date:	11/06/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.3%
Total number of Nodes:	1514
Total number of Limit Nodes:	21

Executed Functions

Function 00409A14 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 00409A26
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409A31
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409A72
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409AA4
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409AB4

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: c2769086b94dacb7810d1409196c7497058a42c32b70979fc979e51038c0ff67
Instruction ID: 05782b2e5a8588c9c74d05110837466633af9a4b7a19298b20ab433fd050a55e
Opcode Fuzzy Hash: c2769086b94dacb7810d1409196c7497058a42c32b70979fc979e51038c0ff67
Instruction Fuzzy Hash: D0216FB13003846BD6309A698C85E67B7DC9F85360F18492AFA85E62C3D73DED40CB59

Function 0040515C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
Instruction ID: b78bf48cff894a3999656c5243e329942f020ab22272e2e872fdbeeaebf0035e
Opcode Fuzzy Hash: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
Instruction Fuzzy Hash: EDE09271B0021426D711A9699C86AEB735DDB58310F0006BFB904EB3C6EDB49E8046ED

Function 00408FC8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409061,?,?,?,?,00000000,?,00409B53), ref: 00408FE8
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408FEE
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00409061,?,?,?,?,00000000,?,00409B53), ref: 00409002
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409008

Strings

kernel32.dll, xrefs: 00408FE3, 00408FFD
shell32.dll, xrefs: 00409034
Wow64DisableWow64FsRedirection, xrefs: 00408FDE
Wow64RevertWow64FsRedirection, xrefs: 00408FF8

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 17e7db4c528402608d9f53e260f8b79ce616995abb8d95c1af2dd02ed3ed6c5c
Instruction ID: 9fcc65c531327f2d7efb14c601a25e4e420c6304718e48176e9e04a6a3b299d5
Opcode Fuzzy Hash: 17e7db4c528402608d9f53e260f8b79ce616995abb8d95c1af2dd02ed3ed6c5c
Instruction Fuzzy Hash: 6701DF70208300AEEB10AB76DC47B563AA8E782714F60843BF504B22C3CA7C5C44CA2E

Function 00409FB4 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A010
SetWindowLongA.USER32(000203EC,000000FC,004097FC), ref: 0040A027

Part of subcall function 00406ADC: GetCommandLineA.KERNEL32(00000000,00406B20,?,?,?,?,00000000,?,0040A098,?), ref: 00406AF4

Part of subcall function 00409888: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02091650,00409974,00000000,0040995B), ref: 004098F8
Part of subcall function 00409888: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02091650,00409974,00000000), ref: 0040990C
Part of subcall function 00409888: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
Part of subcall function 00409888: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
Part of subcall function 00409888: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02091650,00409974), ref: 00409940

RemoveDirectoryA.KERNEL32(00000000,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A113
73EA5CF0.USER32(000203EC,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A127

Strings

/SL5="$%x,%d,%d,, xrefs: 0040A067
InnoSetupLdrWindow, xrefs: 0040A004
STATIC, xrefs: 0040A009

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 978128352-3001827809
Opcode ID: f35d8c1ce23740e5e47570a4a7ea1aa6b0c7a4e1336b706dbfad7c34b6de0a74
Instruction ID: 994b03bd5abc72cbe06dd2c14f0861f5fc0fad0f3ad24bd21fe84be6bde737e4
Opcode Fuzzy Hash: f35d8c1ce23740e5e47570a4a7ea1aa6b0c7a4e1336b706dbfad7c34b6de0a74
Instruction Fuzzy Hash: 57411A70A00205DFD715EBA9EE86B9A7BA5EB84304F10427BF510B73E2DB789801DB5D

Function 00409FD8 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00409460: GetLastError.KERNEL32(00000000,00409503,?,0040B240,?,02091650), ref: 00409484

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A010
SetWindowLongA.USER32(000203EC,000000FC,004097FC), ref: 0040A027

Part of subcall function 00406ADC: GetCommandLineA.KERNEL32(00000000,00406B20,?,?,?,?,00000000,?,0040A098,?), ref: 00406AF4

Part of subcall function 00409888: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02091650,00409974,00000000,0040995B), ref: 004098F8
Part of subcall function 00409888: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02091650,00409974,00000000), ref: 0040990C
Part of subcall function 00409888: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
Part of subcall function 00409888: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
Part of subcall function 00409888: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02091650,00409974), ref: 00409940

RemoveDirectoryA.KERNEL32(00000000,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A113
73EA5CF0.USER32(000203EC,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A127

Strings

/SL5="$%x,%d,%d,, xrefs: 0040A067
InnoSetupLdrWindow, xrefs: 0040A004
STATIC, xrefs: 0040A009

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 240127915-3001827809
Opcode ID: 41e9b17cc1901837085009e7774581f9f675215498936b1d5fec870b95540319
Instruction ID: cbbd3698a6e5ddb8e812fa6c760aedb007618753dcf5685e5a94b93d1743052f
Opcode Fuzzy Hash: 41e9b17cc1901837085009e7774581f9f675215498936b1d5fec870b95540319
Instruction Fuzzy Hash: 04412B70A00205DBC715EBA9EE86B9E3BA5EB84304F10427BF510B73E2DB789801DB5D

Function 00409888 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02091650,00409974,00000000,0040995B), ref: 004098F8
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02091650,00409974,00000000), ref: 0040990C
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02091650,00409974), ref: 00409940

Part of subcall function 00409460: GetLastError.KERNEL32(00000000,00409503,?,0040B240,?,02091650), ref: 00409484

Strings

D, xrefs: 004098D2

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: 3e364823df46f41b243604843b678d585e88c5cad38ef85377b023b87dae9783
Instruction ID: 0c6d97fba1df7b16fba7b9ed0c132cba9133a3324ac8f072eb64155fee6ae1b7
Opcode Fuzzy Hash: 3e364823df46f41b243604843b678d585e88c5cad38ef85377b023b87dae9783
Instruction Fuzzy Hash: AC1130B16142086EDB10FBE68C52F9EBBACEF49718F50013EB614F62C7DA785D048669

Function 00409D26 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409D8A

Strings

.tmp, xrefs: 00409DD0
$u@, xrefs: 00409E3E

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Message
String ID: $u@$.tmp
API String ID: 2030045667-236237750
Opcode ID: 76a7687ccf1c1f3f155fed8792e4b2e0c469f7c74cc7371f2538726c547644a2
Instruction ID: fbeaf51a7290a35b1d20cf1acd7fffd14229a7cea4ec7fe779b7d8bf1d8f9ef0
Opcode Fuzzy Hash: 76a7687ccf1c1f3f155fed8792e4b2e0c469f7c74cc7371f2538726c547644a2
Instruction Fuzzy Hash: 7041A170604201DFD311EF19DE92A5A7BA6FB49304B11453AF801B73E2CB79AC01DAAD

Function 00409D41 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409D8A

Strings

.tmp, xrefs: 00409DD0
$u@, xrefs: 00409E3E

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Message
String ID: $u@$.tmp
API String ID: 2030045667-236237750
Opcode ID: 4be92c8e37dddd0a3a50cfadddd3e7ce3c10b6794e32ae209eae1f209508f25f
Instruction ID: 7aabf0afbc79ebbbc3d3aa4d6af75c8ddef5afe13af9357e4f9bebdf666c2db7
Opcode Fuzzy Hash: 4be92c8e37dddd0a3a50cfadddd3e7ce3c10b6794e32ae209eae1f209508f25f
Instruction Fuzzy Hash: 66418070600201DFC711EF69DE92A5A7BB6FB49304B11457AF801B73E2CB79AC01DAAD

Function 00409254 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00409343,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040929A
GetLastError.KERNEL32(00000000,00000000,?,00000000,00409343,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004092A3

Strings

.tmp, xrefs: 00409283

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 7647810fba1c1a7df54c129ecd6d2966c744d5805a6f131b99297333171aebfe
Instruction ID: 381de743b5e558d6c5ac88c9815bc56a2e764fefa580558ac3af8d983805238d
Opcode Fuzzy Hash: 7647810fba1c1a7df54c129ecd6d2966c744d5805a6f131b99297333171aebfe
Instruction Fuzzy Hash: 3C214975A002089BDB01EFE1C9429DEB7B9EB48304F10457BE901B73C2DA7CAF058AA5

Function 00401430 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Strings

da, xrefs: 0040146E

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: da
API String ID: 2087232378-1065653613
Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Function 00401658 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Strings

da, xrefs: 00401687, 004016C7

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FreeVirtual
String ID: da
API String ID: 1263568516-1065653613
Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8

Function 00406F00 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008000), ref: 00406F0A
LoadLibraryA.KERNEL32(00000000,00000000,00406F54,?,00000000,00406F72,?,00008000), ref: 00406F39

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 280b78466cfb49ac5d1a4d8de4e82968344a77d2278ba686a31885ea79f0a63b
Instruction ID: 61c75ae37e4b7eabf140846b9e9d3e90831ba1beb5fed57b889ca027c52d2016
Opcode Fuzzy Hash: 280b78466cfb49ac5d1a4d8de4e82968344a77d2278ba686a31885ea79f0a63b
Instruction Fuzzy Hash: 49F08270614704BEDB029FB69C6282BBBFCE749B0475348B6F904A26D2E53C5D208568

Function 004075CC Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 004075EB
GetLastError.KERNEL32(?,?,?,00000000), ref: 004075F3

Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020903AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 4b4e93de333a3cce642c2996d73c93b1535ff8d1f0695df8178d397978e57373
Instruction ID: cda5b13584bb414d1d7c0d7cef5a43535e1b929ad68122291bf656bee98e9d77
Opcode Fuzzy Hash: 4b4e93de333a3cce642c2996d73c93b1535ff8d1f0695df8178d397978e57373
Instruction Fuzzy Hash: A0E092766081016FD601D55EC881B9B33DCDFC5365F00453ABA54EB2D1D675AC0087B6

Function 0040758C Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 004075A3
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004075B2

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 60e63bc2ff5526e1bd28c8a7098a19329bed0093cf160d1b5924f83231400461
Instruction ID: 6d0e635579d8ef6deec62af0acb898b5effba2491802df9b0589d4017bc118ea
Opcode Fuzzy Hash: 60e63bc2ff5526e1bd28c8a7098a19329bed0093cf160d1b5924f83231400461
Instruction Fuzzy Hash: 4FE012B1A181147AEB24965A9CC5FAB6BDCCBC5314F14847BF904DB282D678DC04877B

Function 00407524 Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 0040753B
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407547

Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020903AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 0dd762855ce75d8d861d21fe55c1929f9bb0fd02210f0b496c114b023f039fab
Instruction ID: cd7afd6369a15af5fc7b0f7528e30ca6696358c0ea2e6c45e94f6e0b4d50a73a
Opcode Fuzzy Hash: 0dd762855ce75d8d861d21fe55c1929f9bb0fd02210f0b496c114b023f039fab
Instruction Fuzzy Hash: 0EE04FB1600210AFEB10EEB98C81B9672DC9F48364F048576EA14DF2C6D274DC00C766

Function 004051D0 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00405306), ref: 004051EF

Part of subcall function 00404C2C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404C49

Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
Instruction ID: c760dbbb10683706500036a577470844d35ac6ab0c013c9c95042e4326961867
Opcode Fuzzy Hash: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
Instruction Fuzzy Hash: 3B313D75E00119ABCB00EF95C8C19EEB779FF84304F158977E815BB285E739AE058B98

Function 004074D6 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407518

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ce86d0b46b6749cbb1c8065cdd94f6338fa023cacd1506a2c152e65e14b54ccf
Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
Opcode Fuzzy Hash: ce86d0b46b6749cbb1c8065cdd94f6338fa023cacd1506a2c152e65e14b54ccf
Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8

Function 004074D8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407518

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5c7f1f50133f8918f9d70925a1da877e635501982028b62cfe689d085d452769
Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
Opcode Fuzzy Hash: 5c7f1f50133f8918f9d70925a1da877e635501982028b62cfe689d085d452769
Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8

Function 0040693C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406984,?,?,?,?,00000000,?,00406999,00406CC7,00000000,00406D0C,?,?,?), ref: 00406967

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 53f9965764e037d0eade91fd77cfc00c47722664131d9e88e47f7f2d0abdeb71
Instruction ID: a5d31a369ac9c1460ce21b6bb4ed2cb839aeaeb50f5f76e03c39097c5263300d
Opcode Fuzzy Hash: 53f9965764e037d0eade91fd77cfc00c47722664131d9e88e47f7f2d0abdeb71
Instruction Fuzzy Hash: A9E065712043047FD701EA629C52959B7ACDB89708B924476B501A6682D5785E108568

Function 00407628 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040763F

Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020903AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 2449abf237b154253dcf2b231e0da589e0eb2b5517b9a23d8c49629d5bbf5411
Instruction ID: 68b513bd5595dc6b38f1d245c0222f257f742b1e6f06676187839ef0e6677733
Opcode Fuzzy Hash: 2449abf237b154253dcf2b231e0da589e0eb2b5517b9a23d8c49629d5bbf5411
Instruction Fuzzy Hash: 93E01A727081106BEB10E65EDCC0EABA7DCDFC5764F04547BBA08EB291D674AC049676

Function 004071E4 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0040904B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00409061), ref: 00407203

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 606059c89ae6d8e8cf07aa2f3a49422b1cb7a18355834490beef1a35ac41266b
Instruction ID: 095b59eb22c1ada42cfe979e419102ec0d22498c88dfceb067fba30b4837873c
Opcode Fuzzy Hash: 606059c89ae6d8e8cf07aa2f3a49422b1cb7a18355834490beef1a35ac41266b
Instruction Fuzzy Hash: 8DE0D8A0B8830125F22514544C87B77110E53C0700F50847EB710ED3D3D6BEA90641AF

Function 0040760C Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,020A8000,00409F6B,00000000), ref: 00407613

Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020903AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 2ff8edb08080e924c2b395f282aa3d8258573adb5ced5672aaac345b41159427
Instruction ID: 5d9383f6f08d3e81a9fa52c4aba0b6319cc61be016c813106cdb36ce464f185a
Opcode Fuzzy Hash: 2ff8edb08080e924c2b395f282aa3d8258573adb5ced5672aaac345b41159427
Instruction Fuzzy Hash: 39C04CB1A0450047DB40A6BE99C1A0662DC5A483157045576BA08DB297D679E8009665

Function 00406F5B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00406F79), ref: 00406F6C

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b3342c3bee8ef6d4bfebdffece25c86b3cab89117035339c57c774ddff03cb9f
Instruction ID: 754ecbd0d3eeca534395493226652c0236480d823d7569c9efe771d01927bad3
Opcode Fuzzy Hash: b3342c3bee8ef6d4bfebdffece25c86b3cab89117035339c57c774ddff03cb9f
Instruction Fuzzy Hash: 97B09B7661C2015DE705D6D5745193863F4D7C47103A1457BF104D25C0D57CD4144518

Function 00406F77 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00406F79), ref: 00406F6C

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8c0feaa3b8caa60bdda2d34a80aa64328f40d718bb3766066fe9d436f42a4d4e
Instruction ID: 7c61e226393e4972c06343dd54fa3db727d2c771c967085a02b7622724de7152
Opcode Fuzzy Hash: 8c0feaa3b8caa60bdda2d34a80aa64328f40d718bb3766066fe9d436f42a4d4e
Instruction Fuzzy Hash: BAA022A8C00002B2CE00E2F08080A3C23282A8C3003C00AAA322EB20C0C03CC000822A

Function 004068D0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,004068CC,?,004065A9,?,?,00406CE7,00000000,00406D0C,?,?,?,?,00000000,00000000), ref: 004068D2

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 17375083e06acd4281245791c958798094bb343357575ce1856f87173c3dc77f
Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
Opcode Fuzzy Hash: 17375083e06acd4281245791c958798094bb343357575ce1856f87173c3dc77f
Instruction Fuzzy Hash:

Function 00407DFC Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407E8C

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173b8e8880a2d8bc8916495ece18949fbab6e5abf9cd9f38168eb99c200b7a3e
Instruction ID: 2791b199587b26d82634b85145401aad68464bde91e43c5b6ac1b5c6de7462a2
Opcode Fuzzy Hash: 173b8e8880a2d8bc8916495ece18949fbab6e5abf9cd9f38168eb99c200b7a3e
Instruction Fuzzy Hash: 7A1172716042449BDB00EE19C881B5B3794AF84359F1484BAF958AB2C6DB38EC04CBAA

Function 004074A8 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 004074B8

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e9d4eabf3352258034a438adb9f93a7799ac96b59790047b66948ab7235a5e89
Instruction ID: 0172511661962fd54a17c381567595eb1d39a1afdb2a9088c563811225ee2893
Opcode Fuzzy Hash: e9d4eabf3352258034a438adb9f93a7799ac96b59790047b66948ab7235a5e89
Instruction Fuzzy Hash: FDD05E81B00A6017D215E2BE498864696C85F88745B08847AFA84E73D1D67CAC008399

Function 00407DA4 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407E82), ref: 00407DBB

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5b9bfc86dfec920811477731d59a81a0154f8da7388717baf7e2e0d063c75e3e
Instruction ID: 99ab645fda39969175de1cb99313e8e2edaeef7f3c7532f72142fb74a6686f70
Opcode Fuzzy Hash: 5b9bfc86dfec920811477731d59a81a0154f8da7388717baf7e2e0d063c75e3e
Instruction Fuzzy Hash: 0AD0E9B17553055BDB90EEB95CC5B123BD87B48601F5044B66904EB29AE674E8109614

Non-executed Functions

Function 0040936C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0040937B
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409381
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040939A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004093C1
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004093C6
ExitWindowsEx.USER32(00000002,00000000), ref: 004093D7

Strings

SeShutdownPrivilege, xrefs: 00409393

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 2b7c2d1c4f590a8974f253569f8503172d2d606641626e35aa9b2bf4c08caf06
Instruction ID: 611fb1cec5075bd7f6e538fe0f9c98e62950726bb4ce6d0bef13c3fa82a74cfd
Opcode Fuzzy Hash: 2b7c2d1c4f590a8974f253569f8503172d2d606641626e35aa9b2bf4c08caf06
Instruction Fuzzy Hash: 95F0627068430276E610A6718C47F67228C5B88B08F50483ABE51FA1C3D7BCCC044A6F

Function 00409AD0 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409ADA
SizeofResource.KERNEL32(00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 00409AED
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4,?,00000000), ref: 00409AFF
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4), ref: 00409B10

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 400a5822642c04a340576dade1617737d9942a0be047b9803f81a1d9eeffe18d
Instruction ID: bd400d834a0aeaf6767d0a45abc69bca8fb82328816d2df24890c915d48f9c17
Opcode Fuzzy Hash: 400a5822642c04a340576dade1617737d9942a0be047b9803f81a1d9eeffe18d
Instruction Fuzzy Hash: 87E05AD035434625EA6036E718D2B2B62085FA471DF00013FBB00792D3DDBC8C04452E

Function 004051A8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
Instruction ID: dec8dcb9893e8432c944e1b70884c8cc40709e939aac0c2d0d2241257bb7fc31
Opcode Fuzzy Hash: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
Instruction Fuzzy Hash: D3D05EB631E6502AE210519B2D85EBB4EACCAC57A4F14443BF648DB242D2248C069776

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748

Function 00405C44 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00406540,00000000,0040654E,?,?,?,?,?,00409B44), ref: 00405C52

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
Instruction ID: 6a84e84a5bdb2c7c5b206d002f2a3fc227ad50a79849cf1aa773f1ea3c1cbc6a
Opcode Fuzzy Hash: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
Instruction Fuzzy Hash: 5AC0126040470186E7109B319C42B1672D4A744310F4805396DA4953C2E73C81018A5A

Function 00408330 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 956cfbd081f07b2254a6d3089f19d76ceb57970edf417c817245e325156cd300
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: 4432E875E04219DFCB14CF99CA80AADB7B2BF88314F24816AD845B7385DB34AE42CF55

Function 00406F84 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407089), ref: 00406FAD
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406FB3
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407089), ref: 00407001

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00407010
.DEFAULT\Control Panel\International, xrefs: 00406FD8
kernel32.dll, xrefs: 00406FA8
Locale, xrefs: 00406FF0
GetUserDefaultUILanguage, xrefs: 00406FA3

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 60a9e4a616bde9d3650d5374f7b0e792bef98a6345d6610fa7bc99ac1ec5f133
Instruction ID: 4848c3cc747176469ce0ef08a48ea257d9f62360c4c8e5a9f2e1a14c28c6fa3b
Opcode Fuzzy Hash: 60a9e4a616bde9d3650d5374f7b0e792bef98a6345d6610fa7bc99ac1ec5f133
Instruction Fuzzy Hash: C3217370E04209ABDB10EBB5CD51B9F77A8EB44304F60857BA500F72C1DB7CAA05879E

Function 004019DC Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(0060F730,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(?,00000000,00008000,0060F730,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(00610730,?,00000000,00008000,0060F730,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE

Strings

Ta, xrefs: 00401A53
da, xrefs: 00401A27, 00401A41, 00401A49
$a, xrefs: 00401A5D

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: $a$Ta$da
API String ID: 3782394904-3202075603
Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 00401918 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Strings

Ta, xrefs: 00401950
da, xrefs: 00401946
$a, xrefs: 0040195A

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: $a$Ta$da
API String ID: 730355536-3202075603
Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Function 00405314 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040555C,?,?,?,?,00000000,00000000,00000000,?,0040653B,00000000,0040654E), ref: 0040532E

Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A

Part of subcall function 004051A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB

Strings

AMPM, xrefs: 004054F9
:mm:ss, xrefs: 0040552A
:mm, xrefs: 00405510
m/d/yy, xrefs: 004053FD
mmmm d, yyyy, xrefs: 0040541F

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
Instruction ID: f22f4b18e1885e1925b87b286fa486de3d96a381b4aec2b7527aff107c54c5fa
Opcode Fuzzy Hash: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
Instruction Fuzzy Hash: 8E514234B00648ABDB00EBA59C91B9F776ADB89304F50957BB514BB3C6CA3DCA058B5C

Function 00403D02 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Error, xrefs: 00403D91
Runtime error at 00000000, xrefs: 00403D96, 00403DA9
9@, xrefs: 00403D29

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$9@
API String ID: 1220098344-1503883590
Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: e5c78b39f57021be2b84baee447ab27339ef0409ceaef8bd5dd3a85dcd2f6a98
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: e5c78b39f57021be2b84baee447ab27339ef0409ceaef8bd5dd3a85dcd2f6a98
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 00401494 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,Ta,?,?,?,00401800), ref: 004014B2
VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,Ta,?,?,?,00401800), ref: 004014D7
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,Ta,?,?,?,00401800), ref: 004014FD

Strings

Ta, xrefs: 00401497
da, xrefs: 004014E5

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID: Ta$da
API String ID: 3668210933-3182373871
Opcode ID: 53fb4fb4dead2bf9bf87b2a1222c08a4795459efffcdd9b971e00269c0061a0c
Instruction ID: d5dc587d839e3be782c9b7b9e1ff5a952950f17ebcccd457e3de013d7af40e21
Opcode Fuzzy Hash: 53fb4fb4dead2bf9bf87b2a1222c08a4795459efffcdd9b971e00269c0061a0c
Instruction Fuzzy Hash: 7CF0C8717403106AEB316E694CC5F533AD89F85754F1040BAFA0DFF3DAD6745800826C

Function 004030DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00409B3A), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,00409B3A), ref: 004030EE

Strings

h'_, xrefs: 004030F3
U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@$h'_
API String ID: 2123368496-3076631442
Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD

Function 004093FC Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040941B
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040942B
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040943E
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 00409448

Memory Dump Source

Source File: 00000000.00000002.3436798907.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3436754399.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436844550.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3436923335.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: fb2155ff6e4859bec8591c3fde2b363a3ebb44483e144ae34e4cc697df15f474
Instruction ID: 2c3041558bff2c9731999a3fdaa5bf7f611e1c5313eca5e15d372d414c244bd5
Opcode Fuzzy Hash: fb2155ff6e4859bec8591c3fde2b363a3ebb44483e144ae34e4cc697df15f474
Instruction Fuzzy Hash: 32F0B472A0811457CB34B5EF9981A6F638DEAD1368751813BF904F3383D578CD0392AD

Analysis Process: 9MgoW3Y1ti.tmpPID: 5232, Parent PID: 6528COMMON

Execution Graph

Execution Coverage:	16.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	50

Executed Functions

Function 0046C5C4 Relevance: 78.0, APIs: 4, Strings: 40, Instructions: 959COMMON

Download Yara Rule

Strings

Skipping due to "onlyifdoesntexist" flag., xrefs: 0046C8EA
IF, xrefs: 0046D613
Non-default bitness: 64-bit, xrefs: 0046C7CB
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046CDB2
InUn, xrefs: 0046D061
Non-default bitness: 32-bit, xrefs: 0046C7D7
Time stamp of existing file: %s, xrefs: 0046C947
Dest file exists., xrefs: 0046C8D7
Same time stamp. Skipping., xrefs: 0046CC71
Version of existing file: (none), xrefs: 0046CC16
-- File entry --, xrefs: 0046C617
Version of our file: (none), xrefs: 0046CA18
Existing file is protected by Windows File Protection. Skipping., xrefs: 0046CD08
Will register the file (a DLL/OCX) later., xrefs: 0046D41E
Failed to strip read-only attribute., xrefs: 0046CDEF
Existing file's MD5 sum matches our file. Skipping., xrefs: 0046CBD1
Existing file's MD5 sum is different from our file. Proceeding., xrefs: 0046CBE0
Time stamp of existing file: (failed to read), xrefs: 0046C953
Skipping due to "onlyifdestfileexists" flag., xrefs: 0046CE16
Incrementing shared file count (64-bit)., xrefs: 0046D48B
Couldn't read time stamp. Skipping., xrefs: 0046CC51
Installing the file., xrefs: 0046CE25
Dest filename: %s, xrefs: 0046C7B0
Version of our file: %u.%u.%u.%u, xrefs: 0046CA0C
User opted not to overwrite the existing file. Skipping., xrefs: 0046CD69
@, xrefs: 0046C6CC
Existing file is a newer version. Skipping., xrefs: 0046CB1E
Time stamp of our file: %s, xrefs: 0046C8B7
Same version. Skipping., xrefs: 0046CC01
.tmp, xrefs: 0046CED3
Existing file has a later time stamp. Skipping., xrefs: 0046CCEB
Will register the file (a type library) later., xrefs: 0046D412
, xrefs: 0046CAEB, 0046CCBC, 0046CD3A
Failed to read existing file's MD5 sum. Proceeding., xrefs: 0046CBEC
Stripped read-only attribute., xrefs: 0046CDE3
Dest file is protected by Windows File Protection., xrefs: 0046C809
Incrementing shared file count (32-bit)., xrefs: 0046D4A4
Uninstaller requires administrator: %s, xrefs: 0046D091
Version of existing file: %u.%u.%u.%u, xrefs: 0046CA98
Time stamp of our file: (failed to read), xrefs: 0046C8C3

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID:
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's MD5 sum is different from our file. Proceeding.$Existing file's MD5 sum matches our file. Skipping.$Failed to read existing file's MD5 sum. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$IF$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 0-3571605357
Opcode ID: c331ed72d788f652b5d8a0e231ec5862484b2ca6a8e1fb95928deca83195554c
Instruction ID: bbba4ebc422fcc932ed0245fa1df0834f4a6a16cbc4990aadff4421ccbeeb5a2
Opcode Fuzzy Hash: c331ed72d788f652b5d8a0e231ec5862484b2ca6a8e1fb95928deca83195554c
Instruction Fuzzy Hash: 54928630E042889FCB11DFA5C485BEDBBB5AF05308F5440ABE844B7392D7789E45DB5A

Function 00423B7C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3425962c5664b7636b89eb7a729afb539010c318ec026ce06c6a7b4d19c74a
Instruction ID: 08d2eb01bbb0ed60fc7aa7cee5e011afdc801c2d0a550085eeb8675b0aa62de6
Opcode Fuzzy Hash: 3f3425962c5664b7636b89eb7a729afb539010c318ec026ce06c6a7b4d19c74a
Instruction Fuzzy Hash: ACE19A30B00124EBC710DF69E585A5EB7B0FF48704FA441AAE645AB352CB7DEE81DB09

Function 00463B8C Relevance: 13.9, APIs: 4, Strings: 3, Instructions: 1645
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00490078: GetWindowRect.USER32(00000000), ref: 0049008E

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00463F5B

Part of subcall function 0041D620: GetObjectA.GDI32(?,00000018,00463F75), ref: 0041D64B

Part of subcall function 004639E8: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00463A85
Part of subcall function 004639E8: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463AAB
Part of subcall function 004639E8: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00463B07
Part of subcall function 004639E8: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463B2D

Part of subcall function 004633A4: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00464010,00000000,00000000,00000000,0000000C,00000000), ref: 004633BC

Part of subcall function 004902D4: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 004902DE

Part of subcall function 0048FFC8: 73E9A570.USER32(00000000,?,?,?), ref: 0048FFEA
Part of subcall function 0048FFC8: SelectObject.GDI32(?,00000000), ref: 00490010
Part of subcall function 0048FFC8: 73E9A480.USER32(00000000,?,0049006E,00490067,?,00000000,?,?,?), ref: 00490061

Part of subcall function 004902C4: MulDiv.KERNEL32(0000004B,?,00000006), ref: 004902CE

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0212ECFC,021307DC,?,?,0213080C,?,?,0213085C,?), ref: 00464BD3
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00464BE4
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00464BFC

Part of subcall function 00429FCC: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 00429FE2

Strings

(Default), xrefs: 004651E7
STOPIMAGE, xrefs: 00463F50
, xrefs: 0046401D

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Menu$AppendExtractFileIconInfoObject$A480A570BitmapCallbackDispatcherLoadMessageRectSelectSendSystemUserWindow
String ID: $(Default)$STOPIMAGE
API String ID: 1965080796-770201673
Opcode ID: 80f7aee92de1e31dca4f16c75dc9a4f5f3520f9015eb7726ec2554a956d9f7b2
Instruction ID: 9b804f360638e7ec9479bb78d72ee5234d78dd0d5496d892e29c920f99ca9afd
Opcode Fuzzy Hash: 80f7aee92de1e31dca4f16c75dc9a4f5f3520f9015eb7726ec2554a956d9f7b2
Instruction Fuzzy Hash: 7DF2C6386105218FCB00EF69D8D9F9973F5BF89304F1541B6E9049B36ADB78AC46CB4A

Function 0047A964 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 149
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,13I,?,00000000,00000000,?,?,0047BCC8,?,?,00000000), ref: 0047A9C4
FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,00000000,?,00000000,13I,?,00000000,00000000,?,?,0047BCC8,?), ref: 0047AA0D
FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,00000000,?,00000000,13I,?,00000000,00000000,?,?,0047BCC8), ref: 0047AA1A
FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,13I,?,00000000,00000000,?,?,0047BCC8,?), ref: 0047AA66
FindNextFileA.KERNEL32(000000FF,?,00000000,0047AB33,?,00000000,?,00000000,?,?,00000000,?,00000000,13I,?,00000000), ref: 0047AB0F
FindClose.KERNEL32(000000FF,0047AB3A,0047AB33,?,00000000,?,00000000,?,?,00000000,?,00000000,13I,?,00000000,00000000), ref: 0047AB2D

Strings

13I, xrefs: 0047A98E

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: 13I
API String ID: 3541575487-562285233
Opcode ID: 14a22c9b19f9f593fc8f290ef9588bdea0a1845b81f46d5d148d05f04d7c5859
Instruction ID: 4e67e333ed9d0cc1fab42887fed5e7c2c21fb1f12194a2671a08295e0f582913
Opcode Fuzzy Hash: 14a22c9b19f9f593fc8f290ef9588bdea0a1845b81f46d5d148d05f04d7c5859
Instruction Fuzzy Hash: C7517E71900648AFCB11EFA6CC45ADEB7BCEB88315F1084BAA508E7341D6389F95CF19

Function 00470C84 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00470DEE,?,?,00000001,00497154), ref: 00470CDD
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00470DEE,?,?,00000001,00497154), ref: 00470DBA
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00470DEE,?,?,00000001,00497154), ref: 00470DC8

Strings

unins???.*, xrefs: 00470CC7
unins, xrefs: 00470D30

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: b8508960964e18f228b5b6a455ee562c9244d5bac447fc9a6e43c63091bc2de7
Instruction ID: efef7a00cc11a416bc55dd6669f4c7d8ef89bbc17b889cc882c0d169e59b9d03
Opcode Fuzzy Hash: b8508960964e18f228b5b6a455ee562c9244d5bac447fc9a6e43c63091bc2de7
Instruction Fuzzy Hash: A63113756012489FCB50EB65C981BDE77B9AF44304F5084B6A448AB3A2D738AF818B58

Function 00447F60 Relevance: 4.7, APIs: 3, Instructions: 151libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,0044813D), ref: 00448080
GetProcAddress.KERNEL32(00000000,00000000), ref: 00448101

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d9787b66ae215e656ee415771d480fc3d32ddb8ef1add214a3308f413d75a1a6
Instruction ID: 5c6eebc632780948e30306f747c70913dfebb380d33768fd88d962b889412947
Opcode Fuzzy Hash: d9787b66ae215e656ee415771d480fc3d32ddb8ef1add214a3308f413d75a1a6
Instruction Fuzzy Hash: CD515170A00105AFDB00EFA5C481AAFB7F9EB54315F10817FE814BB392DB389E458B99

Function 00451668 Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004516CB,?,?,-00000001,00000000), ref: 004516A5
GetLastError.KERNEL32(00000000,?,00000000,004516CB,?,?,-00000001,00000000), ref: 004516AD

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 2ccb38690e6aaf115f3138c94c71e4fbb344a9e4605e64161c765321e8b078e6
Instruction ID: 1035efb27f9b4b466a521b4d59d966f000d53702a43f221aaee312fb08fd4d5a
Opcode Fuzzy Hash: 2ccb38690e6aaf115f3138c94c71e4fbb344a9e4605e64161c765321e8b078e6
Instruction Fuzzy Hash: 9EF04931A00304BB8B10EB769C5159EB7ECDB4532571046BBFC14D32A2DA784D048458

Function 004084D0 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004964C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: db4c94cdf382ee3399fd393310c0d3b07f3e4771964ce669c16d021a31866df8
Instruction ID: 1ce02aaae6ec4ade8b295bae84213e8e13784b7c216e354617812bc232f4da8b
Opcode Fuzzy Hash: db4c94cdf382ee3399fd393310c0d3b07f3e4771964ce669c16d021a31866df8
Instruction Fuzzy Hash: 59E0D87170021467D711E95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE4046ED

Function 00423AF4 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,004240C1,?,00000000,004240CC), ref: 00423B1E

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: f78a68ed826797f4bf69a42243cc74bd686c7ff48922d06499da9bfac42a5011
Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
Opcode Fuzzy Hash: f78a68ed826797f4bf69a42243cc74bd686c7ff48922d06499da9bfac42a5011
Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94

Function 00453F88 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 00453F9E

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: e5c4147ce8d30c90c427c53b97d0de2aa7d796d22412cffb07543fa3924af9c1
Instruction ID: 1680b636b72d7d7da35d26ad3489112d7b5719c0f4c6eb10b1da13dd6a5c5f2b
Opcode Fuzzy Hash: e5c4147ce8d30c90c427c53b97d0de2aa7d796d22412cffb07543fa3924af9c1
Instruction Fuzzy Hash: CAD0C2B260420053C300AEA9AC82697769C8B84316F10483F7C85CA3C3E67CDB4C569A

Function 0042EEF4 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042EF10

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 526567439b164cf8a1cedbeebbc24c6bfdc41ebf56c0565ee429dfc079ee367e
Instruction ID: 914d3360e1f6a3e7d3a1e305f80b88d129d6a01b97e8a9d2bd08e0dbdb8f1123
Opcode Fuzzy Hash: 526567439b164cf8a1cedbeebbc24c6bfdc41ebf56c0565ee429dfc079ee367e
Instruction Fuzzy Hash: 16D0A77120010C7FCB00DE99D940C6F33AC9B88700BA0C805F508C7205C734EC1087B4

Function 0046AF80 Relevance: 68.7, APIs: 1, Strings: 38, Instructions: 412
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0046AD6C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,00497154,?,0046B06F,?,00000000,0046B4F7,?,_is1), ref: 0046AD8F

RegCloseKey.ADVAPI32(?,0046B4FE,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046B549,?,?,00000001,00497154), ref: 0046B4F1

Strings

InstallLocation, xrefs: 0046B0B2
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046AFC2
Inno Setup: Deselected Components, xrefs: 0046B15B
Inno Setup: User Info: Serial, xrefs: 0046B1E4
Inno Setup: Icon Group, xrefs: 0046B0C1
DisplayVersion, xrefs: 0046B2E1
Inno Setup: No Icons, xrefs: 0046B0DF
Inno Setup: Setup Version, xrefs: 0046B05D
" /SILENT, xrefs: 0046B2B7
ModifyPath, xrefs: 0046B3E9
Contact, xrefs: 0046B3AC
Inno Setup: User, xrefs: 0046B0FE
Inno Setup: Deselected Tasks, xrefs: 0046B1A2
Publisher, xrefs: 0046B2FE
NoRepair, xrefs: 0046B411
_is1, xrefs: 0046AFC8
Inno Setup: User Info: Organization, xrefs: 0046B1CF
Inno Setup: Setup Type, xrefs: 0046B11D
QuietUninstallString, xrefs: 0046B2C4
UninstallString, xrefs: 0046B28A
Readme, xrefs: 0046B38F
RegisterPreviousData, xrefs: 0046B4A7
HelpLink, xrefs: 0046B355
MajorVersion, xrefs: 0046B45C
5.3.5 (a), xrefs: 0046B062
Inno Setup: User Info: Name, xrefs: 0046B1BA
MinorVersion, xrefs: 0046B46E
DisplayIcon, xrefs: 0046B250
HelpTelephone, xrefs: 0046B338
URLUpdateInfo, xrefs: 0046B372
Comments, xrefs: 0046B3C9
InstallDate, xrefs: 0046B430
DisplayName, xrefs: 0046B233
URLInfoAbout, xrefs: 0046B31B
Inno Setup: Selected Components, xrefs: 0046B13C
Inno Setup: App Path, xrefs: 0046B092
Inno Setup: Selected Tasks, xrefs: 0046B183
NoModify, xrefs: 0046B3FD

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseValue
String ID: " /SILENT$5.3.5 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3132538880-4162757603
Opcode ID: 74ada5f7f4b3b84f6d30dbb7f605c502c19f4e02ec6191c5605d87bebef11242
Instruction ID: 6b8bd6052d7011f0313b6456d796e8b41d00091cb6ba677f30044cb60bcfab9c
Opcode Fuzzy Hash: 74ada5f7f4b3b84f6d30dbb7f605c502c19f4e02ec6191c5605d87bebef11242
Instruction Fuzzy Hash: DBF14374A001099BCB14EB55D8819AEB7B9EB44304F60C07BEC11AB7A5EB7CBD41CB5E

Function 0048CEA0 Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000000,0048D395,?,?,?,?,00000000,00000000,00000000), ref: 0048CEE0
FindWindowA.USER32(00000000,00000000), ref: 0048CF11

Strings

FINDWINDOWBYWINDOWNAME, xrefs: 0048CF29
CALLDLLPROC, xrefs: 0048D205
CREATEMUTEX, xrefs: 0048D2C1
LOADDLL, xrefs: 0048D1A3
SENDBROADCASTMESSAGE, xrefs: 0048D0AD
SLEEP, xrefs: 0048CECA
POSTMESSAGE, xrefs: 0048CFBB
POSTBROADCASTMESSAGE, xrefs: 0048D0FB
OEMTOCHARBUFF, xrefs: 0048D2F3
SENDNOTIFYMESSAGE, xrefs: 0048D017
CHARTOOEMBUFF, xrefs: 0048D336
FINDWINDOWBYCLASSNAME, xrefs: 0048CEED
FREEDLL, xrefs: 0048D28C
REGISTERWINDOWMESSAGE, xrefs: 0048D073
SENDMESSAGE, xrefs: 0048CF65
SENDBROADCASTNOTIFYMESSAGE, xrefs: 0048D14F

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: fab8a4fe477002bc53f13639ab52b518f0439af39f0fe01b7890694e2865f2f1
Instruction ID: b0d844213b24b695988cfb35ecebf8c704e926cd3cc1ee44f2907765548c277e
Opcode Fuzzy Hash: fab8a4fe477002bc53f13639ab52b518f0439af39f0fe01b7890694e2865f2f1
Instruction Fuzzy Hash: 36C161A0B0461067D714BE3E9C4261E569A9F89704B11D93FB406EB7CACE7DDC06439E

Function 0047E1E8 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0047E1F9
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0047E206
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047E214
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0047E21C
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0047E228
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0047E249
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 0047E25C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0047E262
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047E279

Strings

RegDeleteKeyExA, xrefs: 0047E252
GetNativeSystemInfo, xrefs: 0047E200
GetSystemWow64DirectoryA, xrefs: 0047E243
IsWow64Process, xrefs: 0047E216
kernel32.dll, xrefs: 0047E1F4
advapi32.dll, xrefs: 0047E257

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: 4e477b3967b851c9eac5dc78f32453af4a94d1867c0ed92fe90c0839294704c9
Instruction ID: 2d47f8cf15d4e27fa0f1176fe36efced94cd1240a4270aaae3bb705869ea135a
Opcode Fuzzy Hash: 4e477b3967b851c9eac5dc78f32453af4a94d1867c0ed92fe90c0839294704c9
Instruction Fuzzy Hash: 6E11B155104741A4DA1073B79D45FEB164C8B09718F188BFB6C8CA62D3D67CC84996BF

Function 00465560 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegCloseKey.ADVAPI32(?,0046577A,?,?,00000001,00000000,00000000,00465795,?,00000000,00000000,?), ref: 00465763

Strings

Inno Setup: Deselected Components, xrefs: 004656A4
Inno Setup: User Info: Name, xrefs: 0046571F
Inno Setup: No Icons, xrefs: 0046564B
Inno Setup: Setup Type, xrefs: 00465672
Inno Setup: User Info: Serial, xrefs: 00465745
Inno Setup: User Info: Organization, xrefs: 00465732
Inno Setup: App Path, xrefs: 00465622
Inno Setup: Selected Components, xrefs: 00465682
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 004655BF
Inno Setup: Icon Group, xrefs: 0046563E
Inno Setup: Selected Tasks, xrefs: 004656CF
Inno Setup: Deselected Tasks, xrefs: 004656F1
%s\%s_is1, xrefs: 004655DD

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: 94c9d62fb1d7e435db0e42792cab2a1aa0121b794f6c09036552146ff74fe873
Instruction ID: 8cdb4376706b2a9b24b9b35df1ecfc56159c4b319484bfede528e66c14f5fdf6
Opcode Fuzzy Hash: 94c9d62fb1d7e435db0e42792cab2a1aa0121b794f6c09036552146ff74fe873
Instruction Fuzzy Hash: 4951B630A00B04DBCB11EB65D951BDEBBF5EF84304F5084BAE845A7391E738AE05CB59

Function 004237E4 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F334: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED14,?,004237FF,00423B7C,0041ED14), ref: 0041F352

GetClassInfoA.USER32(00400000,004235EC), ref: 0042380F
RegisterClassA.USER32(00494630), ref: 00423827
GetSystemMetrics.USER32(00000000), ref: 00423849
GetSystemMetrics.USER32(00000001), ref: 00423858
SetWindowLongA.USER32(004105C0,000000FC,004235FC), ref: 004238B4
SendMessageA.USER32(004105C0,00000080,00000001,00000000), ref: 004238D5
GetSystemMenu.USER32(004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C,0041ED14), ref: 004238E0
DeleteMenu.USER32(00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C,0041ED14), ref: 004238EF
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 004238FC
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 00423912

Strings

5B, xrefs: 00423803, 00423884

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID: 5B
API String ID: 183575631-3738334870
Opcode ID: e5b5147e0e34996107640ab488c5a955b3283bc40e3e9afea641ea9dff5fb6f0
Instruction ID: 4eea79998965153292ad411f177aff7c9d901da1d54039d3c3496ec011b6d66c
Opcode Fuzzy Hash: e5b5147e0e34996107640ab488c5a955b3283bc40e3e9afea641ea9dff5fb6f0
Instruction Fuzzy Hash: C53161B17402106AEB10AF65EC82F6A36989715709F11017BBA41AF2D7C67DED04876C

Function 00477ECC Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(6E7B0000,SHGetFolderPathA), ref: 00477FCE

Strings

Failed to load DLL "%s", xrefs: 00477FB1
] I, xrefs: 00477F15, 00477F5A, 00477F42, 00477F4A
SHFOLDERDLL, xrefs: 00477F0B
_isetup\_shfoldr.dll, xrefs: 00477EFE
shfolder.dll, xrefs: 00477F31, 00477F6A
SHGetFolderPathA, xrefs: 00477FC3
Failed to get version numbers of _shfoldr.dll, xrefs: 00477F24
shell32.dll, xrefs: 00477F79
Failed to get address of SHGetFolderPath function, xrefs: 00477FDF

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$] I$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 190572456-953201679
Opcode ID: 39e346f91b0b191ca7c9d4b76c1215527ff936a439ab04cc6e1b4ee361ca35d9
Instruction ID: be8cea5b208f70f3497dc675e9b67cc11d28b3b7ca4846f22d5268085fe32373
Opcode Fuzzy Hash: 39e346f91b0b191ca7c9d4b76c1215527ff936a439ab04cc6e1b4ee361ca35d9
Instruction Fuzzy Hash: D5312530A04249DBCB00EB95D9859DEB7B4EB54308F51C87BE508E7351DB789E08CBAD

Function 00477BA0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00477D13,?,?,00000000,00496628,00000000,00000000,?,00492BF5,00000000,00492D9E,?,00000000), ref: 00477C33
GetLastError.KERNEL32(00000000,00000000,00000000,00477D13,?,?,00000000,00496628,00000000,00000000,?,00492BF5,00000000,00492D9E,?,00000000), ref: 00477C3C

Strings

REGDLL_EXE, xrefs: 00477CB0
e1I, xrefs: 00477CF8, 00477C6A, 00477C74
\_RegDLL.tmp, xrefs: 00477CA0
o1I, xrefs: 00477C47, 00477C54
\_setup64.tmp, xrefs: 00477CCB
Created temporary directory: , xrefs: 00477BD5
_isetup, xrefs: 00477C1E

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup$e1I$o1I
API String ID: 1375471231-477672290
Opcode ID: 4c75ab1de06e94221e890cf111cb2a76886db217d149b9edc6180f5924f9a91e
Instruction ID: 656792ce42a3b8ee986284f240f9f7d4df8ffa0b35947b5a09b08d7327d2a589
Opcode Fuzzy Hash: 4c75ab1de06e94221e890cf111cb2a76886db217d149b9edc6180f5924f9a91e
Instruction Fuzzy Hash: 89412674A042099FCB11EF95D882ADEB7B5EF48309F50857BE81477392D738AE05CB58

Function 0042EF34 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 90
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 0042EF63
GetFocus.USER32 ref: 0042EF6B
RegisterClassA.USER32(004947AC), ref: 0042EF8C
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F060,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042EFCA
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F010
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F021
SetFocus.USER32(00000000,00000000,0042F043,?,?,?,00000001,00000000,?,00456ACA,00000000,00496628), ref: 0042F028

Strings

TWindowDisabler-Window, xrefs: 0042EFC3, 0042F009
(fI, xrefs: 0042F03A, 0042EFF3, 0042F000

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: (fI$TWindowDisabler-Window
API String ID: 3167913817-2792019125
Opcode ID: 8c16546f9a585749c763ac640097901552d234e7c9639c2d0d67cc4ae301c64c
Instruction ID: 77e24118650528b8c543fe6d0d23e90f8f7024fb04e3d66e63b834f41b798fd0
Opcode Fuzzy Hash: 8c16546f9a585749c763ac640097901552d234e7c9639c2d0d67cc4ae301c64c
Instruction Fuzzy Hash: 35219571740710BAE220EF62DD02F1A76A4EB05B04FA2453BF604BB2D2D7BC6D54C6AD

Function 00451DF8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451E91,?,?,?,?,00000000,?,00493224), ref: 00451E18
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451E1E
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451E91,?,?,?,?,00000000,?,00493224), ref: 00451E32
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451E38

Strings

kernel32.dll, xrefs: 00451E13, 00451E2D
Wow64RevertWow64FsRedirection, xrefs: 00451E28
Wow64DisableWow64FsRedirection, xrefs: 00451E0E
shell32.dll, xrefs: 00451E64

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: dad4633167d2715cc0ebda844063a592ad4074400e663550045590e6248a3f3e
Instruction ID: bff3e1d123b44789eb661b74cfa9bb81be17ee1d1842bcd010c9e5766072ccdb
Opcode Fuzzy Hash: dad4633167d2715cc0ebda844063a592ad4074400e663550045590e6248a3f3e
Instruction Fuzzy Hash: E4018470200744AED701AB62AC03B6B3A98D754B5AF91447BFC04A61A3D7BC5D089E2D

Function 0046E048 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 263
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0046E219,?,00000000,?,00000001,00000000,0046E3E7,?,00000000,?,00000000,?,0046E5A2), ref: 0046E1F5
FindClose.KERNEL32(000000FF,0046E220,0046E219,?,00000000,?,00000001,00000000,0046E3E7,?,00000000,?,00000000,?,0046E5A2,?), ref: 0046E213
FindNextFileA.KERNEL32(000000FF,?,00000000,0046E33B,?,00000000,?,00000001,00000000,0046E3E7,?,00000000,?,00000000,?,0046E5A2), ref: 0046E317
FindClose.KERNEL32(000000FF,0046E342,0046E33B,?,00000000,?,00000001,00000000,0046E3E7,?,00000000,?,00000000,?,0046E5A2,?), ref: 0046E335

Strings

sF, xrefs: 0046E29F, 0046E2A2
IF, xrefs: 0046E3D9, 0046E357, 0046E381, 0046E38F, 0046E3A7, 0046E36E, 0046E121, 0046E1C4, 0046E15C, 0046E173, 0046E181, 0046E138, 0046E141, 0046E1C7
sF, xrefs: 0046E08E, 0046E0A5

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Find$CloseFileNext
String ID: IF$sF$sF
API String ID: 2066263336-2713198477
Opcode ID: 6a7a0da7ad197dfdba6f926028919c8a572ec1f5835758eec4f6d61e2094463d
Instruction ID: 1230aeaf309185c7ec03d96dbdc6ad6414d2784c2265a1c5d62d22ef3a6f047c
Opcode Fuzzy Hash: 6a7a0da7ad197dfdba6f926028919c8a572ec1f5835758eec4f6d61e2094463d
Instruction Fuzzy Hash: 51B13D3490425D9FCF11DFA6C881ADEBBF9BF49304F5081AAE808A7391D7389A46CF55

Function 00430314 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23registryclipboardthreadCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 0043031C
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0043032B
GetCurrentThreadId.KERNEL32 ref: 00430345
GlobalAddAtomA.KERNEL32(00000000), ref: 00430366

Strings

commdlg_help, xrefs: 00430317
commdlg_FindReplace, xrefs: 00430326
WndProcPtr%.8X%.8X, xrefs: 00430357

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: d957c5322606f91c3a63daffd078634db936568746c689a8806e8aa63a5fc16b
Instruction ID: 0713c644b5c0c2c8d9555e19a872e1a2a1cf9f6f22ed51b2a28eccd68185566a
Opcode Fuzzy Hash: d957c5322606f91c3a63daffd078634db936568746c689a8806e8aa63a5fc16b
Instruction Fuzzy Hash: 9CF082704483808BD700EB75C842B197AE0EB98708F01467FB898A62E1D77A8500CB5F

Function 00453A04 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00453C20,00453C20,00000031,00453C20,00000000), ref: 00453BAC
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,00453C20,00453C20,00000031,00453C20), ref: 00453BB9

Part of subcall function 00453970: WaitForInputIdle.USER32(00000001,00000032), ref: 0045399C
Part of subcall function 00453970: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004539BE
Part of subcall function 00453970: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 004539CD
Part of subcall function 00453970: CloseHandle.KERNEL32(00000001,004539FA,004539F3,?,00000031,00000080,00000000,?,?,00453D4B,00000080,0000003C,00000000,00453D61), ref: 004539ED

Strings

cmd.exe" /C ", xrefs: 00453AE1
.bat, xrefs: 00453A94
D, xrefs: 00453B4C
.cmd, xrefs: 00453AAF
COMMAND.COM" /C , xrefs: 00453B18

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 969602a1eac1dd91b4af2a32f62313c77e3a40ceb3341a8b7a3818eab434afd5
Instruction ID: 0d4c244814a61e6a9f40f8d6579175ec88b371b5f0bc4768c512e06936e56e52
Opcode Fuzzy Hash: 969602a1eac1dd91b4af2a32f62313c77e3a40ceb3341a8b7a3818eab434afd5
Instruction Fuzzy Hash: 0D51767460035DABCB01EFA5C842B9EBBB9AF44346F50443BB844B7283D7789F098B58

Function 004235FC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0042368C
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 004236B9
OemToCharA.USER32(?,?), ref: 004236CC
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 0042370C

Strings

MAINICON, xrefs: 00423681
2, xrefs: 0042365A

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: b8e4f3de8f6e7962c855b1bbff0a6ea575b20ad32e9f870a500b7efad52da8d9
Instruction ID: d7f5d394b2ec06d520cb0a4b60bf3498b9d8aa77ab50e693133e7ce4a757069a
Opcode Fuzzy Hash: b8e4f3de8f6e7962c855b1bbff0a6ea575b20ad32e9f870a500b7efad52da8d9
Instruction Fuzzy Hash: DC31A2B0A042559ADF10EF29D8C57C67BE8AF14308F4441BAE844DB393D7BED988CB65

Function 00418EA8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418EAD
GlobalAddAtomA.KERNEL32(00000000), ref: 00418ECE
GetCurrentThreadId.KERNEL32 ref: 00418EE9
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F0A

Part of subcall function 00423038: 73E9A570.USER32(00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 0042308E
Part of subcall function 00423038: EnumFontsA.GDI32(00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 004230A1
Part of subcall function 00423038: 73EA4620.GDI32(00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230A9
Part of subcall function 00423038: 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230B4

Part of subcall function 004235FC: LoadIconA.USER32(00400000,MAINICON), ref: 0042368C
Part of subcall function 004235FC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 004236B9
Part of subcall function 004235FC: OemToCharA.USER32(?,?), ref: 004236CC
Part of subcall function 004235FC: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 0042370C

Part of subcall function 0041F088: GetVersion.KERNEL32(?,00418F60,00000000,?,?,?,00000001), ref: 0041F096
Part of subcall function 0041F088: SetErrorMode.KERNEL32(00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0B2
Part of subcall function 0041F088: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0BE
Part of subcall function 0041F088: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0CC
Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F0FC
Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F125
Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F13A
Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F14F
Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F164
Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F179
Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F18E
Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1A3
Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1B8
Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1CD

Strings

Delphi%.8X, xrefs: 00418EBF
ControlOfs%.8X%.8X, xrefs: 00418EFB

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A4620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 1580766901-2767913252
Opcode ID: 1c5da02b922e4aac06326fd948070b9cb60db65944391413fb0283cc291dbe50
Instruction ID: b4a2cca2d4326696562d23f03e9beb5cdbbc64ba536a620a3ee3ba5bc66bdef7
Opcode Fuzzy Hash: 1c5da02b922e4aac06326fd948070b9cb60db65944391413fb0283cc291dbe50
Instruction Fuzzy Hash: 9A1160B06142409AC700FF2A984274A7AE0EB64309F41843FF448DB2A1DB3D9945CB5E

Function 004135AC Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 004135D4
GetWindowLongA.USER32(?,000000F0), ref: 004135DF
GetWindowLongA.USER32(?,000000F4), ref: 004135F1
SetWindowLongA.USER32(?,000000F4,?), ref: 00413604
SetPropA.USER32(?,00000000,00000000), ref: 0041361B
SetPropA.USER32(?,00000000,00000000), ref: 00413632

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 86a15e674b3ea48860a72e4751bd866d9c55aec508b8b4782c27e449c12c4e66
Instruction ID: 44bb5ba5a57c54889193f85f1a8a28b74f903b4ef320443ee5f093ebf11223bc
Opcode Fuzzy Hash: 86a15e674b3ea48860a72e4751bd866d9c55aec508b8b4782c27e449c12c4e66
Instruction Fuzzy Hash: B611C975500244BFDB00DF99DC85E9A3BE8BB19364F114266B928DB2A1D738D9908B68

Function 004540C4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045425B,?,00000000,0045429B), ref: 004541A1

Strings

PendingFileRenameOperations, xrefs: 00454140
WININIT.INI, xrefs: 004541D0
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454124
PendingFileRenameOperations2, xrefs: 00454170

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 3b606e1cfbb150bd088f74f1063c905db1383d3fd6ed35e0c09aba21d543f6f9
Instruction ID: 8ceaccac1fe58e6261fec66e20af0929b63452d54162f6f6a325dab65676f0d5
Opcode Fuzzy Hash: 3b606e1cfbb150bd088f74f1063c905db1383d3fd6ed35e0c09aba21d543f6f9
Instruction Fuzzy Hash: 0051BA30E001189FDB10DF62DC519DEB7B9EFC4348F5085B7F814AB292DB78AA85CA58

Function 004639E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115windowCOMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00463A85
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463AAB

Part of subcall function 00463928: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004639C0
Part of subcall function 00463928: DestroyCursor.USER32(00000000), ref: 004639D6

SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00463B07
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463B2D

Strings

c:\directory, xrefs: 00463A80

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Icon$ExtractFileInfo$CursorDestroyDraw
String ID: c:\directory
API String ID: 2926980410-3984940477
Opcode ID: 1a7901e35b7efb8855ed844898b1e62419ded63c9a28a762335ba207438abc47
Instruction ID: 671f662d79a6b5497fd1efd513546b718c4d5ac7f56db0c83477fb4c85f01fd4
Opcode Fuzzy Hash: 1a7901e35b7efb8855ed844898b1e62419ded63c9a28a762335ba207438abc47
Instruction Fuzzy Hash: 5C417F70640288AFD711DF55DC8AFDEBBE8EB48705F1040A6F904DB382D679EE808B59

Function 004537C8 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00453876
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,0045393C), ref: 004538E0

Strings

sfc.dll, xrefs: 00453838
SfcIsFileProtected, xrefs: 00453870
P@l, xrefs: 0045387B, 00453887, 00453902

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: P@l$SfcIsFileProtected$sfc.dll
API String ID: 2508298434-1167317136
Opcode ID: 7bac0491a20355553d1817e9708559ea9c2ee3dc019520cc376e2a618a3a3bbf
Instruction ID: 8896df26e74b4f53e6f77957fc07a02fe6ad1856ac683947f167e21e68caa71d
Opcode Fuzzy Hash: 7bac0491a20355553d1817e9708559ea9c2ee3dc019520cc376e2a618a3a3bbf
Instruction Fuzzy Hash: 9D4167B0A042189FEB10DF55DC85B9D77B8AB04346F5041BBB908A7293D7785F48CE5C

Function 0042DC7C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0042DC88
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DE0B,00000000,0042DE23,?,?,?,?,00000006,?,00000000,00491FBA), ref: 0042DCA3
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DCA9

Strings

advapi32.dll, xrefs: 0042DC9E
RegDeleteKeyExA, xrefs: 0042DC99

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: 1ac9f45d9403d68368f5ea09b308c2771ffc131f1d77a79e4eddddbac772e20e
Instruction ID: 479eeeb2458f1cbf9b477f45b3eef1c6296245770f751ec8fb172f928072974a
Opcode Fuzzy Hash: 1ac9f45d9403d68368f5ea09b308c2771ffc131f1d77a79e4eddddbac772e20e
Instruction Fuzzy Hash: 57E06DF0B45230AAD620676B7D4AFA327299B64725F54403BB105A619182FD4C40DE5C

Function 0047D994 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,0047DCA9,?,?,00000001,?), ref: 0047DAA5
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 0047DB1A

Strings

, xrefs: 0047DBD7
Need to restart Windows? %s, xrefs: 0047DB57

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: 12037f27ca6cd308aea1d326a4c3b70745560e3ec434e9b2862bfd7b37a3da6d
Instruction ID: 90cd12f1ce5866ea51d49213f29bb353ee2a99eceb2f679e27348fc142a0b483
Opcode Fuzzy Hash: 12037f27ca6cd308aea1d326a4c3b70745560e3ec434e9b2862bfd7b37a3da6d
Instruction Fuzzy Hash: FD91B170A142448FCB11EB69D882B9E77F1AF55308F5080BBE8049B366DB78AD09DB5D

Function 0046B8B4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704

GetLastError.KERNEL32(00000000,0046BAB1,?,?,00000001,00497154), ref: 0046B98E
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046BA08
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046BA2D

Strings

Creating directory: %s, xrefs: 0046B976

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: 6e6b56944f7af39c61aec4d517d3385b6d008573cf9049f4c4aabfc7d62e10ff
Instruction ID: 7ea54ca36873d6337a8b148a308a739efa0342075aaa82460d6101fa077cad05
Opcode Fuzzy Hash: 6e6b56944f7af39c61aec4d517d3385b6d008573cf9049f4c4aabfc7d62e10ff
Instruction Fuzzy Hash: 40512F74E00258ABDB01DFE5C482BDEB7F5EF48304F50856AE851A7382D7785E44CB99

Function 0045262C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045271B,?,?,00000000,00496628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452672
GetLastError.KERNEL32(00000000,00000000,?,00000000,0045271B,?,?,00000000,00496628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045267B

Strings

.tmp, xrefs: 0045265B
o1I, xrefs: 00452700, 004526B1, 004526BB

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp$o1I
API String ID: 1375471231-2043145612
Opcode ID: 6263e7da38dc712251df72676f2ee857ab2003e645070e4b394e34e858e0385a
Instruction ID: 89aaa5dd644a1bfb9c6e4ab11305a67587a6d25824e33790291d603b6c08dcc0
Opcode Fuzzy Hash: 6263e7da38dc712251df72676f2ee857ab2003e645070e4b394e34e858e0385a
Instruction Fuzzy Hash: 14216575A002089BDB01EFA1C9929DFB7B8EF58305F50457BEC01B7342DA7CAE058AA5

Function 00451118 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

751C1520.VERSION(00000000,?,?,?,] I), ref: 00451138
751C1500.VERSION(00000000,?,00000000,?,00000000,004511B3,?,00000000,?,?,?,] I), ref: 00451165
751C1540.VERSION(?,004511DC,?,?,00000000,?,00000000,?,00000000,004511B3,?,00000000,?,?,?,] I), ref: 0045117F

Strings

] I, xrefs: 0045111E

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: C1500C1520C1540
String ID: ] I
API String ID: 1315064709-27375975
Opcode ID: ae97c8c8a0c1eba3379072f8b46b7e7df9da348ac85090545a8034cef28368fb
Instruction ID: c2ad28a97d73236a39d00b1522cfa6caf261f6f5eba90309d69346832355d152
Opcode Fuzzy Hash: ae97c8c8a0c1eba3379072f8b46b7e7df9da348ac85090545a8034cef28368fb
Instruction Fuzzy Hash: 5D219235A00508AFDB01DAA98C41EBFB7FCEB49340F5544BAFD00E3392D6799E058769

Function 004543FC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegCloseKey.ADVAPI32(?,00454467,?,00000001,00000000), ref: 0045445A

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454408
PendingFileRenameOperations, xrefs: 0045442C
PendingFileRenameOperations2, xrefs: 0045443B

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 4d74768cc722451e6c2d7b21cab6517138d2d42bcabe4ec3ebcd03ef8cae5871
Instruction ID: f6b2750a9208994f71abef58e55a78fed862e8850860690132b194e4ac46e676
Opcode Fuzzy Hash: 4d74768cc722451e6c2d7b21cab6517138d2d42bcabe4ec3ebcd03ef8cae5871
Instruction Fuzzy Hash: C0F062313442046FDB04D6A6EC12B5B73ADD7C5B19FA0446AFC009A682DA79AD48D51C

Function 004211E4 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 004212D1
SetMenu.USER32(00000000,00000000), ref: 004212EE
SetMenu.USER32(00000000,00000000), ref: 00421323
SetMenu.USER32(00000000,00000000), ref: 0042133F

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 828adb1f4503573b8b19ec7e50c880e5d7ba93b5c851f867c46ca8f401a21855
Instruction ID: 658f50d7c39b10a4f0c402205ec9e9078e39c2738942e4c3e39302bb3a71e335
Opcode Fuzzy Hash: 828adb1f4503573b8b19ec7e50c880e5d7ba93b5c851f867c46ca8f401a21855
Instruction Fuzzy Hash: 7641BE307002645BEB20AA7AA88579B37914F65308F4845BFFC44EF3A7CA7DCC4582AD

Function 00416AB2 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416AF4
SetTextColor.GDI32(?,00000000), ref: 00416B0E
SetBkColor.GDI32(?,00000000), ref: 00416B28
CallWindowProcA.USER32(?,?,?,?,?), ref: 00416B50

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 1d3cbda9518b2ce12e9cd07cc94b211126e19477f7e649d954dcb8d793c07e3f
Instruction ID: c000e8b01db0500dd6874d208778bcf8efa3d9016d5589f965051e8255cd057a
Opcode Fuzzy Hash: 1d3cbda9518b2ce12e9cd07cc94b211126e19477f7e649d954dcb8d793c07e3f
Instruction Fuzzy Hash: 74115EB2604604AFC710EE6ECC84E8777ECEF49710B15886BB55ADB652C638FC418B79

Function 004239F4 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(0042398C), ref: 00423A18
GetWindow.USER32(?,00000003), ref: 00423A2D
GetWindowLongA.USER32(?,000000EC), ref: 00423A3C
SetWindowPos.USER32(00000000,004240CC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042411B,?,?,00423CE3), ref: 00423A72

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: b2f5db6fe163c30d8c8c0473a117728a579ec2d7ead3c741ce22ac317b482cf1
Instruction ID: 335c349655b4e4ce664b27c97d7ab575fba50449cb033fde685ace27ceb71c75
Opcode Fuzzy Hash: b2f5db6fe163c30d8c8c0473a117728a579ec2d7ead3c741ce22ac317b482cf1
Instruction Fuzzy Hash: 91115A70700610ABDB10EF68DC85F5A77E8EB08725F11026AF9A4AB2E2C37CDC40CB58

Function 00423038 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 0042308E
EnumFontsA.GDI32(00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 004230A1
73EA4620.GDI32(00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230A9
73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230B4

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: A4620A480A570EnumFonts
String ID:
API String ID: 178811091-0
Opcode ID: 0130a543140e80f2b9f86b8e83a342749db33d5760528b3305e50fe7c2cc1c24
Instruction ID: 4d68480f6d607538855b0f171b38ffa839f5ce6e0578d669e72114bdc8101102
Opcode Fuzzy Hash: 0130a543140e80f2b9f86b8e83a342749db33d5760528b3305e50fe7c2cc1c24
Instruction Fuzzy Hash: 0601D2616053002AE700BF6A5C82B9B37649F00709F40027BF804AF2C7D6BE9805476E

Function 00453970 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(00000001,00000032), ref: 0045399C
MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004539BE
GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 004539CD
CloseHandle.KERNEL32(00000001,004539FA,004539F3,?,00000031,00000080,00000000,?,?,00453D4B,00000080,0000003C,00000000,00453D61), ref: 004539ED

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: b5c2dbf5272f504e7b06945f00b02d3f578c52004c30b2aed4c8e7ec893f2b0e
Instruction ID: f26be41c5c034272f157e269139ed2410fa661b94adc91c278c581610335523b
Opcode Fuzzy Hash: b5c2dbf5272f504e7b06945f00b02d3f578c52004c30b2aed4c8e7ec893f2b0e
Instruction Fuzzy Hash: 3301F9F06006087EEB219B998C06F6BBB9CDB457A1F600167F904D32C2C5F89E00CA69

Function 00406284 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 00406287
GlobalUnWire.KERNEL32(00000000), ref: 0040628E
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
GlobalFix.KERNEL32(00000000), ref: 00406299

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D

Function 0045A940 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00450088: SetEndOfFile.KERNEL32(?,?,0045AA1E,00000000,0045ABA9,?,00000000,00000002,00000002), ref: 0045008F

FlushFileBuffers.KERNEL32(?), ref: 0045AB75

Strings

EndOffset range exceeded, xrefs: 0045AAA9
NumRecs range exceeded, xrefs: 0045AA72

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 284914d50a052015b7c75a6107dacc898a09a70c67966605e73dc69b2178a5f5
Instruction ID: 49fd1ead36e8c92626c0d22f3e04e342ae71ee3369d077df08b87a69a2b16800
Opcode Fuzzy Hash: 284914d50a052015b7c75a6107dacc898a09a70c67966605e73dc69b2178a5f5
Instruction Fuzzy Hash: 68617334A002588FDB24DF25C881BDAB7B5EF49305F0085EAED889B352D674AEC9CF55

Function 004931D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,004931DE), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,004931DE), ref: 00403356

Part of subcall function 00409AE8: 6F9E1CD0.COMCTL32(004931ED), ref: 00409AE8

Part of subcall function 004108C4: GetCurrentThreadId.KERNEL32 ref: 00410912

Part of subcall function 00418FB0: GetVersion.KERNEL32(00493201), ref: 00418FB0

Part of subcall function 0044F178: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00493215), ref: 0044F1B3
Part of subcall function 0044F178: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F1B9

Part of subcall function 0044F55C: GetVersionExA.KERNEL32(00496780,0049321A), ref: 0044F56B

Part of subcall function 00451DF8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451E91,?,?,?,?,00000000,?,00493224), ref: 00451E18
Part of subcall function 00451DF8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451E1E
Part of subcall function 00451DF8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451E91,?,?,?,?,00000000,?,00493224), ref: 00451E32
Part of subcall function 00451DF8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451E38

Part of subcall function 00460EAC: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00493238), ref: 00460EBB
Part of subcall function 00460EAC: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00460EC1

Part of subcall function 00468C50: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 00468C65

Part of subcall function 00474088: GetModuleHandleA.KERNEL32(kernel32.dll,?,00493242), ref: 0047408E
Part of subcall function 00474088: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047409B
Part of subcall function 00474088: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004740AB

Part of subcall function 00490338: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00490351

SetErrorMode.KERNEL32(00000001,00000000,0049328A), ref: 0049325C

Part of subcall function 00492FE0: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00493266,00000001,00000000,0049328A), ref: 00492FEA
Part of subcall function 00492FE0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00492FF0

Part of subcall function 00424444: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424463

Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C

ShowWindow.USER32(?,00000005,00000000,0049328A), ref: 004932CD

Part of subcall function 0047D0AC: SetActiveWindow.USER32(?), ref: 0047D150

Strings

Setup, xrefs: 004932B3

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThread
String ID: Setup
API String ID: 4266685988-3839654196
Opcode ID: fee832f36ce975679e260f9b0954113cf3741595f260ce40ded7ca7ebb5c54dd
Instruction ID: 779a321fc15f42447a8f0963ad68d9f2a93317841f7d3acf2e890d1de8ee30c9
Opcode Fuzzy Hash: fee832f36ce975679e260f9b0954113cf3741595f260ce40ded7ca7ebb5c54dd
Instruction Fuzzy Hash: 0531A3312146409FDB11BBB7AC1351D3BA4EB8A71DBA2447FF804C2653CE3D5C548A6E

Function 004513F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,dE,00000000,004564D0,?,?,?,00000000,0045146A,?,?,?,00000001), ref: 00451444
GetLastError.KERNEL32(00000000,00000000,?,?,dE,00000000,004564D0,?,?,?,00000000,0045146A,?,?,?,00000001), ref: 0045144C

Strings

dE, xrefs: 00451436, 00451439

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: dE
API String ID: 2919029540-3809906464
Opcode ID: 593608dd5432025e5c10579cc54da45850a235723a39842afc18d8064d6d1a21
Instruction ID: 6a74b67a3bdf66ca54efcfc0657381ecd904da166113fafb2436bbcb0ae12e28
Opcode Fuzzy Hash: 593608dd5432025e5c10579cc54da45850a235723a39842afc18d8064d6d1a21
Instruction Fuzzy Hash: E1117972600208AF8B00DEA9DC41EDFB7ECEB4D310B114566FD18D3212D638AD15CBA4

Function 004776B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,00477936,00000000,0047794C,?,?,?,?,00000000), ref: 00477712

Strings

RegisteredOrganization, xrefs: 00477701
RegisteredOwner, xrefs: 004776EF

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: 5da0313d24de2a72906f0e02df73607d497778b3bd604c1f31dadd7d7b78e1f2
Instruction ID: 44da9ba76ca96eafcd406259b3cb4b8fe95da4c4325a64976e48815ca65e7baf
Opcode Fuzzy Hash: 5da0313d24de2a72906f0e02df73607d497778b3bd604c1f31dadd7d7b78e1f2
Instruction Fuzzy Hash: 94F0593470C244AFDB04D6A5EC52BAB3B9AD740308FA4807BA544CB391C67CBD05D74C

Function 004231AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 004231B9
LoadCursorA.USER32(00000000,00000000), ref: 004231E3

Strings

EI, xrefs: 004231C6

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CursorLoad
String ID: EI
API String ID: 3238433803-1715459816
Opcode ID: cf7d116e50ce189f5790faa080c989bb411d79830bfeb1cde74da96b9f6355ff
Instruction ID: e763212e35d88e91f52bf3e5ce882ef76e84b1945e438db40d164ba05c470673
Opcode Fuzzy Hash: cf7d116e50ce189f5790faa080c989bb411d79830bfeb1cde74da96b9f6355ff
Instruction Fuzzy Hash: 1DF0A7117001145BD620593E6CC1D3A72688F87736B61033BFE2AD72D1C62E2D51426D

Function 00470F48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047117F), ref: 00470F6D
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047117F), ref: 00470F84

Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7

Strings

CreateFile, xrefs: 00470F79

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 8e17254768e76acdbc2e0aeec1a0314679b2821655cd6b60debc059c7f00f31f
Instruction ID: 4dce3a0fb710f8058c99a71000b1262451dde5c1e1bb000cefd451e94b844243
Opcode Fuzzy Hash: 8e17254768e76acdbc2e0aeec1a0314679b2821655cd6b60debc059c7f00f31f
Instruction Fuzzy Hash: C4E06D74341304BFEA20E669DCC6F4977889B04728F108152FA48AF3E2C6F9EC408658

Function 0046ADDC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,TqI,00000004,00000001,?,0046B40F,?,?,00000000,0046B4F7,?,_is1,?), ref: 0046ADEF

Strings

TqI, xrefs: 0046ADE5, 0046ADE8
NoModify, xrefs: 0046ADED

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Value
String ID: NoModify$TqI
API String ID: 3702945584-2484388882
Opcode ID: f5a2910f86b5d4890aa6fcbcf0034d47aef96215c39c1bb137200c97013dc63d
Instruction ID: 388a847686ab158aae351853834ee3a19678c554c0d9cb8fd514d48c61279f2c
Opcode Fuzzy Hash: f5a2910f86b5d4890aa6fcbcf0034d47aef96215c39c1bb137200c97013dc63d
Instruction Fuzzy Hash: F4E04FB0640704BFEB04DB55CD4AF6B77ACDB48714F104059BA08EB281E674FE10CA69

Function 0042DC54 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

Strings

OG, xrefs: 0042DC6A, 0042DC6D
System\CurrentControlSet\Control\Windows, xrefs: 0042DC6E

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Open
String ID: OG$System\CurrentControlSet\Control\Windows
API String ID: 71445658-2870956291
Opcode ID: cac79e148e5d1637301d0cd401e0a8768c8b40d51dfb76d9d00be79e5a4099f3
Instruction ID: fabb803f5ff523eeab3b7a035bb747b9213277980d9d81731b2bf545c5070290
Opcode Fuzzy Hash: cac79e148e5d1637301d0cd401e0a8768c8b40d51dfb76d9d00be79e5a4099f3
Instruction Fuzzy Hash: EDD0C772910128BBDB10DA89DC41DF7775DDB59760F54401AFD0497141C1B4EC5197F4

Function 00468C50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E1F0: SetErrorMode.KERNEL32(00008000), ref: 0042E1FA
Part of subcall function 0042E1F0: LoadLibraryA.KERNEL32(00000000,00000000,0042E244,?,00000000,0042E262,?,00008000), ref: 0042E229

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 00468C65

Strings

SHPathPrepareForWriteA, xrefs: 00468C50
shell32.dll, xrefs: 00468C5A

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressErrorLibraryLoadModeProc
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2492108670-2683653824
Opcode ID: 2242cd585e3a95cf47e04d02ab2c9cb54a1972a887a648b3717fd23610ab8d3e
Instruction ID: f54d236eaa647a004fc156d77ac0774b12b8f86e94465ae50302f3b70839ea38
Opcode Fuzzy Hash: 2242cd585e3a95cf47e04d02ab2c9cb54a1972a887a648b3717fd23610ab8d3e
Instruction Fuzzy Hash: FDB092A064271082CE006BB2584271B22149750744B10C57FB040AA295EE7D88044FBE

Function 0047C760 Relevance: 4.6, APIs: 3, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,0047C898), ref: 0047C830
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0047C841
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0047C859

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: 103ad35a9952b07d56bdb3bad9c34a645578be9cba599f62803875c0b4fd2168
Instruction ID: 938ecdfec97688d9e91313a56ab48558b9b04f1f4dc78c4c1ee95835cae09dfe
Opcode Fuzzy Hash: 103ad35a9952b07d56bdb3bad9c34a645578be9cba599f62803875c0b4fd2168
Instruction Fuzzy Hash: BA31CF307143455AD710FB768CC2B9A3A989B51318F55947FF904AA2D3CA7C9C09C66E

Function 0044ADC0 Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,00000000,00000000,0044AEC1,?,0047D0C7,?,?), ref: 0044AE35
SelectObject.GDI32(?,00000000), ref: 0044AE58
73E9A480.USER32(00000000,?,0044AE98,00000000,0044AE91,?,00000000,?,00000000,00000000,0044AEC1,?,0047D0C7,?,?), ref: 0044AE8B

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: A480A570ObjectSelect
String ID:
API String ID: 1230475511-0
Opcode ID: 91444e5bf131007ac93604d47e6fc7e18e34c23fefa9c833d2c38518ec62aedf
Instruction ID: 233d7bfbdcc25e67ff0a572e229f91d747dfb26028a93c536af8bc2826ebb7c8
Opcode Fuzzy Hash: 91444e5bf131007ac93604d47e6fc7e18e34c23fefa9c833d2c38518ec62aedf
Instruction Fuzzy Hash: D721B570E84208AFEB01DFA5C841B9F7BB9DB48304F51847AF504A6281C77C9950CB19

Function 0044AAF4 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044AB80,?,0047D0C7,?,?), ref: 0044AB52
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044AB65
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044AB99

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID:
API String ID: 65125430-0
Opcode ID: 145cb60817e1461b02aba970f6a399deb92e78d362c3eca44f3c4fb02434d21d
Instruction ID: de988064b5c118741e346c03ff1e8b17db840b4da88b1af59de34c2d8924ec6d
Opcode Fuzzy Hash: 145cb60817e1461b02aba970f6a399deb92e78d362c3eca44f3c4fb02434d21d
Instruction Fuzzy Hash: D811E6B27446447FE711DAAA8C81D6FB7EDDB88724F10413AF604E7280C6389E018669

Function 0042436C Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424382
TranslateMessage.USER32(?), ref: 004243FF
DispatchMessageA.USER32(?), ref: 00424409

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 4c72fe453077d3d5441811771d3c73f57da1beb0f02e586e781598996b195a0c
Instruction ID: aef1b0206ccdbb2aa8587e86ea6dacd49c82d9c27d6d10fa8c02d352bba97142
Opcode Fuzzy Hash: 4c72fe453077d3d5441811771d3c73f57da1beb0f02e586e781598996b195a0c
Instruction Fuzzy Hash: 6F11543030432056DA20E665A94179B73D4DFC1B44F80886EF9DD97382D77D9D4987AA

Function 004165B4 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32(00000000,00000000), ref: 004165DA
SetPropA.USER32(00000000,00000000), ref: 004165EF
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416616

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: 1283a2ba918a1a05b7609b6f7b848b7b983b1697ade3d6b61c1960e914505d94
Instruction ID: 49560f5f00ee2c9135054c0b38937f4b9f373f0e35015079742173c5fde362c9
Opcode Fuzzy Hash: 1283a2ba918a1a05b7609b6f7b848b7b983b1697ade3d6b61c1960e914505d94
Instruction Fuzzy Hash: C3F0BD71701220BBEB10AB599C85FA632DCAB09715F16057ABE09EF286C778DC44C7A8

Function 004014E4 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Strings

1[, xrefs: 00401522

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: 1[
API String ID: 2087232378-3738508114
Opcode ID: ac11951010fca1e09d027c43c8ed5b4b578696c80165eb8de0d03b95ec4bb515
Instruction ID: 1d7fc67d8943aca9bd8b7424c3d760102f2274f63a1bf98f742a2cdc6a51162d
Opcode Fuzzy Hash: ac11951010fca1e09d027c43c8ed5b4b578696c80165eb8de0d03b95ec4bb515
Instruction Fuzzy Hash: 28F0A772B0073067EB605A6A4C81F5359C49FC5B94F154076FD0DFF3E9D6B58C0142A9

Function 0041EDC4 Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0041EDD4
IsWindowEnabled.USER32(?), ref: 0041EDDE
EnableWindow.USER32(?,00000000), ref: 0041EE04

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: f1041f771c00274fafaec7c92c8c7bfa6f382932e423aeab5ff933265dcc9458
Instruction ID: feef2f1e36016e7b5cf4fb144cadbc7ab6d373431457e94ba2eb74728d462d7d
Opcode Fuzzy Hash: f1041f771c00274fafaec7c92c8c7bfa6f382932e423aeab5ff933265dcc9458
Instruction Fuzzy Hash: B9E0E5B41003006BD711AF67DC85E57769CBB94314F568437AD0597793EA3ED8418AB8

Function 00408544 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040867A), ref: 00408563

Part of subcall function 00406D54: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406D71

Part of subcall function 004084D0: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004964C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE

Strings

1I, xrefs: 0040857E, 0040858C, 004085A9, 004085B7, 004085FD, 0040860B, 0040862A, 00408638, 0040866C

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID: 1I
API String ID: 1658689577-762079770
Opcode ID: 6e8303e27ed7ddfbf6acd002e5c720f3c58af445dc5c20a44dc96457956c1da1
Instruction ID: 74dcf24fece9135f842d9e2340cbc50c81b3ec91f87ebb2824f4d2ce1649f107
Opcode Fuzzy Hash: 6e8303e27ed7ddfbf6acd002e5c720f3c58af445dc5c20a44dc96457956c1da1
Instruction Fuzzy Hash: E7316375E00109ABCF00EF95C8819EEB7B9FF84314F118577E815BB285E738AE058B98

Function 0047D0AC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 0047D150

Strings

InitializeWizard, xrefs: 0047D0F3

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 669a6a269d9429eb07b4638d8b152cc205309fde65fa91bd383415d10fe050b9
Instruction ID: 27c915d5e84757d1ee1c922a0b45ecd3517ff57706a6a9b1ea1830c72a43ed0f
Opcode Fuzzy Hash: 669a6a269d9429eb07b4638d8b152cc205309fde65fa91bd383415d10fe050b9
Instruction Fuzzy Hash: 9811C2306382009FD710EB29EC82B5A7BF5EB15724F50403BE808872A2DA39AC50CB5D

Function 004775CC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,00477812,00000000,0047794C), ref: 00477611

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004775E1

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 225175c1cb3e5d3e9e70e9ef9a971fa01c6206b910d71101a0ac37fcff0035a7
Instruction ID: 814c6dcea663d1405d948e9489940348151ed5d62cb49aab8d6aacd0da240b25
Opcode Fuzzy Hash: 225175c1cb3e5d3e9e70e9ef9a971fa01c6206b910d71101a0ac37fcff0035a7
Instruction Fuzzy Hash: C7F0A7317085146BDA00A65E6D42B9FA6DDCB84778F60443BF608EB346DABDDE0243AD

Function 0046AD6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,00497154,?,0046B06F,?,00000000,0046B4F7,?,_is1), ref: 0046AD8F

Strings

Inno Setup: Setup Version, xrefs: 0046AD8D

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Value
String ID: Inno Setup: Setup Version
API String ID: 3702945584-4166306022
Opcode ID: b5001300976c311ff63bf81daa3498fb24628c1a8b44004d588d325ece062412
Instruction ID: 411328d8211db58a77dae3404ef256999053971fa6961c2aedf3cbf650fcdf7d
Opcode Fuzzy Hash: b5001300976c311ff63bf81daa3498fb24628c1a8b44004d588d325ece062412
Instruction Fuzzy Hash: 7FE06D713016043FD710AA6ADC85F5BBADCDF88365F10403AB908EB392D578DD0085A9

Function 0042DA38 Relevance: 3.1, APIs: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DB70), ref: 0042DA74
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DB70), ref: 0042DAE4

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fe899f6043c7f770a4508ac600d0d0e70af19fa3b1a52c17f713553a047210da
Instruction ID: de7305fe23da407263f6a21fe748e6d6d926aae016943a7179aec9e2dd5a457b
Opcode Fuzzy Hash: fe899f6043c7f770a4508ac600d0d0e70af19fa3b1a52c17f713553a047210da
Instruction Fuzzy Hash: 4F417171E04129AFDF10DF91D891BAFBBB8EB01704F918466E810B7240D778BE04CB99

Function 0042DCF8 Relevance: 3.1, APIs: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DDF6,?,?,00000008,00000000,00000000,0042DE23), ref: 0042DD8C
RegCloseKey.ADVAPI32(?,0042DDFD,?,00000000,00000000,00000000,00000000,00000000,0042DDF6,?,?,00000008,00000000,00000000,0042DE23), ref: 0042DDF0

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: b395eec5d444746d883dbbe68a26dc186a8be4d3543415a8a9a06ae4829f6fc1
Instruction ID: 4db75c3f0003ee77c81ad7234f2e5e1b513bc4eba3d2eee43a500da64a91fe5e
Opcode Fuzzy Hash: b395eec5d444746d883dbbe68a26dc186a8be4d3543415a8a9a06ae4829f6fc1
Instruction Fuzzy Hash: 4931B270F04649AFDB14DFA6DC52BAFBBB9EB48304F90407BE400F7281D6785A01CA29

Function 0040AF38 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AF52
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B0AF,00000000,0040B0C7,?,?,?,00000000), ref: 0040AF63

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: 495ed283f31991be558d7aaf91bbf96f1b13b17f58e3dd61e94c2b353b9623af
Instruction ID: d0e6d2b3de5701a5b01f0c314f0e154d100cb3f2f79c9d4e2e087994511e300e
Opcode Fuzzy Hash: 495ed283f31991be558d7aaf91bbf96f1b13b17f58e3dd61e94c2b353b9623af
Instruction Fuzzy Hash: 7701F7B1704300AFD700EF69DC92E1A77EDDB897187128076F500EB3D0DA799C119669

Function 0041EE14 Relevance: 3.0, APIs: 2, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041EE63
73EA5940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E908,?,00000001), ref: 0041EE69

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: A5940CurrentThread
String ID:
API String ID: 2589350566-0
Opcode ID: b328251ae0892c8a3b7f185b32438ae157af80a37aa78e1151a8addd2e42d252
Instruction ID: 6dec67758a4febc774e22da3091525d30ea0c4d8bfc57ce8b44416be19a69247
Opcode Fuzzy Hash: b328251ae0892c8a3b7f185b32438ae157af80a37aa78e1151a8addd2e42d252
Instruction Fuzzy Hash: C3015B74A04704AFD701CFA6EC11956BBE8E789720B22887BE904D37A0EA385811DE18

Function 0040170C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766

Strings

1[, xrefs: 0040173B, 0040177B

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FreeVirtual
String ID: 1[
API String ID: 1263568516-3738508114
Opcode ID: 09cabece21cf584f7b8116981dfbad3f8653d6c5a4f55eb454a10d9661d4edbc
Instruction ID: dd39995c24d96b1f0cd65365fb3acc738aa13d81c460f04ccbda7f03c85f078f
Opcode Fuzzy Hash: 09cabece21cf584f7b8116981dfbad3f8653d6c5a4f55eb454a10d9661d4edbc
Instruction Fuzzy Hash: 6D01FC766442148FC3109F69DCC0E2677E8D794378F16453EDA85673A1D37A6C018BDC

Function 00451888 Relevance: 3.0, APIs: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 004518CA
GetLastError.KERNEL32(00000000,00000000,00000000,004518F0), ref: 004518D2

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: 10a17b5f55d8132d355b2be22579e48721c0d02d21db4419b0f25e12a06febb5
Instruction ID: 4a908479c274ede1fa612a67027dcf523005e30280c6ec4e7261d6cc76548501
Opcode Fuzzy Hash: 10a17b5f55d8132d355b2be22579e48721c0d02d21db4419b0f25e12a06febb5
Instruction Fuzzy Hash: B9014971B00304AF9B10FFB99C4259EB7ECDB8832171045BBFC08E3652EA384E048558

Function 00451378 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004513D7), ref: 004513B1
GetLastError.KERNEL32(00000000,00000000,00000000,004513D7), ref: 004513B9

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7fd9e911900e9a06a0dfd278701c74cc3c46c37c0458817335f085c5dd111093
Instruction ID: 9b23b03b90933790c580962e112c838e42041695dbfb4577ddf6274ef4a18e8c
Opcode Fuzzy Hash: 7fd9e911900e9a06a0dfd278701c74cc3c46c37c0458817335f085c5dd111093
Instruction Fuzzy Hash: 2EF0C871A04708BBEB00EFB5AC516AEB7E8EB09315F5045B7FC04E3A52E6794E148698

Function 0042E1F0 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E1FA
LoadLibraryA.KERNEL32(00000000,00000000,0042E244,?,00000000,0042E262,?,00008000), ref: 0042E229

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 0102d987cd0908c49357e23cdbf7a47517641d04aa5dfc05fc1f8898bd46d34f
Instruction ID: 2bd629673230950b16c4bb4544665cc4d3578012b9e0763c9fae70ecea85f9d4
Opcode Fuzzy Hash: 0102d987cd0908c49357e23cdbf7a47517641d04aa5dfc05fc1f8898bd46d34f
Instruction Fuzzy Hash: 31F08270714744FEDF019F779C6282BBBECE74DB1479249B6F800A2691E63C5810C939

Function 00450054 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046C065,?,00000000), ref: 0045006A
GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046C065,?,00000000), ref: 00450072

Part of subcall function 0044FE10: GetLastError.KERNEL32(0044FC2C,0044FED2,?,00000000,?,00492588,00000001,00000000,00000002,00000000,004926E9,?,?,00000005,00000000,0049271D), ref: 0044FE13

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: f7b6d91780900016932261e5b31036d83abc2770e31421f62e2bd79437fa69ba
Instruction ID: 619d70630f7d728e19568b0c26e44efacd411b086580920acadf97a9c9154113
Opcode Fuzzy Hash: f7b6d91780900016932261e5b31036d83abc2770e31421f62e2bd79437fa69ba
Instruction Fuzzy Hash: F9E012B53042016BEB10EAA5A9C1F3B23DCEF44715F10447EB944CF183D674CC054B69

Function 00478F74 Relevance: 1.6, APIs: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

SendNotifyMessageA.USER32(000203EC,00000496,00002711,00000000), ref: 0047912C

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: MessageNotifySend
String ID:
API String ID: 3556456075-0
Opcode ID: 1bf78a2a4972fbb2a73e3495687c09ee27ad1c961f8a5cc689fdc3f33d66a45c
Instruction ID: 7d22008d7a83e2500ddd5853d1c98629ae082a9ef6797e0e4edc72868eccde80
Opcode Fuzzy Hash: 1bf78a2a4972fbb2a73e3495687c09ee27ad1c961f8a5cc689fdc3f33d66a45c
Instruction Fuzzy Hash: 884142343240009BCB10FF26D88598A7BA5EB50309B65C5BBB8049F3A7CA3DDD46DB9D

Function 0046A1C4 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

7715E550.OLE32(00494B14,00000000,00000001,00494B24,00497054), ref: 0046A2B9

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: 7715E550
String ID:
API String ID: 730562625-0
Opcode ID: 1a96fdbb3e90de8797b7c34e8fd7761ef28502cc93813c311678e4427fcc9a8f
Instruction ID: 28ea0cda059d87ed8d6f055d3f11cf2141d1ab261bbca5563b99c48b31e217e3
Opcode Fuzzy Hash: 1a96fdbb3e90de8797b7c34e8fd7761ef28502cc93813c311678e4427fcc9a8f
Instruction Fuzzy Hash: 1731BC303686008FD750DB19D895B6A73E1EB95314F6082BBF8489B3A1E779EC41CB4E

Function 0041FB0C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FBA9

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: 50e1310ba0544b59a0555e2be0f3aefd4cf1699031129a7841ddf0d9dd467a2f
Instruction ID: 884c2cb002146e47c45dd1875db58eae66db6a4caaf859e9ca4b80fd75174b4c
Opcode Fuzzy Hash: 50e1310ba0544b59a0555e2be0f3aefd4cf1699031129a7841ddf0d9dd467a2f
Instruction Fuzzy Hash: DD2130716087456FC340DF39D840696BBE4BB48344F148A3EA098C3341D774E99ACBD6

Function 00468368 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0041EE14: GetCurrentThreadId.KERNEL32 ref: 0041EE63
Part of subcall function 0041EE14: 73EA5940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E908,?,00000001), ref: 0041EE69

SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,004683C6,?,00000000,?,?,004685D3,?,00000000,00468612), ref: 004683AA

Part of subcall function 0041EEC8: IsWindow.USER32(8BF0EBFF), ref: 0041EED6
Part of subcall function 0041EEC8: EnableWindow.USER32(8BF0EBFF,00000001), ref: 0041EEE5

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$A5940CurrentEnablePathPrepareThreadWrite
String ID:
API String ID: 3104224314-0
Opcode ID: 467ce9893c8a2b941d671877d34955771c88eccab2483bb784be52c54abd03e3
Instruction ID: 1e6c9ee491f26ebb38a393fd70065da3d13cda2054ea28a361ce8fb2712a9f85
Opcode Fuzzy Hash: 467ce9893c8a2b941d671877d34955771c88eccab2483bb784be52c54abd03e3
Instruction Fuzzy Hash: F0F0E9B1258300BFE7159B72EC56B1677E8E314B15F51447FF804C66D0EA7A5890C62D

Function 00440DC8 Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00440DDF

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction ID: f885d1546c0ddadd170268c7727831953bb7ef74118cb9c1630738a499be6481
Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction Fuzzy Hash: E3F06D70504109EFAF0CCF58D0658AF77A1EF48300B2084AFE60797790D638AE30E798

Function 004164C0 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 004164F5

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cdcc0148ce654954751abbafc01dffb42bdee5d1888213000ee0bb92e9214fa3
Instruction ID: a44329a4cc8b06b024a2b0eee2fd8d89e642962040674eee811c3e7967e458ca
Opcode Fuzzy Hash: cdcc0148ce654954751abbafc01dffb42bdee5d1888213000ee0bb92e9214fa3
Instruction Fuzzy Hash: F5F025B2200510AFDB84CF9CD9C0F9373ECEB0C210B0981A6FA08CF24AD220EC108BB0

Function 00414924 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 0041495F

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Function 0042CBA8 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042CBF0,?,00000001,?,?,00000000,?,0042CC42,00000000,0045162D,00000000,0045164E,?,00000000), ref: 0042CBD3

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fb728ae1967c572744be537d183b1c2397660519459ab9e6793d4da77068addf
Instruction ID: dfed850972a7f4cfed0b3d6ce6ead54829112a593105f6481b619d55be1254e6
Opcode Fuzzy Hash: fb728ae1967c572744be537d183b1c2397660519459ab9e6793d4da77068addf
Instruction Fuzzy Hash: 1AE06571304708BFD701EB62AC93E5EBBACD745714B914876B400A7651D5B8AE00845C

Function 0044FF20 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FF60

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a92cf0aa8bb23f57ccdc9442b6704fbd4576b7ac5b6e0326e42d432a692528ee
Instruction ID: 45ed5e217c844315310d89a20c49d2eff003bfa8467b370b0955f01a950c20be
Opcode Fuzzy Hash: a92cf0aa8bb23f57ccdc9442b6704fbd4576b7ac5b6e0326e42d432a692528ee
Instruction Fuzzy Hash: 39E0EDA53541583ED240AABCBC52F9767DC9759754F008033B998D7241D4619A158BA8

Function 0042E670 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451E7B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 860b655ccada46b5013a8742cf2038536e52ba062f8b3e277fa769ce81e13b95
Instruction ID: 7c82c80d86496392c3130c3e7de8882f0dfcc9e316fc406f93a4df2216b263d5
Opcode Fuzzy Hash: 860b655ccada46b5013a8742cf2038536e52ba062f8b3e277fa769ce81e13b95
Instruction Fuzzy Hash: 21E026617843112AF23514567C83B7F1A4E83C0B04FE4842B7B00DE3C3DAAEAD09429E

Function 00406300 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,004235EC,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 00406329

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1

Function 0042DC1C Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC48

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4676b834bccda8ccd94f8a4f379db04665fbdc7bc7b85aab9c145464b6c6dbba
Instruction ID: 5aa87c08ff8936fcaaa84cf50ff31e6a06e3de0a8084b04fc6442f63f77fe161
Opcode Fuzzy Hash: 4676b834bccda8ccd94f8a4f379db04665fbdc7bc7b85aab9c145464b6c6dbba
Instruction Fuzzy Hash: BDE07EB2600129AF9B40DE8DDC81EEB37ADAB1D350F404016FA08D7200C2B4EC519BB4

Function 004536BC Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,000000FF,0046C888,00000000,0046D681,?,00000000,0046D6CA,?,00000000,0046D803,?,00000000,?,00000000), ref: 004536D2

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 7d5519857b665cbbf82b8b35f439f608cfeada5da546942c6fbe9b0196f0527a
Instruction ID: eca53ef0c4505d94b6e963a585f564cfd6265b0c9c03d819447d58a966c2af15
Opcode Fuzzy Hash: 7d5519857b665cbbf82b8b35f439f608cfeada5da546942c6fbe9b0196f0527a
Instruction Fuzzy Hash: 49E065705047004BCB24DF3A848121A7AD15F84321F08C56AAC58CB396E63DC4199616

Function 004145EC Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00490192,?,004901B4,?,?,00000000,00490192,?,?), ref: 0041460B

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Function 00406E78 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406E8C

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a86332fa630e211a890a26f820a456cfae7ee7da2a92b38f798d74d6102b1500
Instruction ID: 5e9ef0cb41ef517b54198f539e7e4457f1ce254f1207c5e451c0fee893fabf4d
Opcode Fuzzy Hash: a86332fa630e211a890a26f820a456cfae7ee7da2a92b38f798d74d6102b1500
Instruction Fuzzy Hash: 3DD05B763082107AD620A55BAC44DA76BDCCFC5770F11063EB558C71C1D6309C01C675

Function 004235BC Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00423568: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042357D

ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7

Part of subcall function 00423598: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 004235B4

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 05b12f49588f72d468172bd8f1b82f2cb8bfea04f415fe28581d7e625a87d56b
Instruction ID: 6e8deb3ed7ffb4c54c7bf11bddd21d475954711d807402a63cfbe74293682e9f
Opcode Fuzzy Hash: 05b12f49588f72d468172bd8f1b82f2cb8bfea04f415fe28581d7e625a87d56b
Instruction Fuzzy Hash: 03D05E123812743102107ABB280998B42A84D862AB388043BB54CDB202E91E8A81A1AC

Function 00424234 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 0042424C

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: c34688b727229efcedc1f2997f44e421d28f5fd8d0fc977b3f59e8ef08dab085
Instruction ID: a3b20f4c882213fa23ff33249cd178fa67041ba6f44abe22b1f00704e939aabb
Opcode Fuzzy Hash: c34688b727229efcedc1f2997f44e421d28f5fd8d0fc977b3f59e8ef08dab085
Instruction Fuzzy Hash: 4CD05EE27011702BCB01BBED54C4AC667CC8B8829AB1940BBF918EF257C638CE448398

Function 0042CC00 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00450CD7,00000000), ref: 0042CC0B

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 696c079d1e659a807bafa968d47e5a3e4cea9be412662ea6c9d5bc89f686c2e0
Instruction ID: 3d474633da5dc292dd1e9b08acfa0ea7ef8e6560f0837aa6ac70ccb6d2902417
Opcode Fuzzy Hash: 696c079d1e659a807bafa968d47e5a3e4cea9be412662ea6c9d5bc89f686c2e0
Instruction Fuzzy Hash: 42C08CE03022001A9A1465BF2CC511F42C8891827A3A41F37F53CE32D2D27E88A72428

Function 004633A4 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00464010,00000000,00000000,00000000,0000000C,00000000), ref: 004633BC

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Function 00406E28 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A834,0040CDE0,?,00000000,?), ref: 00406E45

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4583f237df22b439ee34a1a79ec62ce4162a2c4c0b032f6043df3341da82d5c7
Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
Opcode Fuzzy Hash: 4583f237df22b439ee34a1a79ec62ce4162a2c4c0b032f6043df3341da82d5c7
Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C

Function 00450088 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,0045AA1E,00000000,0045ABA9,?,00000000,00000002,00000002), ref: 0045008F

Part of subcall function 0044FE10: GetLastError.KERNEL32(0044FC2C,0044FED2,?,00000000,?,00492588,00000001,00000000,00000002,00000000,004926E9,?,?,00000005,00000000,0049271D), ref: 0044FE13

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 857a2ef5c33fcabe859aa2781a1519cd0b5291b8658590954683ea0b80d8510a
Instruction ID: 5fd336f37560a3562a1f9a64c462d12011a30875c45227d907a3aa1d5a9b5e2e
Opcode Fuzzy Hash: 857a2ef5c33fcabe859aa2781a1519cd0b5291b8658590954683ea0b80d8510a
Instruction Fuzzy Hash: 35C04C65300110479F00A6BE95C1A1763D95F083063104866BA04CF257D669D8544A18

Function 00407210 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,00492516,00000000,004926E9,?,?,00000005,00000000,0049271D,?,?,00000000), ref: 0040721B

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 116f646fca034a371e6a5c157b9d4efecc0deabf7e2bcd6bcee3aaaef58023bf
Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
Opcode Fuzzy Hash: 116f646fca034a371e6a5c157b9d4efecc0deabf7e2bcd6bcee3aaaef58023bf
Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514

Function 0042E24B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E269), ref: 0042E25C

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7fad5ebe009d69c2099675b3e000f1c062c351dec5b4fb3cd432c824ae70c241
Instruction ID: b0804e078831a813d9aa2463563e291fc03c9a68ee142e2bda9a21ea894dad8b
Opcode Fuzzy Hash: 7fad5ebe009d69c2099675b3e000f1c062c351dec5b4fb3cd432c824ae70c241
Instruction Fuzzy Hash: AFB09B7670C600DDB709D6D6745552D63D8D7C47207E145B7F001D2580D93C58004928

Function 0041655C Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

73EA5CF0.USER32(?), ref: 00416563

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15102f7382d34fed751781a5022c55e4c44b9a191595ad2a6c0bef55f1a25186
Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
Opcode Fuzzy Hash: 15102f7382d34fed751781a5022c55e4c44b9a191595ad2a6c0bef55f1a25186
Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58

Function 0044815C Relevance: 1.4, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab2ea1812401c856e0cde9d0c05d2385f19664b13b8620937c6159cc733bb41
Instruction ID: d201100ca80ec2f8cbfe3f56f823717f17ab321979d0d2a0415f45e630f29b9c
Opcode Fuzzy Hash: 4ab2ea1812401c856e0cde9d0c05d2385f19664b13b8620937c6159cc733bb41
Instruction Fuzzy Hash: CD518674E042459FDB00EFA9C482AAEBBF5EF49704F5041BEE500A7351DB789E41CB98

Function 0045C348 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045C3D8

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 76fbdefa84b6e6646576d37aa534d5687847a51f5d406797e85eb89dfb11de70
Instruction ID: 7994756c429da8fd341528b1115bd972bbd87915911d1c28c7d9b705713d9cd5
Opcode Fuzzy Hash: 76fbdefa84b6e6646576d37aa534d5687847a51f5d406797e85eb89dfb11de70
Instruction Fuzzy Hash: 641163716043089FD700AE55C8C1B4B3795AF8475AF05806AFD589B2C7DB38E848CB6A

Function 0041F334 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED14,?,004237FF,00423B7C,0041ED14), ref: 0041F352

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fcc5bb2b52a6c868320fd556f825bdddd6823e0008dba192f27ebe0d5c6033d0
Instruction ID: b4617262a153a49870252b9da37c83347ffd54b91452f412ea0f349906787434
Opcode Fuzzy Hash: fcc5bb2b52a6c868320fd556f825bdddd6823e0008dba192f27ebe0d5c6033d0
Instruction Fuzzy Hash: 361118742407099BC710DF59D881B86FBE5EB983A0B10C53BED688B385D378E945CBA9

Function 00451BCC Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00451C35), ref: 00451C17

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: ab3637484c69f1e3a9289275503d70efe7f0fad7bd619f5ef2b617ba719f0b94
Instruction ID: 9b046278fcf2f54c8895181bb84fa4e67d3ca0abe95595291a9aaadc5344c142
Opcode Fuzzy Hash: ab3637484c69f1e3a9289275503d70efe7f0fad7bd619f5ef2b617ba719f0b94
Instruction Fuzzy Hash: 7B017036604248AF8B11DF69AC105EEF7E8EB4932072082B7FC64C3352D7754D05D694

Function 0045C2F0 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,0045C3CE), ref: 0045C307

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 1db0cbd719025b65296d728f72a94704870e37dd70070be8469bdcaf82232f5c
Instruction ID: 3bb3114e2640d79ee9d1f6c6c170ec04299b672b50bb43f7844af23f30410e64
Opcode Fuzzy Hash: 1db0cbd719025b65296d728f72a94704870e37dd70070be8469bdcaf82232f5c
Instruction Fuzzy Hash: 6CD0E9B17557045FDF90EE798CC1B0237D8BB48741F5044666D04DB286E674E8048A18

Function 00406EB0 Relevance: 1.3, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00406EB1

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ce9819a0c299784ac39983e171dfc3d0d3373cd0e3bd5e96c40e619c76bc7acf
Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
Opcode Fuzzy Hash: ce9819a0c299784ac39983e171dfc3d0d3373cd0e3bd5e96c40e619c76bc7acf
Instruction Fuzzy Hash:

Non-executed Functions

Function 0044B08C Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B038: GetVersionExA.KERNEL32(00000094), ref: 0044B055

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F1A9,00493215), ref: 0044B0B3
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B0CB
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B0DD
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B0EF
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B101
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B113
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B125
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B137
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B149
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B15B
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B16D
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B17F
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B191
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B1A3
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B1B5
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B1C7
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B1D9
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B1EB
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B1FD
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B20F
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B221
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B233
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B245
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B257
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B269
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B27B
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B28D
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B29F
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B2B1
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B2C3
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B2D5
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B2E7
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B2F9
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B30B
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B31D
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B32F
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B341
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B353
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B365
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B377
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B389
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B39B
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B3AD
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B3BF
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B3D1
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B3E3
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B3F5
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B407

Strings

GetThemeSysSize, xrefs: 0044B303
GetThemeBool, xrefs: 0044B207
GetThemeDocumentationProperty, xrefs: 0044B3DB
GetThemeTextMetrics, xrefs: 0044B153
OpenThemeData, xrefs: 0044B0C3
GetThemeSysString, xrefs: 0044B327
GetThemeSysInt, xrefs: 0044B339
GetThemeAppProperties, xrefs: 0044B3A5
GetThemeTextExtent, xrefs: 0044B141
GetThemeSysFont, xrefs: 0044B315
GetThemeColor, xrefs: 0044B1D1
GetThemeRect, xrefs: 0044B261
GetThemeSysColorBrush, xrefs: 0044B2DF
GetThemeFilename, xrefs: 0044B2BB
GetThemeBackgroundRegion, xrefs: 0044B165
CloseThemeData, xrefs: 0044B0D5
IsThemeBackgroundPartiallyTransparent, xrefs: 0044B1BF
uxtheme.dll, xrefs: 0044B0AE
GetThemeInt, xrefs: 0044B219
GetThemeEnumValue, xrefs: 0044B22B
EnableTheming, xrefs: 0044B3FF
EnableThemeDialogTexture, xrefs: 0044B381
DrawThemeText, xrefs: 0044B0F9
GetThemePropertyOrigin, xrefs: 0044B297
GetThemePosition, xrefs: 0044B23D
IsThemeDialogTextureEnabled, xrefs: 0044B393
DrawThemeParentBackground, xrefs: 0044B3ED
GetWindowTheme, xrefs: 0044B36F
GetThemeSysColor, xrefs: 0044B2CD
DrawThemeEdge, xrefs: 0044B189
IsThemeActive, xrefs: 0044B34B
GetThemePartSize, xrefs: 0044B12F
GetCurrentThemeName, xrefs: 0044B3C9
DrawThemeBackground, xrefs: 0044B0E7
HitTestThemeBackground, xrefs: 0044B177
IsThemePartDefined, xrefs: 0044B1AD
GetThemeMargins, xrefs: 0044B273
GetThemeIntList, xrefs: 0044B285
SetWindowTheme, xrefs: 0044B2A9
GetThemeBackgroundContentRect, xrefs: 0044B10B, 0044B11D
GetThemeString, xrefs: 0044B1F5
GetThemeFont, xrefs: 0044B24F
GetThemeSysBool, xrefs: 0044B2F1
GetThemeMetric, xrefs: 0044B1E3
SetThemeAppProperties, xrefs: 0044B3B7
DrawThemeIcon, xrefs: 0044B19B
IsAppThemed, xrefs: 0044B35D

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 1968650500-2910565190
Opcode ID: c0b6a7321769edc8054774f6e1a4a7cc645fbf4eca71de10d65dcd89c53b7c41
Instruction ID: fe7ec38607b22d39bed663b2d58cef56837bfbcccade8a066643eb3a06087c6f
Opcode Fuzzy Hash: c0b6a7321769edc8054774f6e1a4a7cc645fbf4eca71de10d65dcd89c53b7c41
Instruction Fuzzy Hash: 3B91E3B0A40B50EFEF00EBF598C6A2636A8EB15B18B15457BB444EF296C778D804CF5D

Function 00456D8C Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00456DF3
QueryPerformanceCounter.KERNEL32(02113858,00000000,00457086,?,?,02113858,00000000,?,00457782,?,02113858,00000000), ref: 00456DFC
GetSystemTimeAsFileTime.KERNEL32(02113858,02113858), ref: 00456E06
GetCurrentProcessId.KERNEL32(?,02113858,00000000,00457086,?,?,02113858,00000000,?,00457782,?,02113858,00000000), ref: 00456E0F
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00456E85
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02113858,02113858), ref: 00456E93
CreateFileA.KERNEL32(00000000,C0000000,00000000,00494AB0,00000003,00000000,00000000,00000000,00457042), ref: 00456EDB
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00457031,?,00000000,C0000000,00000000,00494AB0,00000003,00000000,00000000,00000000,00457042), ref: 00456F14

Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456FBD
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00456FF3
CloseHandle.KERNEL32(000000FF,00457038,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0045702B

Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7

Strings

\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00456E5B
CreateProcess, xrefs: 00456FC6
64-bit helper EXE wasn't extracted, xrefs: 00456DE7
Cannot utilize 64-bit features on this version of Windows, xrefs: 00456DD4
i, xrefs: 00456F70
D, xrefs: 00456F36
CreateNamedPipe, xrefs: 00456EA3
Starting 64-bit helper process., xrefs: 00456DC1
CreateFile, xrefs: 00456EE9
Helper process PID: %u, xrefs: 00457010
helper %d 0x%x, xrefs: 00456F9C
SetNamedPipeHandleState, xrefs: 00456F1D

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 53890445295be3d3d31e52727ea490adc7ccb43dce6168ff118a2784991df1db
Instruction ID: f6538b9f74412226b669bfece35f7f8b6dba794c0ca87bd4e30d5109fc12bfbf
Opcode Fuzzy Hash: 53890445295be3d3d31e52727ea490adc7ccb43dce6168ff118a2784991df1db
Instruction Fuzzy Hash: 49716470A04744AFDB20DB69DC41B5EBBF8AB05705F5084BAF908EB282D7785948CF69

Function 0045B29C Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045B2B6
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045B2D6
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045B2E3
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045B2F0
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045B2FE

Part of subcall function 0045B1A4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045B243,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045B21D

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045B4F1,?,?,00000000), ref: 0045B3B7
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045B4F1,?,?,00000000), ref: 0045B3C0

Strings

GetNamedSecurityInfoW, xrefs: 0045B2DD
advapi32.dll, xrefs: 0045B2D1
SetNamedSecurityInfoW, xrefs: 0045B2EA
SetEntriesInAclW, xrefs: 0045B2F8
W, xrefs: 0045B3CE

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: 1d806d9dda6068bb291ca6d6d76056618574950846b2f0729205e6ddb2b5ae31
Instruction ID: c7fa785e835f4f31fbb174cc3c8bee0aea38d4a0e272f0ec20846287379b14aa
Opcode Fuzzy Hash: 1d806d9dda6068bb291ca6d6d76056618574950846b2f0729205e6ddb2b5ae31
Instruction Fuzzy Hash: 455174B1900608EFDB10DF99C845BEEB7B8EB49315F14806AF904B7382D7789945CFA9

Function 004739C4 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00473A17
GetLastError.KERNEL32(?,?), ref: 00473A20
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00473A6D
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00473A91
CloseHandle.KERNEL32(00000000,00473AC2,00000000,00000000,000000FF,000000FF,00000000,00473ABB,?,?,?), ref: 00473AB5

Strings

MsgWaitForMultipleObjects, xrefs: 00473A7A
ShellExecuteEx returned hProcess=0, xrefs: 00473A41
<, xrefs: 004739E2
ShellExecuteEx, xrefs: 00473A31
GetExitCodeProcess, xrefs: 00473A9A
runas, xrefs: 004739F0

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastMultipleObjectsProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 171997614-221126205
Opcode ID: bdd79b2e264e3947b3271ce07b307c804a443899bf148872aca85f54ba098470
Instruction ID: fd51c6fdc7ef3a5c4723c7cab516b72f55abc6f577cd61f87c3a1e5de1d1d72d
Opcode Fuzzy Hash: bdd79b2e264e3947b3271ce07b307c804a443899bf148872aca85f54ba098470
Instruction Fuzzy Hash: C92167B0A00204ABDB14EFA98943ADD76E8EF05709F50843BF548F62C2DB7C9A04975D

Function 004227CC Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422964
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422B2E), ref: 00422974

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: fa9062f2f8c7c292f6ba47f23b62071bd1c02060dccc7d557ee2b61b6739a24d
Instruction ID: 22a298226f26ad5282d2b06c056c5494fcfa573f7ff451a3aba74327ab4f92ef
Opcode Fuzzy Hash: fa9062f2f8c7c292f6ba47f23b62071bd1c02060dccc7d557ee2b61b6739a24d
Instruction Fuzzy Hash: A6917271B04214FFD710EBA9DA86F9D77F4AB09314F5104BAF504AB3A2C778AE409B58

Function 004182F4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00418303
GetWindowPlacement.USER32(?,0000002C), ref: 00418320
GetWindowRect.USER32(?), ref: 0041833C
GetWindowLongA.USER32(?,000000F0), ref: 0041834A
GetWindowLongA.USER32(?,000000F8), ref: 0041835F
ScreenToClient.USER32(00000000), ref: 00418368
ScreenToClient.USER32(00000000,?), ref: 00418373

Strings

,, xrefs: 0041830C

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 76ed797ea6865fddbc3593e7458191c6aaa261637689223d055d8f073444f388
Instruction ID: 9cf88c6662a8b54f2d940af1896da5675c8924d24fa9a5d7825e36bf04e718ba
Opcode Fuzzy Hash: 76ed797ea6865fddbc3593e7458191c6aaa261637689223d055d8f073444f388
Instruction Fuzzy Hash: 40112B71505201AFDB00DF69C885F9B77E8AF49314F18067EBD58DB286C739D900CB69

Function 00453FD0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00453FDF
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453FE5
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00453FFE
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454025
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045402A
ExitWindowsEx.USER32(00000002,00000000), ref: 0045403B

Strings

SeShutdownPrivilege, xrefs: 00453FF7

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 38b00b688662a0d9bbbecbe7d33395a35eb7a17cbac0a46106fc5b3172d15a50
Instruction ID: fefb7ae41868014354d83cb3ae28757c4cdc7dcc71e7b198ec4e0078f4c74e40
Opcode Fuzzy Hash: 38b00b688662a0d9bbbecbe7d33395a35eb7a17cbac0a46106fc5b3172d15a50
Instruction Fuzzy Hash: 06F06270694702B5E620AA758C07F6B25989B80F8DF60492ABE45EF1C3D6BCC54C4A2A

Function 0045B864 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045B86D
GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045B87D
GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045B88D
ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047A5DB,00000000,0047A604), ref: 0045B8B2

Strings

ArcFourCrypt, xrefs: 0045B887
ISCryptGetVersion, xrefs: 0045B867
ArcFourInit, xrefs: 0045B877

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$CryptVersion
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 1951258720-508647305
Opcode ID: c3c7ec0b1ce4a4f9ebe2d8e394cd6736047279cae241cd1696ff5e4f0e7e87a0
Instruction ID: 302474af057a75e6aa59db1b8817eaeab706bde5883f342fd947c8368cb819cc
Opcode Fuzzy Hash: c3c7ec0b1ce4a4f9ebe2d8e394cd6736047279cae241cd1696ff5e4f0e7e87a0
Instruction Fuzzy Hash: BFF0F9B0529700DEEB06EF76AC866623699E79032AF14D43BE408961A2D77C0448CF1C

Function 00492760 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0049289E,?,?,00000000,00496628,?,00492A28,00000000,00492A7C,?,?,00000000,00496628), ref: 004927B7
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049283A
FindNextFileA.KERNEL32(000000FF,?,00000000,00492876,?,00000000,?,00000000,0049289E,?,?,00000000,00496628,?,00492A28,00000000), ref: 00492852
FindClose.KERNEL32(000000FF,0049287D,00492876,?,00000000,?,00000000,0049289E,?,?,00000000,00496628,?,00492A28,00000000,00492A7C), ref: 00492870

Strings

isRS-, xrefs: 004927D7
isRS-???.tmp, xrefs: 004927A1

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 70fea279a0487c66a379aa7ff36a45d08903b4abdbe9169b97591ec596f32377
Instruction ID: 6f3af90e7e4d79464d1657adb4957f5333b5dfcd3ed3f620ee887a0d658b233a
Opcode Fuzzy Hash: 70fea279a0487c66a379aa7ff36a45d08903b4abdbe9169b97591ec596f32377
Instruction Fuzzy Hash: A5319471900618BFDF10EF66CD41ACEBBBCDB49304F5085F7A808A32A1D7789E458E58

Function 0047884C Relevance: 9.2, APIs: 6, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,00000000,00478B12,?,00000000,?,00000000,?,00478C56,00000000,00000000), ref: 004788AD
FindNextFileA.KERNEL32(000000FF,?,00000000,004789BD,?,00000000,?,?,?,?,00000000,00478B12,?,00000000,?,00000000), ref: 00478999
FindClose.KERNEL32(000000FF,004789C4,004789BD,?,00000000,?,?,?,?,00000000,00478B12,?,00000000,?,00000000), ref: 004789B7
FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,00478B12,?,00000000,?,00000000,?,00478C56,00000000), ref: 00478A10

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Find$File$First$CloseNext
String ID:
API String ID: 2001080981-0
Opcode ID: bf4e0802f79d6ecb0b26fe8947a890451376e871c9cd550310497b4db5b6158c
Instruction ID: c53e02efa538cd00ed8c6064e36d24adcac4933ff0a83cd0056e21b928a08691
Opcode Fuzzy Hash: bf4e0802f79d6ecb0b26fe8947a890451376e871c9cd550310497b4db5b6158c
Instruction Fuzzy Hash: CD71607090020DAFCF11EFA5CC45ADFBBB9EF49304F5084AAE508A7291DB399A45CF59

Function 00455800 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0045587D
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004558A4
SetForegroundWindow.USER32(?), ref: 004558B5
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00455B8F,?,00000000,00455BCB), ref: 00455B7A

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 004559FA

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: aba927f1f309b32fe38766258577f601f314c8aed9c78afadeeb596dcf30424a
Instruction ID: 78b58341f63533b3ae22fdc0b35f2ff7933112878ccc3eccec269f40d3d6be6d
Opcode Fuzzy Hash: aba927f1f309b32fe38766258577f601f314c8aed9c78afadeeb596dcf30424a
Instruction Fuzzy Hash: 0291C234604604EFD715CF65D965F6ABBF9EB48714F2180BAEC0497792C739AE04CB18

Function 004547F8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,0045492C), ref: 00454828
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045482E

Strings

kernel32.dll, xrefs: 00454823
GetDiskFreeSpaceExA, xrefs: 0045481E

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: eac562a1060f7fadf38ecb16a1882514189a9ad3f183d6e31b82e056aa49acf1
Instruction ID: 4ed4d427c84f2e0797dfbcbbf1775a844099e9a297d380e2836bd8fb6971dfff
Opcode Fuzzy Hash: eac562a1060f7fadf38ecb16a1882514189a9ad3f183d6e31b82e056aa49acf1
Instruction Fuzzy Hash: DA316275A04249AFCF01EFA5C8829EFB7B8EF89704F504567E800F7252D6385D098B68

Function 00417C40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417C7F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417C9D
GetWindowPlacement.USER32(?,0000002C), ref: 00417CD3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417CFA

Strings

,, xrefs: 00417CC1

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 81a48e547fa398d3f0e332d3c5732c978cb07eabcf612ef17b70e18ae1a1ab95
Instruction ID: c7e48a005123f112bfb3c773aae920d88014dc0855fb7fe4f04d55f6c4297c8c
Opcode Fuzzy Hash: 81a48e547fa398d3f0e332d3c5732c978cb07eabcf612ef17b70e18ae1a1ab95
Instruction Fuzzy Hash: 92213E71604204ABCF00EF69D8C4ADA77B8AF48314F11456AFD18DF346D678E984CBA8

Function 00460594 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00460751), ref: 004605C5
FindFirstFileA.KERNEL32(00000000,?,00000000,00460724,?,00000001,00000000,00460751), ref: 00460654
FindNextFileA.KERNEL32(000000FF,?,00000000,00460706,?,00000000,?,00000000,00460724,?,00000001,00000000,00460751), ref: 004606E6
FindClose.KERNEL32(000000FF,0046070D,00460706,?,00000000,?,00000000,00460724,?,00000001,00000000,00460751), ref: 00460700

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 8e5f21022fae35bd05caf680941799b374ea027a06ecb90817f05a91b3dc2be9
Instruction ID: f78dcee57c625dac1728093300786459247b71741faca452f92d1a4d7efbbe15
Opcode Fuzzy Hash: 8e5f21022fae35bd05caf680941799b374ea027a06ecb90817f05a91b3dc2be9
Instruction Fuzzy Hash: D941B970A006189FDB11EF65DC85ADFB7B8EB88705F5044BAF804E7391D63C9E488E59

Function 00460A10 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00460BF7), ref: 00460A85
FindFirstFileA.KERNEL32(00000000,?,00000000,00460BC2,?,00000001,00000000,00460BF7), ref: 00460ACB
FindNextFileA.KERNEL32(000000FF,?,00000000,00460BA4,?,00000000,?,00000000,00460BC2,?,00000001,00000000,00460BF7), ref: 00460B80
FindClose.KERNEL32(000000FF,00460BAB,00460BA4,?,00000000,?,00000000,00460BC2,?,00000001,00000000,00460BF7), ref: 00460B9E

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 49e9851897b8f681d322c96bb90846bd68f017f54ff683acd975a5c922cbe8b7
Instruction ID: c4fca8719043302f1557867009f5b54629f0d04ae6016422a46977757255b98a
Opcode Fuzzy Hash: 49e9851897b8f681d322c96bb90846bd68f017f54ff683acd975a5c922cbe8b7
Instruction Fuzzy Hash: D7417631A00618DFCB10EFA5DC859DFB7B8EB88709F5085A6F804A7341E7789E448E59

Function 0042E6DC Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00451B47,00000000,00451B68), ref: 0042E6FE
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E729
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00451B47,00000000,00451B68), ref: 0042E736
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00451B47,00000000,00451B68), ref: 0042E73E
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00451B47,00000000,00451B68), ref: 0042E744

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: b398f5f594d3ce364fdf5cd670d1d6f1cfc7debce29cf4bfe02d4251d0372630
Instruction ID: 405047736e0f3db58adf1e262a5124b738154ad7abc3b976f47152011cf6baa3
Opcode Fuzzy Hash: b398f5f594d3ce364fdf5cd670d1d6f1cfc7debce29cf4bfe02d4251d0372630
Instruction Fuzzy Hash: 12F0F0713917207AF620B1BA6CC6F7B018CC7C5B68F10823ABB04FF1C1D9A84C06056D

Function 0047E0A8 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0047E0E6
GetWindowLongA.USER32(00000000,000000F0), ref: 0047E104
ShowWindow.USER32(00000000,00000005,00000000,000000F0,00497030,0047D932,0047D966,00000000,0047D986,?,?,00000001,00497030), ref: 0047E126
ShowWindow.USER32(00000000,00000000,00000000,000000F0,00497030,0047D932,0047D966,00000000,0047D986,?,?,00000001,00497030), ref: 0047E13A

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: f6c937e62bd4f7f33b8cff1129e0ff9e0c9ea1576419266ffb873d417130a402
Instruction ID: c92ae80fdea3dbb9ecd522712915d334841aed4b7b9fd6eda1dbd96f1c302fca
Opcode Fuzzy Hash: f6c937e62bd4f7f33b8cff1129e0ff9e0c9ea1576419266ffb873d417130a402
Instruction Fuzzy Hash: 910171702252509ADB00B776CC46BDB2396AB19344F4486BBF8489B3A3CA7D9C61974C

Function 0045F008 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0045F0DC), ref: 0045F060
FindNextFileA.KERNEL32(000000FF,?,00000000,0045F0BC,?,00000000,?,00000000,0045F0DC), ref: 0045F09C
FindClose.KERNEL32(000000FF,0045F0C3,0045F0BC,?,00000000,?,00000000,0045F0DC), ref: 0045F0B6

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 28630f636b04da4fcdbc8bf603e3cd822730a77496e846d3c01d6dea91b4df37
Instruction ID: 68591aebe15be66c02bfe18b1190825c6ab69d9b7e21385b208dddf45066949f
Opcode Fuzzy Hash: 28630f636b04da4fcdbc8bf603e3cd822730a77496e846d3c01d6dea91b4df37
Instruction Fuzzy Hash: 6D21DB315047086EDB11EB65CC41ADEBBACDB49714F5484F7BC08D35E3E6389E4C895A

Function 0042414C Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00424154
SetActiveWindow.USER32(?,?,?,00468BB4), ref: 00424161

Part of subcall function 004235BC: ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7

Part of subcall function 00423A84: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,0042417A,?,?,?,00468BB4), ref: 00423ABF

SetFocus.USER32(00000000,?,?,?,00468BB4), ref: 0042418E

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: bf39fc93c20dd362814a915e3816c2be519e9f0d9e4d58152530bfc1c9f789b4
Instruction ID: 4136aac35a779e4733478972a6ab5bc4469f39141bd8f2cff661810d574da02b
Opcode Fuzzy Hash: bf39fc93c20dd362814a915e3816c2be519e9f0d9e4d58152530bfc1c9f789b4
Instruction Fuzzy Hash: 3EF03A717001208BDB40AFAA98C4B9633A8AF48304B55017BBD09EF34BCA7CDC5187A8

Function 00417C3E Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417C7F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417C9D
GetWindowPlacement.USER32(?,0000002C), ref: 00417CD3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417CFA

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: b8fbe12c44fb062a6cac749eb6b5fd61645d1f9f5889301bfb76636b936bc9d1
Instruction ID: f0313cfea0d4087130c3a657ee055cc65a4736f61d4b278e94d42609036002a6
Opcode Fuzzy Hash: b8fbe12c44fb062a6cac749eb6b5fd61645d1f9f5889301bfb76636b936bc9d1
Instruction Fuzzy Hash: 31015A31204104ABDF10EE6A98C5EEA73A8AF44324F114166FD08CF342E638EC8086A8

Function 00417508 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417533
GetCapture.USER32 ref: 0041753C

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: af1c5b43412e2fcaa88ec6dbe6a8b705b794b180b560b7f19973f3177c796014
Instruction ID: 516534a0d685a41b5289b303ed97122a4deaa6af678778b669afb1f0a2bf06d6
Opcode Fuzzy Hash: af1c5b43412e2fcaa88ec6dbe6a8b705b794b180b560b7f19973f3177c796014
Instruction Fuzzy Hash: 80F04471B04602A7DB20E72EC8C5AA762F69F44394B54443FF415C7B96EA7CDCC48758

Function 00424104 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0042410B

Part of subcall function 004239F4: EnumWindows.USER32(0042398C), ref: 00423A18
Part of subcall function 004239F4: GetWindow.USER32(?,00000003), ref: 00423A2D
Part of subcall function 004239F4: GetWindowLongA.USER32(?,000000EC), ref: 00423A3C
Part of subcall function 004239F4: SetWindowPos.USER32(00000000,004240CC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042411B,?,?,00423CE3), ref: 00423A72

SetActiveWindow.USER32(?,?,?,00423CE3,00000000,004240CC), ref: 0042411F

Part of subcall function 004235BC: ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 42e4936c4a6647b65b5ab24117e0ac4ae5d8008d356746b3415a205c164669c5
Instruction ID: b8e4b42960b6b3797255afb6d30997fccd36cf0c86298b6f3b138aeb4614201e
Opcode Fuzzy Hash: 42e4936c4a6647b65b5ab24117e0ac4ae5d8008d356746b3415a205c164669c5
Instruction Fuzzy Hash: 76E0E5A0300100C7EB00AFAAD8C9B9672A9BB48304F5501BABC08CF24BD6B8C8948724

Function 00412548 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412745), ref: 00412733

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: ccb3f07b2fee23e1b7d0b9fe211690240d667b5ade3c407fcf90e85793529408
Instruction ID: 7676943622bfa1b87a175b7a8473920ed7b4936c8d574fb73453cf2521b2b913
Opcode Fuzzy Hash: ccb3f07b2fee23e1b7d0b9fe211690240d667b5ade3c407fcf90e85793529408
Instruction Fuzzy Hash: 5751D3356042059FC710DF5AD681A9BF3E5FF98304B3582ABE814C73A5D6B8AD92874C

Function 00473F28 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00474076

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 25d2fed37fc004c0ef9d7e1e532679906a7dfcc26d9c4c4e0f977566c6f286e0
Instruction ID: 893271b3bcd24fcb62a5a78660203d6d155b33e0871f9808868e069105ad9bad
Opcode Fuzzy Hash: 25d2fed37fc004c0ef9d7e1e532679906a7dfcc26d9c4c4e0f977566c6f286e0
Instruction Fuzzy Hash: E8415779A04144DFCB10CF99C2808AAB7F9EB88311B25C592E94CDB745D339EE41EB98

Function 0045B918 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045B923

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: 2fd5046d53dc597d3e4d98d458f148574003c2ec4f4f0757a2eee833ca150b3b
Instruction ID: 2225761bf594105b04891f9a979b45a9a4731abcd3a6ed3030aefe2a2354edc5
Opcode Fuzzy Hash: 2fd5046d53dc597d3e4d98d458f148574003c2ec4f4f0757a2eee833ca150b3b
Instruction Fuzzy Hash: C7C09BF601420CBF65005795ECC9CB7F75CE6586647408126F6044210195716C108674

Function 0045B930 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046994F), ref: 0045B936

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: c27a93e1bdfdde7edc9fcc879cc72405f18f208b3af26568a1f388ef4ce3250e
Instruction ID: 96b9a57d22d70392ad1d1cde2f2ee6f5b4e57433d8ae25836dc8224d98b85447
Opcode Fuzzy Hash: c27a93e1bdfdde7edc9fcc879cc72405f18f208b3af26568a1f388ef4ce3250e
Instruction Fuzzy Hash: A7A002B0A94300BAFD2157605D0EF67262C97D0F15F2084657201A91D085A46400C63C

Function 10001130 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3445483633.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3445437690.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3445513542.0000000010002000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_9MgoW3Y1ti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Function 10001000 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3445483633.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3445437690.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.3445513542.0000000010002000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_9MgoW3Y1ti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction Fuzzy Hash:

Function 004565B8 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 237filesynchronizationprocessCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00494AA4,00000001,00000000,00000000,004568ED,?,?,?,00000001,?,00456B07,00000000,00456B1D,?,00000000,00496628), ref: 00456605
CreateFileMappingA.KERNEL32(000000FF,00494AA4,00000004,00000000,00002018,00000000), ref: 0045663D
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,004568C3,?,00494AA4,00000001,00000000,00000000,004568ED,?,?,?), ref: 00456664
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456771
ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,004568C3,?,00494AA4,00000001,00000000,00000000,004568ED), ref: 004566C9

Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7

CloseHandle.KERNEL32(00456B07,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456788
WaitForSingleObject.KERNEL32(00000000,000000FF,00456B07,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004567C1
GetLastError.KERNEL32(00000000,000000FF,00456B07,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004567D3
UnmapViewOfFile.KERNEL32(00000000,004568CA,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004568A5
CloseHandle.KERNEL32(00000000,004568CA,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004568B4
CloseHandle.KERNEL32(00000000,004568CA,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004568BD

Strings

OleInitialize, xrefs: 0045680D
D, xrefs: 00456732
REGDLL failed with exit code 0x%x, xrefs: 004567B1
CreateMutex, xrefs: 00456613
REGDLL mutex wait failed (%d, %d), xrefs: 004567E7
ReleaseMutex, xrefs: 004566D2
Spawning _RegDLL.tmp, xrefs: 004565E4
LoadLibrary, xrefs: 0045681F
_isetup\_RegDLL.tmp, xrefs: 004566EF
CreateProcess, xrefs: 0045677A
CreateFileMapping, xrefs: 0045664B
MapViewOfFile, xrefs: 00456672
_RegDLL.tmp %u %u, xrefs: 00456719
GetProcAddress, xrefs: 00456831
REGDLL returned unknown result code %d, xrefs: 00456884

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
API String ID: 4012871263-351310198
Opcode ID: 2d7d41f1dc95c0e97e8351de386188b607b902f05f624e0ced809bd65a677759
Instruction ID: 980461e75233d27168dbefb0458f3d7e1823a55311cdbdb2a0391f25a35d7111
Opcode Fuzzy Hash: 2d7d41f1dc95c0e97e8351de386188b607b902f05f624e0ced809bd65a677759
Instruction Fuzzy Hash: 32918170E002159FDB10EBA9C845B9EB7B4EF48305F91856BF914EB382DB789908CF59

Function 0041F088 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00418F60,00000000,?,?,?,00000001), ref: 0041F096
SetErrorMode.KERNEL32(00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0B2
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0BE
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0CC
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F0FC
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F125
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F13A
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F14F
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F164
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F179
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F18E
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1A3
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1B8
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1CD
FreeLibrary.KERNEL32(00000001,?,00418F60,00000000,?,?,?,00000001), ref: 0041F1DF

Strings

Ctl3dRegister, xrefs: 0041F0F1
Ctl3dDlgFramePaint, xrefs: 0041F159
Ctl3dCtlColorEx, xrefs: 0041F16E
CTL3D32.DLL, xrefs: 0041F0B9
Ctl3dUnAutoSubclass, xrefs: 0041F198
Ctl3dSubclassCtl, xrefs: 0041F12F
Ctl3dAutoSubclass, xrefs: 0041F183
Ctl3DColorChange, xrefs: 0041F1AD
BtnWndProc3d, xrefs: 0041F1C2
Ctl3dSubclassDlgEx, xrefs: 0041F144
Ctl3dUnregister, xrefs: 0041F11A

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 3ee75083f87a6e9960b975f8ce9b4bab73ebc8e6f4ff35a6c1ea5a687f8926a0
Instruction ID: da08133687b7634b50b6c6a847516dd753fa1eb4508864759417a9d87976edef
Opcode Fuzzy Hash: 3ee75083f87a6e9960b975f8ce9b4bab73ebc8e6f4ff35a6c1ea5a687f8926a0
Instruction Fuzzy Hash: 3531F0B1640740EBDB00EBF5EC86E653654F768B28756093BB608DB162D77D488ACB1C

Function 004917C0 Relevance: 35.5, APIs: 3, Strings: 17, Instructions: 495COMMON

Download Yara Rule

Strings

Setup version: Inno Setup version 5.3.5 (a), xrefs: 00491898
DeinitializeUninstall, xrefs: 00491F3A
Removed all? %s, xrefs: 00491CFA
Uninstall, xrefs: 0049184B
Will restart because UninstallNeedRestart returned True., xrefs: 00491D80
Need to restart Windows? %s, xrefs: 00491DD1
Cannot find utCompiledCode record for this version of the uninstaller, xrefs: 00491A36
utCompiledCode[1] is invalid, xrefs: 00491A71
Not calling UninstallNeedRestart because a restart has already been deemed necessary., xrefs: 00491DAF
Install was done in 64-bit mode but not running 64-bit Windows now, xrefs: 00491AAB
InitializeUninstall, xrefs: 00491BF0
UninstallNeedRestart, xrefs: 00491D30, 00491D69
Original Uninstall EXE: , xrefs: 004918A2
Uninstall DAT: , xrefs: 004918C5
InitializeUninstall returned False; aborting., xrefs: 00491C28
Will not restart Windows automatically., xrefs: 00491EA4
Uninstall command line: , xrefs: 004918E8

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$Long$Show
String ID: Cannot find utCompiledCode record for this version of the uninstaller$DeinitializeUninstall$InitializeUninstall$InitializeUninstall returned False; aborting.$Install was done in 64-bit mode but not running 64-bit Windows now$Need to restart Windows? %s$Not calling UninstallNeedRestart because a restart has already been deemed necessary.$Original Uninstall EXE: $Removed all? %s$Setup version: Inno Setup version 5.3.5 (a)$Uninstall$Uninstall DAT: $Uninstall command line: $UninstallNeedRestart$Will not restart Windows automatically.$Will restart because UninstallNeedRestart returned True.$utCompiledCode[1] is invalid
API String ID: 3609083571-1972832509
Opcode ID: 564fb5d3747994d23ef970b5a2b0d3f85f6acd01b6bbcc9d08c4d2da2b19c3a8
Instruction ID: 6596ef0c965ed04d70404abd425b2fb86aee653cd75455762a8c83b1d9d07689
Opcode Fuzzy Hash: 564fb5d3747994d23ef970b5a2b0d3f85f6acd01b6bbcc9d08c4d2da2b19c3a8
Instruction Fuzzy Hash: CE12AC34A54245AFDF11EB65EC42B9E7FA5AB19308F10807BF800A73B2CB789845CB5D

Function 0041C97C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,0041A8B4,?), ref: 0041C9B0
73EA4C40.GDI32(?,00000000,?,0041A8B4,?), ref: 0041C9BC
73EA6180.GDI32(0041A8B4,?,00000001,00000001,00000000,00000000,0041CBD2,?,?,00000000,?,0041A8B4,?), ref: 0041C9E0
73EA4C00.GDI32(?,0041A8B4,?,00000000,0041CBD2,?,?,00000000,?,0041A8B4,?), ref: 0041C9F0
SelectObject.GDI32(0041CDAC,00000000), ref: 0041CA0B
FillRect.USER32(0041CDAC,?,?), ref: 0041CA46
SetTextColor.GDI32(0041CDAC,00000000), ref: 0041CA5B
SetBkColor.GDI32(0041CDAC,00000000), ref: 0041CA72
PatBlt.GDI32(0041CDAC,00000000,00000000,0041A8B4,?,00FF0062), ref: 0041CA88
73EA4C40.GDI32(?,00000000,0041CB8B,?,0041CDAC,00000000,?,0041A8B4,?,00000000,0041CBD2,?,?,00000000,?,0041A8B4), ref: 0041CA9B
SelectObject.GDI32(00000000,00000000), ref: 0041CACC
73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B,?,0041CDAC,00000000,?,0041A8B4), ref: 0041CAE4
73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B,?,0041CDAC,00000000,?), ref: 0041CAED
73E98830.GDI32(0041CDAC,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B), ref: 0041CAFC
73E922A0.GDI32(0041CDAC,0041CDAC,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B), ref: 0041CB05
SetTextColor.GDI32(00000000,00000000), ref: 0041CB1E
SetBkColor.GDI32(00000000,00000000), ref: 0041CB35
73EA4D40.GDI32(0041CDAC,00000000,00000000,0041A8B4,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CB7A,?,?,00000000), ref: 0041CB51
SelectObject.GDI32(00000000,?), ref: 0041CB5E
DeleteDC.GDI32(00000000), ref: 0041CB74

Part of subcall function 00419FC8: GetSysColor.USER32(?), ref: 00419FD2

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Color$ObjectSelect$E922E98830Text$A570A6180DeleteFillRect
String ID:
API String ID: 1952589944-0
Opcode ID: d7b92da64cecfd48f0a2b1e7f5bec81e0b40094dab39069241f93e3b0f0d639f
Instruction ID: 7128b10ae0d2f5501f58bad1f60f679124a592cf14607d549707b49f1954e982
Opcode Fuzzy Hash: d7b92da64cecfd48f0a2b1e7f5bec81e0b40094dab39069241f93e3b0f0d639f
Instruction Fuzzy Hash: 5961FC71A44609ABDF10EBE5DC86FAFB7B8EF48704F10446AF504E7281C67CA9418B69

Function 0042DEBC Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 178memorylibraryloaderCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00494788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DEF6
GetVersion.KERNEL32(00000000,0042E0A0,?,00494788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF13
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E0A0,?,00494788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF2C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DF32
FreeSid.ADVAPI32(00000000,0042E0A7,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E09A

Strings

CheckTokenMembership, xrefs: 0042DF22
advapi32.dll, xrefs: 0042DF27

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProcVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 1717332306-1888249752
Opcode ID: 59bbf30f185a9ae2ec61c265cb76b637c59ffee8dc596189c0408cef68f3f34f
Instruction ID: 5045d4bdae095839e21654112f0de3b8f2816e6eca6f617d5415efb28b53f152
Opcode Fuzzy Hash: 59bbf30f185a9ae2ec61c265cb76b637c59ffee8dc596189c0408cef68f3f34f
Instruction Fuzzy Hash: 6151C571B44629AEDB10EAE69C42F7F77ECEB09304F94447BB500F7282C5BC9806866D

Function 00492A8C Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,00492E24,?,?,00000000,?,00000000,00000000,?,00493165,00000000,0049316F,?,00000000), ref: 00492B0F
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492E24,?,?,00000000,?,00000000,00000000,?,00493165,00000000), ref: 00492B22
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492E24,?,?,00000000,?,00000000,00000000), ref: 00492B32
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00492B53
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492E24,?,?,00000000,?,00000000), ref: 00492B63

Part of subcall function 0042D328: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3B6,?,?,00000000,?,?,00492520,00000000,004926E9,?,?,00000005), ref: 0042D35D

Strings

e1I, xrefs: 00492E16
/REG, xrefs: 00492AC1
Setup, xrefs: 00492AFB
.msg, xrefs: 00492B86
Inno-Setup-RegSvr-Mutex, xrefs: 00492B19
o1I, xrefs: 00492AB1, 00492ABE, 00492AD5, 00492AE2, 00492B76, 00492B80, 00492B90, 00492B9A
/REGU, xrefs: 00492AE5
.lst, xrefs: 00492BA0

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$e1I$o1I
API String ID: 2000705611-221793176
Opcode ID: 93f4319d652df31d1491f7e58c9920bd5a7ef255fec07566d47bc37a90253f49
Instruction ID: 4be49199d801b1cb5a3f4bb92d7f292d3e3738ea6ecad4381c70a4705d363757
Opcode Fuzzy Hash: 93f4319d652df31d1491f7e58c9920bd5a7ef255fec07566d47bc37a90253f49
Instruction Fuzzy Hash: 3891D434A04205AFDF11EBA5D956BAF7FB4EB09304F918477F400AB692C6BD9C05CB19

Function 00458DE4 Relevance: 21.2, APIs: 2, Strings: 10, Instructions: 199COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045907E,?,?,?,?,?,00000006,?,00000000,00491FBA,?,00000000,0049205D), ref: 00458F30

Strings

.hlp, xrefs: 00458E1B
Stripped read-only attribute., xrefs: 00458F09
.gid, xrefs: 00458E34
Deleting file: %s, xrefs: 00458ECF
.chw, xrefs: 00458E99
.chm, xrefs: 00458E80
.fts, xrefs: 00458E58
Failed to delete the file; it may be in use (%d)., xrefs: 0045901F
Failed to strip read-only attribute., xrefs: 00458F15
The file appears to be in use (%d). Will delete on restart., xrefs: 00458F79

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-1593206319
Opcode ID: 5d7b9d7c30f83f3247b130719882f36e307d81f231b67c3dd7c11efa3abf157e
Instruction ID: e4eb3b4405a0979e1a2c77286c885a36d1837fd04eb9654633cb4fd66a7308d3
Opcode Fuzzy Hash: 5d7b9d7c30f83f3247b130719882f36e307d81f231b67c3dd7c11efa3abf157e
Instruction Fuzzy Hash: 7B618E30B042549BDB10EB69C8827AE77A9AB48715F50486FF801EB383CB789D49C799

Function 0041B31C Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

73EA4C40.GDI32(00000000,?,00000000,?), ref: 0041B333
73EA4C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B33D
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B34F
73EA6180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B366
73E9A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B372
73EA4C00.GDI32(00000000,0000000B,?,00000000,0041B3CB,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B39F
73E9A480.USER32(00000000,00000000,0041B3D2,00000000,0041B3CB,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3C5
SelectObject.GDI32(00000000,?), ref: 0041B3E0
SelectObject.GDI32(?,00000000), ref: 0041B3EF
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B41B
SelectObject.GDI32(00000000,00000000), ref: 0041B429
SelectObject.GDI32(?,00000000), ref: 0041B437
DeleteDC.GDI32(00000000), ref: 0041B440
DeleteDC.GDI32(?), ref: 0041B449

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Object$Select$Delete$A480A570A6180Stretch
String ID:
API String ID: 1888863034-0
Opcode ID: e420a80018f5a27581da0c94fb8e2332c520fd2d58b05de39de388c6394c4d5d
Instruction ID: ef99a8f9a6f00624a9096b2aeeb37702e3b70ceb3a8cbf3cb68c8f3869cb2bd7
Opcode Fuzzy Hash: e420a80018f5a27581da0c94fb8e2332c520fd2d58b05de39de388c6394c4d5d
Instruction Fuzzy Hash: 1541D071E40619AFDF10DAE9D846FEFB7BCEF08704F104466B614FB281C67869408BA4

Function 0046E8BC Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 319COMMON

Download Yara Rule

APIs

Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046EA4F
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046EB46
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0046EB5C
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046EB81

Strings

.lnk, xrefs: 0046E945
Desktop.ini, xrefs: 0046EC02
Filename: %s, xrefs: 0046E9F1
.url, xrefs: 0046E98B
target.lnk, xrefs: 0046EBCB
.pif, xrefs: 0046E968, 0046EACA
{group}\, xrefs: 0046E913

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 971782779-3668018701
Opcode ID: f899328f81346ceb28187c7e053454cefd689a42d0f673cda6a499a0fcfe0b0b
Instruction ID: 9b3c0a2ebe02865d096d3d92589461d85e8d30d772736a84054ea4ba39fb763a
Opcode Fuzzy Hash: f899328f81346ceb28187c7e053454cefd689a42d0f673cda6a499a0fcfe0b0b
Instruction Fuzzy Hash: FBD12274A00249AFDB01DF95D885FDEBBF5AF08314F54402AF900B7392D678AE45CB69

Function 00453338 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegQueryValueExA.ADVAPI32(00459246,00000000,00000000,?,00000000,?,00000000,004535D1,?,00459246,00000003,00000000,00000000,00453608), ref: 00453451

Part of subcall function 0042E670: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451E7B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F

RegQueryValueExA.ADVAPI32(00459246,00000000,00000000,00000000,?,00000004,00000000,0045351B,?,00459246,00000000,00000000,?,00000000,?,00000000), ref: 004534D5
RegQueryValueExA.ADVAPI32(00459246,00000000,00000000,00000000,?,00000004,00000000,0045351B,?,00459246,00000000,00000000,?,00000000,?,00000000), ref: 00453504

Strings

, xrefs: 004533C2
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045336F
RegOpenKeyEx, xrefs: 004533D4
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004533A8

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: d547f96382ddb47af51d9cc29b1b85abbfcd8a0dd46a61b3a596026ad2d6d4ad
Instruction ID: 553864e69fa8df29f0895cd1651d22ce7dcdc08a544756bbeb7b66468d6216b8
Opcode Fuzzy Hash: d547f96382ddb47af51d9cc29b1b85abbfcd8a0dd46a61b3a596026ad2d6d4ad
Instruction Fuzzy Hash: DF912371A04208BBDB11DF95C942BDEB7F9EB08346F10446BF900F7282D6789F098B69

Function 00457208 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0045723F
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 0045725B
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00457269
GetExitCodeProcess.KERNEL32(?), ref: 0045727A
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004572C1
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004572DD

Strings

Helper isn't responding; killing it., xrefs: 0045724B
Helper process exited, but failed to get exit code., xrefs: 004572B3
Stopping 64-bit helper process. (PID: %u), xrefs: 00457231
Helper process exited with failure code: 0x%x, xrefs: 004572A7
Helper process exited., xrefs: 00457289

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 6b2201595befcdbf0454e25f3f98579558f6d853a158eaa6821fe7e437e0bd5b
Instruction ID: cbbbea6dedd0d273467075bf502e8a2b7be663cd85a1a49bef8c8f37b48c8077
Opcode Fuzzy Hash: 6b2201595befcdbf0454e25f3f98579558f6d853a158eaa6821fe7e437e0bd5b
Instruction Fuzzy Hash: 89215C70608B009AC720E779D441B5BB7D4AF08305F04897FBC9ACB283D678E8489B6A

Function 00452FEC Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC1C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC48

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004531C3,?,00000000,00453287), ref: 00453113
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004531C3,?,00000000,00453287), ref: 0045324F

Part of subcall function 0042E670: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451E7B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F

Strings

RegCreateKeyEx, xrefs: 00453087
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045302B
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045305B
, xrefs: 00453075

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 758553f8d2e594071fe37aa958d85f9a645975654b76cf36553100ddb6c8e864
Instruction ID: 2c0c5fe921886f73e21521b3bff8a538c4309916fb6f6cfb0a6381ca684f6e5a
Opcode Fuzzy Hash: 758553f8d2e594071fe37aa958d85f9a645975654b76cf36553100ddb6c8e864
Instruction Fuzzy Hash: C5812171A00609AFDB00DFE5C941BDEB7B9EB08345F54446AF901F7282D778AA09CB69

Function 004913E4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004524C4: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004915B5,_iu,?,00000000,004525FE), ref: 004525B3
Part of subcall function 004524C4: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004915B5,_iu,?,00000000,004525FE), ref: 004525C3

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00491461
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004915B5), ref: 00491482
CreateWindowExA.USER32(00000000,STATIC,004915C4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004914A9
SetWindowLongA.USER32(?,000000FC,00490C3C), ref: 004914BC
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00491588,?,?,000000FC,00490C3C,00000000,STATIC,004915C4), ref: 004914EC
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00491560
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00491588,?,?,000000FC,00490C3C,00000000), ref: 0049156C

Part of subcall function 00452814: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004528FB

73EA5CF0.USER32(?,0049158F,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00491588,?,?,000000FC,00490C3C,00000000,STATIC), ref: 00491582

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 0049151B
STATIC, xrefs: 004914A2

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 170458502-2312673372
Opcode ID: 5955ee03ed027167db5067d7769f0f2e7a3333a957f84736b9c043bd00e9a10a
Instruction ID: 8fdd4e63cd422c3942ebc1833423ec4bc75e2ea9b26886e4930e7115e52d1235
Opcode Fuzzy Hash: 5955ee03ed027167db5067d7769f0f2e7a3333a957f84736b9c043bd00e9a10a
Instruction Fuzzy Hash: 10415270A04209AEDF00EBA5CD42F9E7BF8EB49714F51457AF500F72D2D6799E008BA8

Function 0042EBE0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042EBEC
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EC00
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EC0D
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EC1A
GetWindowRect.USER32(?,00000000), ref: 0042EC66
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042ECA4

Strings

GetMonitorInfoA, xrefs: 0042EC14
user32.dll, xrefs: 0042EBFB
MonitorFromWindow, xrefs: 0042EC07
(, xrefs: 0042EC45

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: ab635a9dbd45ec810e9935963670e5bdc3844d9f2a3901bc6b7a360ecf31759e
Instruction ID: 4a37ecb70f16d0e534201d00fe1897e1a246a2af0c0267f068437e20043e9251
Opcode Fuzzy Hash: ab635a9dbd45ec810e9935963670e5bdc3844d9f2a3901bc6b7a360ecf31759e
Instruction Fuzzy Hash: 1221CF72301624AFD300DAAADC81F3B3698EB84B10F09452EF944EB382DA78DC048A59

Function 0045F2A8 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0045F2B4
GetModuleHandleA.KERNEL32(user32.dll), ref: 0045F2C8
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045F2D5
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045F2E2
GetWindowRect.USER32(?,00000000), ref: 0045F32E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0045F36C

Strings

(, xrefs: 0045F30D
MonitorFromWindow, xrefs: 0045F2CF
GetMonitorInfoA, xrefs: 0045F2DC
user32.dll, xrefs: 0045F2C3

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 0759357e475281c3d178149a1403ff3b79648049ae6c1278b3f2bdc8cf34fbc7
Instruction ID: 95483c6525a53468b4ec8186bc606c8502f0d91924da71a6d47f5662d43c45fd
Opcode Fuzzy Hash: 0759357e475281c3d178149a1403ff3b79648049ae6c1278b3f2bdc8cf34fbc7
Instruction Fuzzy Hash: 112192757456046BE3109A68CC81F3F3799DB88715F09453EFD84DB382DA78ED0C8A9A

Function 00454C98 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 248COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00454E69
7715E550.OLE32(00494A58,00000000,00000001,00494774,?,00000000,00454F64), ref: 00454CDA

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

7715E550.OLE32(00494764,00000000,00000001,00494774,?,00000000,00454F64), ref: 00454D00

Strings

IPropertyStore::Commit, xrefs: 00454E4E
IPersistFile::Save, xrefs: 00454EEB
CoCreateInstance, xrefs: 00454D0B
IPropertyStore::SetValue, xrefs: 00454DE9, 00454E35
IShellLink::QueryInterface, xrefs: 00454E8D

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: 7715E550String$AllocByteCharFreeMultiWide
String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue$IShellLink::QueryInterface
API String ID: 21690954-2052886881
Opcode ID: 5948eefd91c64643e410a8502d34ef97e64b0715af901c2b07599baa63df0646
Instruction ID: 0b21da03975bca805d8248ee8d2b37e628922fffcf98328ca7261b0fae796446
Opcode Fuzzy Hash: 5948eefd91c64643e410a8502d34ef97e64b0715af901c2b07599baa63df0646
Instruction Fuzzy Hash: AA915071A00104AFDB50DFA9C885F9E77F8AF89709F50406AF904EB262DB78DD48CB59

Function 004573E0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004575BF,?,00000000,00457622,?,?,02113858,00000000), ref: 0045743D
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00457554,?,00000000,00000001,00000000,00000000,00000000,004575BF), ref: 0045749A
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00457554,?,00000000,00000001,00000000,00000000,00000000,004575BF), ref: 004574A7
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004574F3
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,0045752D,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00457554,?,00000000), ref: 00457519
GetLastError.KERNEL32(?,?,00000000,00000001,0045752D,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00457554,?,00000000), ref: 00457520

Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7

Strings

TransactNamedPipe, xrefs: 004574B3
CreateEvent, xrefs: 0045744B

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: c1a3a8f9ea1166c106d188104454f7bffd3a84fcc42e4e20bcaa0ea938d488a9
Instruction ID: 79c6e3806f75cd6c2156c397a36c552c7ebc7e0cdca09418cd540dcb18b715b5
Opcode Fuzzy Hash: c1a3a8f9ea1166c106d188104454f7bffd3a84fcc42e4e20bcaa0ea938d488a9
Instruction Fuzzy Hash: 98418E70A04608BFDB15DF99D981F9EBBF8EB09710F5040B6F904E7792D6789E44CA28

Function 00455138 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0045529D,?,?,00000031,?), ref: 00455160
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00455166
LoadTypeLib.OLEAUT32(00000000,?), ref: 004551B3

Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7

Strings

LoadTypeLib, xrefs: 004551BE
GetProcAddress, xrefs: 00455173
UnRegisterTypeLib, xrefs: 0045521F
UnRegisterTypeLib, xrefs: 00455156
OLEAUT32.DLL, xrefs: 0045515B
ITypeLib::GetLibAttr, xrefs: 004551E9

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 1ed3e8c5a2aa991d601313e4c083ed3eccbaf9bc08da749f5376dbd3bf59aa27
Instruction ID: fb038adfd684185714a4e58cf340431a6a295a782a22b6c655451b98c415bd11
Opcode Fuzzy Hash: 1ed3e8c5a2aa991d601313e4c083ed3eccbaf9bc08da749f5376dbd3bf59aa27
Instruction Fuzzy Hash: DD31A571A00A04AFC711EFAACC61D6F77B9EB89B41B5044A6FD04D7352DA38D904CB29

Function 0042E274 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E379,?,?,00000001,00000000,?,?,00000001,00000000,00000002,00000000,0047BE41), ref: 0042E29D
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E2A3
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E379,?,?,00000001,00000000,?,?,00000001), ref: 0042E2F1

Strings

kernel32.dll, xrefs: 0042E298
Locale, xrefs: 0042E2E0
GetUserDefaultUILanguage, xrefs: 0042E293
Control Panel\Desktop\ResourceLocale, xrefs: 0042E300
.DEFAULT\Control Panel\International, xrefs: 0042E2C8

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 45ed28070ffb47697e526778f64ff79688c24bec5b2b36becef891b4b1b2b151
Instruction ID: d6249f7fc2f92a5c557ffc1224eecf0a88ec9f0d2c320431a8896816ae334499
Opcode Fuzzy Hash: 45ed28070ffb47697e526778f64ff79688c24bec5b2b36becef891b4b1b2b151
Instruction Fuzzy Hash: 80212670B00215EBDB00EAA7DC55B9F77A9EB44315FD04477A900E7281DB7C9E05DB58

Function 00416CF0 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00416D83
SaveDC.GDI32(?), ref: 00416D97
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416DBA
RestoreDC.GDI32(?,?), ref: 00416DD5
CreateSolidBrush.GDI32(00000000), ref: 00416E55
FrameRect.USER32(?,?,?), ref: 00416E88
DeleteObject.GDI32(?), ref: 00416E92
CreateSolidBrush.GDI32(00000000), ref: 00416EA2
FrameRect.USER32(?,?,?), ref: 00416ED5
DeleteObject.GDI32(?), ref: 00416EDF

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 2d5a952dda77e96b055630d762204063f474f2b74445c94d99100d457d81a94c
Instruction ID: 01d81588b69ff1f480347e903aed9c185fc6c29f227380d1fa6610f1b9ad60dd
Opcode Fuzzy Hash: 2d5a952dda77e96b055630d762204063f474f2b74445c94d99100d457d81a94c
Instruction Fuzzy Hash: A8513C712086449BDB50EF69C8C0B9B77E8EF48314F15566AFD48CB286C738EC81CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 00422158 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004221A3
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004221C1
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221CE
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221DB
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221E8
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004221F5
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422202
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042220F
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042222D
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422249

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 05b40914ec909e1c9740d8afeb2cf42751dc2338b7eead5136cc8733da9e1836
Instruction ID: e98f5eede000e984507cfb68b46ad6efe0a5c83d9602cc3651cf502f29ecaa29
Opcode Fuzzy Hash: 05b40914ec909e1c9740d8afeb2cf42751dc2338b7eead5136cc8733da9e1836
Instruction Fuzzy Hash: 23213370380744BAE720D725DD8BF9B7BD89B04708F0444A5BA487F2D7C6F9AE40869C

Function 0047C34C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 170windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(10000000), ref: 0047C4F4
FreeLibrary.KERNEL32(00000000), ref: 0047C508
SendNotifyMessageA.USER32(000203EC,00000496,00002710,00000000), ref: 0047C57A

Strings

DeinitializeSetup, xrefs: 0047C405
Not restarting Windows because Setup is being run from the debugger., xrefs: 0047C529
Restarting Windows., xrefs: 0047C555
Deinitializing Setup., xrefs: 0047C36A
GetCustomSetupExitCode, xrefs: 0047C3A9

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: efad5fb6bae037c2cf07564e1a1779af0bcde21ed03e767c6d92b2780cbdc405
Instruction ID: 90f5f2579ebd2cd042589c700d0c35de107af6cb7106057c8f5cc839c7e64824
Opcode Fuzzy Hash: efad5fb6bae037c2cf07564e1a1779af0bcde21ed03e767c6d92b2780cbdc405
Instruction Fuzzy Hash: 5851B130614200AFD721DB79DC95BAA7BE4EB59314F50C57BEC08C72A2DB38A845CB5D

Function 00457C10 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 130registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00457B28: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00457C5A,00000000,00457DA7,?,00000000,00000000,00000000), ref: 00457B75

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00457DA7,?,00000000,00000000,00000000), ref: 00457CB6
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00457DA7,?,00000000,00000000,00000000), ref: 00457D1C

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

Strings

v2.0.50727, xrefs: 00457CA8
.NET Framework version %s not found, xrefs: 00457D56
v1.1.4322, xrefs: 00457D0E
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00457C6A
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00457CD0
.NET Framework not found, xrefs: 00457D6A

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$v1.1.4322$v2.0.50727
API String ID: 2976201327-1070292914
Opcode ID: 38dafa01eb145cd46e344ec0d302f40d6a4ca12a07449fb32f1c0fadfb05638c
Instruction ID: 1181c51870a89a76828bf4cdafa164266e6ab86bcafa1da5c5d87414d128b815
Opcode Fuzzy Hash: 38dafa01eb145cd46e344ec0d302f40d6a4ca12a07449fb32f1c0fadfb05638c
Instruction Fuzzy Hash: 5F41C730A081495FCB00DF65E851BEE77B6EF49309F5544BBE840DB292D739AA0ECB58

Function 004733A0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004732C8: GetWindowThreadProcessId.USER32(00000000), ref: 004732D0
Part of subcall function 004732C8: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004733C7,0pI,00000000), ref: 004732E3
Part of subcall function 004732C8: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004732E9

SendMessageA.USER32(00000000,0000004A,00000000,Z7G), ref: 004733D5
GetTickCount.KERNEL32 ref: 0047341A
GetTickCount.KERNEL32 ref: 00473424
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00473479

Strings

CallSpawnServer: Unexpected response: $%x, xrefs: 0047340A
CallSpawnServer: Unexpected status: %d, xrefs: 00473462
0pI, xrefs: 004733A7
Z7G, xrefs: 004733C7, 004733CA

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: 0pI$CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d$Z7G
API String ID: 613034392-2401662188
Opcode ID: 8feb52f6250f747c5a664b1527b2b5cd8d32300bfcf5c1eaa96ed0b76df53d0f
Instruction ID: 8dd7748eb102d70c53ef4d50441e40eca7a6ef9e476b6454bb3470e68b985026
Opcode Fuzzy Hash: 8feb52f6250f747c5a664b1527b2b5cd8d32300bfcf5c1eaa96ed0b76df53d0f
Instruction Fuzzy Hash: 6F31C434F002259ADB10EFB999467EEB2E09F04305F50813BB548EB382DA7C8E01979D

Function 0045DFD8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0045E013
GetActiveWindow.USER32 ref: 0045E077
CoInitialize.OLE32(00000000), ref: 0045E08B
SHBrowseForFolder.SHELL32(?), ref: 0045E0A2
7712D120.OLE32(0045E0E3,00000000,?,?,?,?,?,00000000,0045E167), ref: 0045E0B7
SetActiveWindow.USER32(?,0045E0E3,00000000,?,?,?,?,?,00000000,0045E167), ref: 0045E0CD
SetActiveWindow.USER32(?,?,0045E0E3,00000000,?,?,?,?,?,00000000,0045E167), ref: 0045E0D6

Strings

A, xrefs: 0045E04B

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ActiveWindow$7712BrowseD120FolderInitializeMalloc
String ID: A
API String ID: 3129831556-3554254475
Opcode ID: 4c93aed7974da8df2999b89a302ce796433789b5a6ec67c560a89b0d32607bd6
Instruction ID: 6bfd7eabbe9e682b3dde037a987c9ea474e9b057d6f32f0a8e83a6328ca7ae7b
Opcode Fuzzy Hash: 4c93aed7974da8df2999b89a302ce796433789b5a6ec67c560a89b0d32607bd6
Instruction Fuzzy Hash: D0314471D00218AFDB04EFA6E886A9EBBF8EF09704F51447AF804E7252D7785A04CF59

Function 00418BC4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00418BE0
GetSystemMetrics.USER32(0000000D), ref: 00418BE8
6F9C2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418BEE

Part of subcall function 00409920: 6F9BC400.COMCTL32((fI,000000FF,00000000,00418C1C,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00409924

6FA2CB00.COMCTL32((fI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C3E
6FA2C740.COMCTL32(00000000,?,(fI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418C49
6FA2CB00.COMCTL32((fI,00000001,?,?,00000000,?,(fI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000), ref: 00418C5C
6F9C0860.COMCTL32((fI,00418C7F,?,00000000,?,(fI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E), ref: 00418C72

Strings

(fI, xrefs: 00418C14, 00418C2C, 00418C3A, 00418C58, 00418C6E, 00418C3D, 00418C5B, 00418C71

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: MetricsSystem$C0860C2980C400C740
String ID: (fI
API String ID: 624341609-4122540895
Opcode ID: 65e0913070e1a46d1e4049ee6121461fcfbb365fe4eb4b9520eb625876ba3720
Instruction ID: ebdf7d90a3a22d50ab8fd643d9f8c48181b88e499e337cf830e96f2c39c8652b
Opcode Fuzzy Hash: 65e0913070e1a46d1e4049ee6121461fcfbb365fe4eb4b9520eb625876ba3720
Instruction Fuzzy Hash: 19113675744204BADB50EBF5DC82F5E77B8DB48704F50406AB604E72D2E6799D408768

Function 0045B990 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045B999
GetProcAddress.KERNEL32(00000000,inflate), ref: 0045B9A9
GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045B9B9
GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045B9C9

Strings

inflateInit_, xrefs: 0045B993
inflateReset, xrefs: 0045B9C3
inflateEnd, xrefs: 0045B9B3
inflate, xrefs: 0045B9A3

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: cdec3d2289940290433f74bcfb90cd33ccdd8b1be43608ea6e51ef040730019a
Instruction ID: 02f39ce5c28d2ed3ade6aba6a28faafd9b0cc1bc692c698d2602f952355582ec
Opcode Fuzzy Hash: cdec3d2289940290433f74bcfb90cd33ccdd8b1be43608ea6e51ef040730019a
Instruction Fuzzy Hash: 020121B0518300DADB24DF379C81B263695E764356F14893BA944552A2D77C0549EBDC

Function 0041A84C Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041A929
73EA4D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A963
SetBkColor.GDI32(?,?), ref: 0041A978
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041A9C2
SetTextColor.GDI32(00000000,00000000), ref: 0041A9CD
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041A9DD
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AA1C
SetTextColor.GDI32(00000000,00000000), ref: 0041AA26
SetBkColor.GDI32(00000000,?), ref: 0041AA33

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: 70494902a934abd88d8421d1aeec792968b072de73e514355a54ff46ed356d3f
Instruction ID: 69ae49bf6c4e82acacdff2fe07525d2a8d99776db7c40e28fbb8516f53671917
Opcode Fuzzy Hash: 70494902a934abd88d8421d1aeec792968b072de73e514355a54ff46ed356d3f
Instruction Fuzzy Hash: B461D6B5A00505EFCB40EFA9D985E9AB7F8EF48314B14816AF518DB252C734ED41CF58

Function 00456334 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004564E8,?, /s ",?,regsvr32.exe",?,004564E8), ref: 0045645A

Strings

CreateProcess, xrefs: 0045644C
Spawning 32-bit RegSvr32: , xrefs: 004563E1
/s ", xrefs: 004563A3
regsvr32.exe", xrefs: 0045637B
/u, xrefs: 00456396
Spawning 64-bit RegSvr32: , xrefs: 004563BF
D, xrefs: 00456410
0x%x, xrefs: 0045647D

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: edf60017c2564d3275548d2cadab5662920130db2b9ae15ca25aa1c268591cd9
Instruction ID: 0727363c7f1249558044398805bdccd0d7d16a74982410126c53be3864fdc62d
Opcode Fuzzy Hash: edf60017c2564d3275548d2cadab5662920130db2b9ae15ca25aa1c268591cd9
Instruction Fuzzy Hash: 1B41E570E403086BDB10EFD5D881B9DB7F9AF49305F91407BA904BB296D7789A09CB1D

Function 0044CBAC Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044CBDD
GetSysColor.USER32(00000014), ref: 0044CBE4
SetTextColor.GDI32(00000000,00000000), ref: 0044CBFC
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CC25
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CC2F
GetSysColor.USER32(00000010), ref: 0044CC36
SetTextColor.GDI32(00000000,00000000), ref: 0044CC4E
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CC77
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CCA2

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 123d1c78d96388b48013e2d686bd4fbc3c46f036129ba804cfc4942d94a5bc27
Instruction ID: 1caa52e0a57a24b19c6a51c3cca57839e66ec70a0d40fc0ec19372c69ab55c34
Opcode Fuzzy Hash: 123d1c78d96388b48013e2d686bd4fbc3c46f036129ba804cfc4942d94a5bc27
Instruction Fuzzy Hash: 1D21CFB42015007FC710FB2ACD8AE9BBBECDF19319B05457A7958EB3A3C678DD408669

Function 00452814 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004528FB

Strings

[rename], xrefs: 0045295E, 0045299A
MoveFileEx, xrefs: 00452B0B
NUL, xrefs: 004529BD
WININIT.INI, xrefs: 004528A9
o1I, xrefs: 00452938, 00452948, 0045297B, 00452A13, 00452A1E, 00452A06
.tmp, xrefs: 004528B7

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]$o1I
API String ID: 390214022-2878587892
Opcode ID: 180da5cb8003d792c816aeea415edf5bd33e2b8e779ba911190ea486055d5340
Instruction ID: cc9533ecac0167aba3f68936dda73933724a2a20dcf6fda83704f45a3cd3408f
Opcode Fuzzy Hash: 180da5cb8003d792c816aeea415edf5bd33e2b8e779ba911190ea486055d5340
Instruction Fuzzy Hash: C1912274A002099BDB11EFA5D982BDEB7B5EF49305F508067E800B7392D7B86E09CB59

Function 00490C88 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00450088: SetEndOfFile.KERNEL32(?,?,0045AA1E,00000000,0045ABA9,?,00000000,00000002,00000002), ref: 0045008F

Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00496628,00492DAD,00000000,00492E02,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3

GetWindowThreadProcessId.USER32(00000000,?), ref: 00490D19
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00490D2D
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00490D47
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00490D53
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00490D59
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00490D6C

Strings

Deleting Uninstall data files., xrefs: 00490C8F

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: f2578554030a24c7267b533a633fac1857f9ff088767cb74f3f53633749f6caa
Instruction ID: fe893ce7c7fc4f02ce2c16f04c74f522583f7d0dd1eba0bd56840a119b19c503
Opcode Fuzzy Hash: f2578554030a24c7267b533a633fac1857f9ff088767cb74f3f53633749f6caa
Instruction Fuzzy Hash: 2A217371358240AEEB10A7A6EC42B273B9CDB54318F50063BF5049B2E3DA7CAC44D76D

Function 0046C118 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046C215,?,?,?,?,00000000), ref: 0046C17F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046C215), ref: 0046C196
AddFontResourceA.GDI32(00000000), ref: 0046C1B3
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046C1C7

Strings

Failed to set value in Fonts registry key., xrefs: 0046C188
Failed to open Fonts registry key., xrefs: 0046C19D
AddFontResource, xrefs: 0046C1D1

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: d0cfe69457fce7bbbc28504f119b2d4c3be8b6de6538d31fc16afe2da0dcfddb
Instruction ID: 8ea992291a1dd30632b8682880332e8f2f5ba9678f4ac26e890d70cee17ca1cd
Opcode Fuzzy Hash: d0cfe69457fce7bbbc28504f119b2d4c3be8b6de6538d31fc16afe2da0dcfddb
Instruction Fuzzy Hash: 8221E570B402047AE710EAA68C92F7A639CDB45748F504477BD40EB2C2E67C9D05966E

Function 0045F6E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416380: GetClassInfoA.USER32(00400000,?,?), ref: 004163EF
Part of subcall function 00416380: UnregisterClassA.USER32(?,00400000), ref: 0041641B
Part of subcall function 00416380: RegisterClassA.USER32(?), ref: 0041643E

GetVersion.KERNEL32 ref: 0045F718
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0045F756
SHGetFileInfo.SHELL32(0045F7F4,00000000,?,00000160,00004011), ref: 0045F773
LoadCursorA.USER32(00000000,00007F02), ref: 0045F791
SetCursor.USER32(00000000,00000000,00007F02,0045F7F4,00000000,?,00000160,00004011), ref: 0045F797
SetCursor.USER32(?,0045F7D7,00007F02,0045F7F4,00000000,?,00000160,00004011), ref: 0045F7CA

Strings

Explorer, xrefs: 0045F732

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: e3239e46c257503266597b56140d29e20775804faaf584886ec342b17592225d
Instruction ID: 7ff7faf5247c26d25335c70635a1860a407a0e5f323aeaa6378cd2fc5b7ea516
Opcode Fuzzy Hash: e3239e46c257503266597b56140d29e20775804faaf584886ec342b17592225d
Instruction Fuzzy Hash: B121E7317403046BE710BBB98C47F9A76989B09709F4144BFBB05EA6C3DA7C9C09866D

Function 00401A90 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(00496420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(005B49D0,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(?,00000000,00008000,005B49D0,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(005B2BB8,?,00000000,00008000,005B49D0,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(00496420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(00496420,00401B6F), ref: 00401B62

Strings

1[, xrefs: 00401ADB, 00401AF5, 00401AFD

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: 1[
API String ID: 3782394904-3738508114
Opcode ID: d7983087b8bcbabcafc2c9d8a305f4a93e6fa46b606c4ef3e584c6169f95cf8d
Instruction ID: bf2c7a4256457c5f50c71aa29f18f829c6f6e2c919ab822836d088e606c14c70
Opcode Fuzzy Hash: d7983087b8bcbabcafc2c9d8a305f4a93e6fa46b606c4ef3e584c6169f95cf8d
Instruction Fuzzy Hash: 5D118F30A403405EEB15ABE99D82F263BE59761B4CF56407BF80067AF1D77C9850C76E

Function 004019CC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(00496420,00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(00496420,00401A89,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

1[, xrefs: 004019FA
`dI, xrefs: 00401A4B
`dI, xrefs: 00401A55

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: `dI$`dI$1[
API String ID: 730355536-2633759563
Opcode ID: f176e8b5bc4d8de55a84342bec8c86950c68c795945543f3ab918003abf5a290
Instruction ID: 5e78e1d922e44001d172df758a9733a16a6df98b74bc9f0da5c534ca1700ba01
Opcode Fuzzy Hash: f176e8b5bc4d8de55a84342bec8c86950c68c795945543f3ab918003abf5a290
Instruction Fuzzy Hash: EC01C0706442405EFB19ABE99802B253ED4D795B88F13803FF440A6AF1C67C4840CB2D

Function 00458518 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045869A,?,00000000,00000000,00000000,?,00000006,?,00000000,00491FBA,?,00000000,0049205D), ref: 004585DE

Part of subcall function 00452EB8: FindClose.KERNEL32(000000FF,00452FAE), ref: 00452F9D

Strings

Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004585B8
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00458653
Failed to delete directory (%d)., xrefs: 00458674
Stripped read-only attribute., xrefs: 004585A0
Failed to delete directory (%d). Will retry later., xrefs: 004585F7
Deleting directory: %s, xrefs: 00458567
Failed to strip read-only attribute., xrefs: 004585AC

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: d02289ac0552954b959a3ec27135d6527882d3cbb7a983ba8985732d5b1c3507
Instruction ID: dd70d7a7e9406b9190765920557ab5b8ad56b684bc2d1b190e3df41212a100e3
Opcode Fuzzy Hash: d02289ac0552954b959a3ec27135d6527882d3cbb7a983ba8985732d5b1c3507
Instruction Fuzzy Hash: 3B418630B042489BCB10DB6988427AE76E59B8930AF55857FAC05B7393DF7C890D8B5A

Function 00422DC0 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00422E14
GetCapture.USER32 ref: 00422E23
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422E29
ReleaseCapture.USER32 ref: 00422E2E
GetActiveWindow.USER32 ref: 00422E3D
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422EBC
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422F20
GetActiveWindow.USER32 ref: 00422F2F

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 8d225d8a55f9a88f292a2c30a551b716c13a14df50b62869e123561c13ee422b
Instruction ID: 3dc7d5c5dffcbd9cfc95175fcc265abaf37585ce791e678acf2218af3f88607c
Opcode Fuzzy Hash: 8d225d8a55f9a88f292a2c30a551b716c13a14df50b62869e123561c13ee422b
Instruction Fuzzy Hash: 19416270B00244AFDB50EBA9DA42B9E77F1EF04304F5540BAF404AB3A2D7B99E40DB18

Function 004293F0 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000), ref: 004293FA
GetTextMetricsA.GDI32(00000000), ref: 00429403

Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217

SelectObject.GDI32(00000000,00000000), ref: 00429412
GetTextMetricsA.GDI32(00000000,?), ref: 0042941F
SelectObject.GDI32(00000000,00000000), ref: 00429426
73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0042942E
GetSystemMetrics.USER32(00000006), ref: 00429453
GetSystemMetrics.USER32(00000006), ref: 0042946D

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
String ID:
API String ID: 361401722-0
Opcode ID: aa0e22ae2bb85fef1fe3d4d4a9dea72362df36d5d975f8d53732e0b8776d61f5
Instruction ID: 6143225b0a8ca3b977d6363335e7cd80f7f8ea5cda66b8f0fa851fdc2eb08b32
Opcode Fuzzy Hash: aa0e22ae2bb85fef1fe3d4d4a9dea72362df36d5d975f8d53732e0b8776d61f5
Instruction Fuzzy Hash: 360104917087103BF710B2769CC2F6B6188DB9435CF44003FFA469A3D3D56C8C45866A

Function 0041DD94 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,00418FC9,00493201), ref: 0041DD97
73EA4620.GDI32(00000000,0000005A,00000000,?,00418FC9,00493201), ref: 0041DDA1
73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00418FC9,00493201), ref: 0041DDAE
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DDBD
GetStockObject.GDI32(00000007), ref: 0041DDCB
GetStockObject.GDI32(00000005), ref: 0041DDD7
GetStockObject.GDI32(0000000D), ref: 0041DDE3
LoadIconA.USER32(00000000,00007F00), ref: 0041DDF4

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ObjectStock$A4620A480A570IconLoad
String ID:
API String ID: 2905290459-0
Opcode ID: 79ba34301ffdcd870fce82e69020cd4fb5d8953881da513776c9bfc891f1925d
Instruction ID: bf46a9fe5e63f1af167cdf0a983a4ac464f15f0dd566559e746e50b59b955e29
Opcode Fuzzy Hash: 79ba34301ffdcd870fce82e69020cd4fb5d8953881da513776c9bfc891f1925d
Instruction Fuzzy Hash: A11130706453419AE740BF655992BA63690DB64748F01813FF609AF2D2DB7A0C448B5E

Function 0045FAF8 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 0045FBFC
SetCursor.USER32(00000000,00000000,00007F02,00000000,0045FC91), ref: 0045FC02
SetCursor.USER32(?,0045FC79,00007F02,00000000,0045FC91), ref: 0045FC6C

Strings

, xrefs: 0045FE77
Internal error: Item already expanding, xrefs: 0045FB99
, xrefs: 0045FE92

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: 2a5e59fbc60391709db9e707cfb1b81175e986b7537cdf1dfc64ada719463c73
Instruction ID: 7a834110d2e8282c1345bf2880c47fa17af2e43f078088a6ac64f542608522eb
Opcode Fuzzy Hash: 2a5e59fbc60391709db9e707cfb1b81175e986b7537cdf1dfc64ada719463c73
Instruction Fuzzy Hash: 81B14B30600604DFD711EF69C586B9ABBF1AF05305F1485BAE845AB7A3C778AD4CCB1A

Function 00408688 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004088D0,?,?,?,?,00000000,00000000,00000000,?,004098D7,00000000,004098EA), ref: 004086A2

Part of subcall function 004084D0: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004964C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE

Part of subcall function 0040851C: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040871E,?,?,?,00000000,004088D0), ref: 0040852F

Strings

m/d/yy, xrefs: 00408771
AMPM, xrefs: 0040886D
mmmm d, yyyy, xrefs: 00408793
:mm:ss, xrefs: 0040889E
:mm, xrefs: 00408884

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: d28892a32a3756e591db26ccf56d4423c4b5dcf68a3e55eb2d1216e614db25d0
Instruction ID: f7723302c3cbbcbb01f246a146743d61dec29c667e41bc47a3323a0acc4546db
Opcode Fuzzy Hash: d28892a32a3756e591db26ccf56d4423c4b5dcf68a3e55eb2d1216e614db25d0
Instruction Fuzzy Hash: CB514A35B00248ABDB01FBAA8941A9F7769DB98308F50D47FA141BB3C6DE3DDA05871D

Function 00411664 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00411869), ref: 004116FC
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 004117BA

Part of subcall function 00411A1C: CreatePopupMenu.USER32 ref: 00411A36

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411846

Part of subcall function 00411A1C: CreateMenu.USER32 ref: 00411A40

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 0041182D

Strings

,, xrefs: 0041170F
?, xrefs: 00411716

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 81cf1368c6a983362ffd0b97e47859e0159252f4e06a36b3365d64b72bbd56ad
Instruction ID: 3f3527f43cca8a4f6c45e7f3696c032b38f9f6d147acb0657ff8a7652be0e8fd
Opcode Fuzzy Hash: 81cf1368c6a983362ffd0b97e47859e0159252f4e06a36b3365d64b72bbd56ad
Instruction Fuzzy Hash: CC511774A001409BDB10EF6ADC81ADA7BF9BF49304B1585BBF904E73A6D738C942CB58

Function 0041BDD3 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BE98
GetObjectA.GDI32(?,00000018,?), ref: 0041BEA7
GetBitmapBits.GDI32(?,?,?), ref: 0041BEF8
GetBitmapBits.GDI32(?,?,?), ref: 0041BF06
DeleteObject.GDI32(?), ref: 0041BF0F
DeleteObject.GDI32(?), ref: 0041BF18
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BF35

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: c7b0e75b457b54f40c973da1b74c3022c367d96584a0130cfc4ac672875a8614
Instruction ID: 2920a3410ecffe373541ee6f53742fd475180ef7da711f6faed1b6e94a947089
Opcode Fuzzy Hash: c7b0e75b457b54f40c973da1b74c3022c367d96584a0130cfc4ac672875a8614
Instruction Fuzzy Hash: 0C510571E00219AFCB14DFA9D8819EEB7F9EF48314B11446AF914E7391D738AD81CB64

Function 0041CE48 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CE6E
73EA4620.GDI32(00000000,00000026), ref: 0041CE8D
73E98830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CEF3
73E922A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF02
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CF6C
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041CFAA
73E98830.GDI32(?,?,00000001,0041CFDC,00000000,00000026), ref: 0041CFCF

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Stretch$E98830$A4620BitsE922Mode
String ID:
API String ID: 4209919087-0
Opcode ID: 132354002ca2fdf89728bebe702e6aaf01ac2d906efdfd832a76dcf97bd27496
Instruction ID: 0295d75a013be80ecc2d975aeb153abe1d20fbb24d7cab5e263b7fb8805ed029
Opcode Fuzzy Hash: 132354002ca2fdf89728bebe702e6aaf01ac2d906efdfd832a76dcf97bd27496
Instruction Fuzzy Hash: 6A512970644600AFDB14DFA8C985FABBBF9AF08304F10459AF544DB292C778ED80CB58

Function 00455548 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 0045559A

Part of subcall function 004241EC: GetWindowTextA.USER32(?,?,00000100), ref: 0042420C

Part of subcall function 0041EE14: GetCurrentThreadId.KERNEL32 ref: 0041EE63
Part of subcall function 0041EE14: 73EA5940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E908,?,00000001), ref: 0041EE69

Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00455601
TranslateMessage.USER32(?), ref: 0045561F
DispatchMessageA.USER32(?), ref: 00455628

Strings

[Paused] , xrefs: 004555D0

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Message$TextWindow$A5940CurrentDispatchSendThreadTranslate
String ID: [Paused]
API String ID: 1715333840-4230553315
Opcode ID: 3a95339d3b00b4d4c014ba20a0af633e860cba05bef6b97c8997cd6cdd85c36c
Instruction ID: 1ea6cdf9f8c4d0006da5c53b80d4ab4df920001bdb03266b2b95788fb80fd04e
Opcode Fuzzy Hash: 3a95339d3b00b4d4c014ba20a0af633e860cba05bef6b97c8997cd6cdd85c36c
Instruction Fuzzy Hash: AA31E6309046886ECB11DBB5DC51BEEBBB8EB49314F91447BE804E7292D73C9909CB2D

Function 00467594 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,004676D3), ref: 00467650
LoadCursorA.USER32(00000000,00007F02), ref: 0046765E
SetCursor.USER32(00000000,00000000,00007F02,00000000,004676D3), ref: 00467664
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,004676D3), ref: 0046766E
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,004676D3), ref: 00467674

Strings

CheckPassword, xrefs: 004675F8

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: a0f55fa05c8be1d69f749fc9697138d56db45261ab8bfaff53ea542b656ce6f5
Instruction ID: 0acf26c21a080d5da0313e65daee1c9aa77075bbb7fadc865c3b9f3c1b589fde
Opcode Fuzzy Hash: a0f55fa05c8be1d69f749fc9697138d56db45261ab8bfaff53ea542b656ce6f5
Instruction Fuzzy Hash: 2131B334648744AFD711EB79C88AF9A7BE4AF05318F1580B6B8049F3A2D7789E40CB4D

Function 00457E90 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00457F4B

Strings

Failed to load .NET Framework DLL "%s", xrefs: 00457F30
.NET Framework CreateAssemblyCache function failed, xrefs: 00457F6E
Fusion.dll, xrefs: 00457EEB
Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00457F56
CreateAssemblyCache, xrefs: 00457F42

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: 6892959eac5292d5a5ac2a2cadbd2d0bd37bbeac1c13b492763255e4aa9e87a2
Instruction ID: a43b4c24682a544c2646696e4a275acb35fc84741e5fc719d5cb135cb267c29f
Opcode Fuzzy Hash: 6892959eac5292d5a5ac2a2cadbd2d0bd37bbeac1c13b492763255e4aa9e87a2
Instruction Fuzzy Hash: 5331A771E046096FCB11EFA5D881A9FB7B4AF04715F50857AF814A7382DB3899088799

Function 0041C0B8 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB8: GetObjectA.GDI32(?,00000018), ref: 0041BFC5

GetFocus.USER32 ref: 0041C0D8
73E9A570.USER32(?), ref: 0041C0E4
73E98830.GDI32(?,?,00000000,00000000,0041C163,?,?), ref: 0041C105
73E922A0.GDI32(?,?,?,00000000,00000000,0041C163,?,?), ref: 0041C111
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C128
73E98830.GDI32(?,00000000,00000000,0041C16A,?,?), ref: 0041C150
73E9A480.USER32(?,?,0041C16A,?,?), ref: 0041C15D

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: E98830$A480A570BitsE922FocusObject
String ID:
API String ID: 2688936647-0
Opcode ID: b5ec816d879f7673cf2204928d24ade75243476a1e646848f60b5da6794254d2
Instruction ID: be6d8328aec04e85a436dd0cf8ae2147a44d9b66c6d411dca3268b31211d8f12
Opcode Fuzzy Hash: b5ec816d879f7673cf2204928d24ade75243476a1e646848f60b5da6794254d2
Instruction Fuzzy Hash: B2116A71A40618BFDB10DBA9CC86FAFB7FCEF48700F54446AB514E7281D6789D008B68

Function 0047E3D8 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0047E490), ref: 0047E475

Strings

WinNT, xrefs: 0047E425
ProductType, xrefs: 0047E414
ServerNT, xrefs: 0047E459
System\CurrentControlSet\Control\ProductOptions, xrefs: 0047E3FC
LanmanNT, xrefs: 0047E43F

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: 3fe8207b4309967a2eec740b8de24a374655ee6a60c09589a25f0ee3bbab2cf7
Instruction ID: 46a45326e1d9b5ff3e072bf084057b1a8ce9b2520be3d98a23739a38d90d80f2
Opcode Fuzzy Hash: 3fe8207b4309967a2eec740b8de24a374655ee6a60c09589a25f0ee3bbab2cf7
Instruction Fuzzy Hash: 8F11BB30714204AADB10DA778806BDA3AA8EB09358F51C5B7A908E7392EB7C9901C75C

Function 0041B3D2 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B3E0
SelectObject.GDI32(?,00000000), ref: 0041B3EF
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B41B
SelectObject.GDI32(00000000,00000000), ref: 0041B429
SelectObject.GDI32(?,00000000), ref: 0041B437
DeleteDC.GDI32(00000000), ref: 0041B440
DeleteDC.GDI32(?), ref: 0041B449

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 5d8119482a24acdf9dbc4f71c87d898742faec31f652e860e6f74a5bb4e0366a
Instruction ID: 073f11bba2386bee955988a390c3df6f0cbda7ed7a331810ab0cae2060ca734e
Opcode Fuzzy Hash: 5d8119482a24acdf9dbc4f71c87d898742faec31f652e860e6f74a5bb4e0366a
Instruction Fuzzy Hash: F9114C72E40659ABDF10D6D9D985FAFB3BCEF08704F048456B614FB242C678A8418B54

Function 0048FCB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,?,00000000), ref: 0048FCC5

Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217

SelectObject.GDI32(00000000,00000000), ref: 0048FCE7
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,0049023D), ref: 0048FCFB
GetTextMetricsA.GDI32(00000000,?), ref: 0048FD1D
73E9A480.USER32(00000000,00000000,0048FD47,0048FD40,?,00000000,?,?,00000000), ref: 0048FD3A

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 0048FCF2

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1435929781-222967699
Opcode ID: 3db6766931fef7b11a742d2f2d9c48b6603b492ecea0d86a82d8ef65d75c1a51
Instruction ID: be2ae6e373cd916ce709c39e3fbc403556832e2453e100614d5f9d9249756fbf
Opcode Fuzzy Hash: 3db6766931fef7b11a742d2f2d9c48b6603b492ecea0d86a82d8ef65d75c1a51
Instruction Fuzzy Hash: BE018876604604BFEB01EBA5CC45F5FB3ECDB49704F510476B604E7281D678AD008B68

Function 00423304 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0042331F
WindowFromPoint.USER32(?,?), ref: 0042332C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042333A
GetCurrentThreadId.KERNEL32 ref: 00423341
SendMessageA.USER32(00000000,00000084,?,?), ref: 0042335A
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423371
SetCursor.USER32(00000000), ref: 00423383

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 60706cbef7e7fd969e6117079794ea181f59045882c2055e97c618c29bc945ad
Instruction ID: 4e500bdd1cb7c406dcecfc45487f359b17b305850d12e3c552a5b3a09f906ed3
Opcode Fuzzy Hash: 60706cbef7e7fd969e6117079794ea181f59045882c2055e97c618c29bc945ad
Instruction Fuzzy Hash: EC01D4223043103AD620BB795C86E3F26A8CFC5B55F50417FB909BE283DA3D8D0163AD

Function 0048FAD8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 0048FAE8
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048FAF5
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0048FB02

Strings

MonitorFromRect, xrefs: 0048FAEF
user32.dll, xrefs: 0048FAE3
GetMonitorInfoA, xrefs: 0048FAFC

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 06817d94493c4b11f4ceaf649244f67311709392a4fb54af9b6a7fbece0388f4
Instruction ID: 57668858e8c0b0289ac4f884962ff5c073460ec000cf1e14312be6c8289e998d
Opcode Fuzzy Hash: 06817d94493c4b11f4ceaf649244f67311709392a4fb54af9b6a7fbece0388f4
Instruction Fuzzy Hash: 1BF0F652B41B1466D620357A8CA2E7FA1CDCB95770F140937BE04A7382E95DAC0E43BD

Function 0045BD64 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045BD6D
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045BD7D
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045BD8D

Strings

BZ2_bzDecompressInit, xrefs: 0045BD67
BZ2_bzDecompress, xrefs: 0045BD77
BZ2_bzDecompressEnd, xrefs: 0045BD87

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: e6e2d7970eb20b2f2d3a2813d8870e9f0062fcf45f3e9ec5bea086149b4b188d
Instruction ID: 56c68a15e36e3577f8296096390340765d2f33f8892a2948cb77f36bf455d425
Opcode Fuzzy Hash: e6e2d7970eb20b2f2d3a2813d8870e9f0062fcf45f3e9ec5bea086149b4b188d
Instruction Fuzzy Hash: 55F01DB2D18700DADB04DF32AC8176236A5E768316F14803BAA45562A2D77C084CCB5C

Function 0044C210 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044EABD), ref: 0044C21F
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C230
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C240

Strings

oleacc.dll, xrefs: 0044C21A
LresultFromObject, xrefs: 0044C22A
CreateStdAccessibleObject, xrefs: 0044C23A

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2238633743-1050967733
Opcode ID: 070ab4bd4afa3ae6b6d67b7cdbce7e38f91889c9ccd0faa5c964c3c5c3461b15
Instruction ID: 433fed67622e38403ad12c2b69c23a269c66bc576510ece0f105dc57e33200d4
Opcode Fuzzy Hash: 070ab4bd4afa3ae6b6d67b7cdbce7e38f91889c9ccd0faa5c964c3c5c3461b15
Instruction Fuzzy Hash: 76F0FEB0A427018AEB50ABF5DDC57123294F32070CF1951BBA001561A1C7FE5588CA2D

Function 0042E754 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 20libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0049036E,QueryCancelAutoPlay,0049324C), ref: 0042E76A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E770
InterlockedExchange.KERNEL32(00496660,00000001), ref: 0042E781
ChangeWindowMessageFilter.USER32(0000C1D7,00000001), ref: 0042E792

Strings

ChangeWindowMessageFilter, xrefs: 0042E760
user32.dll, xrefs: 0042E765

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressChangeExchangeFilterHandleInterlockedMessageModuleProcWindow
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 1365377179-2498399450
Opcode ID: fa00e12cc4cdf4861ecf6d36c6a3bf7660c016f9e535c548e0154396b519efb6
Instruction ID: 0b0503ffc39751afc322a6ee3a4e58809baba8ea613a81ff3af562a8b1a90306
Opcode Fuzzy Hash: fa00e12cc4cdf4861ecf6d36c6a3bf7660c016f9e535c548e0154396b519efb6
Instruction Fuzzy Hash: 7FE0ECA1741310EAEA207BA27D8AF5A39949764715F51403BF104651E2C6BD0C40C91C

Function 00474088 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00493242), ref: 0047408E
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047409B
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004740AB

Strings

VerSetConditionMask, xrefs: 00474095
VerifyVersionInfoW, xrefs: 004740A5
kernel32.dll, xrefs: 00474089

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: 5eed5f223692949adde618fed31680a65b1dac78b626770854a6ad78c0fe1b78
Instruction ID: 0d19a0d9c31f114b981f83037a23f21ddb5836e87f543a540fedd059151603c0
Opcode Fuzzy Hash: 5eed5f223692949adde618fed31680a65b1dac78b626770854a6ad78c0fe1b78
Instruction Fuzzy Hash: B0C0C9E1285780EDAA00A7B11CC29B72548C590B29720813B7148792D2D67C0808CF2C

Function 0041B5DC Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B6B5
73E9A570.USER32(?), ref: 0041B6C1
73E98830.GDI32(00000000,?,00000000,00000000,0041B78C,?,?), ref: 0041B6F6
73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041B78C,?,?), ref: 0041B702
73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B76A,?,00000000,0041B78C,?,?), ref: 0041B730
73E98830.GDI32(00000000,00000000,00000000,0041B771,?,?,00000000,00000000,0041B76A,?,00000000,0041B78C,?,?), ref: 0041B764

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: E98830$A570A6310E922Focus
String ID:
API String ID: 184897721-0
Opcode ID: 07ef95a0fb610648cfd8636f7bb4d0994a53704ba577931f4d82accc70482d19
Instruction ID: 06dd750ffd38faa4806619bbf82afcbb6c92213719a6bc319da55d16d67b79f4
Opcode Fuzzy Hash: 07ef95a0fb610648cfd8636f7bb4d0994a53704ba577931f4d82accc70482d19
Instruction Fuzzy Hash: 8E512C70A00609AFDF11DFA9C895AEEBBB8FF49704F104466F510A7390D7789981CBA9

Function 0041B8AC Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B987
73E9A570.USER32(?), ref: 0041B993
73E98830.GDI32(00000000,?,00000000,00000000,0041BA59,?,?), ref: 0041B9CD
73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041BA59,?,?), ref: 0041B9D9
73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BA37,?,00000000,0041BA59,?,?), ref: 0041B9FD
73E98830.GDI32(00000000,00000000,00000000,0041BA3E,?,?,00000000,00000000,0041BA37,?,00000000,0041BA59,?,?), ref: 0041BA31

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: E98830$A570A6310E922Focus
String ID:
API String ID: 184897721-0
Opcode ID: 6e3cb66e1f03a8473b81b7a24d1d9b736a83310d04235b0cfb06a94d2ee0ce24
Instruction ID: 49b1e422d63778e1935042bf56866254f806bc58ba08b8974fd4ee1451f7b7cb
Opcode Fuzzy Hash: 6e3cb66e1f03a8473b81b7a24d1d9b736a83310d04235b0cfb06a94d2ee0ce24
Instruction Fuzzy Hash: 4F512B74A006089FCB11DFA9C895AAEBBF9FF48700F118066F904EB750D7389D40CBA8

Function 0041B478 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B4EE
73E9A570.USER32(?,00000000,0041B5C8,?,?,?,?), ref: 0041B4FA
73EA4620.GDI32(?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8,?,?,?,?), ref: 0041B516
73ECE680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8,?,?,?,?), ref: 0041B533
73ECE680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8), ref: 0041B54A
73E9A480.USER32(?,?,0041B5A3,?,?), ref: 0041B596

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: E680$A4620A480A570Focus
String ID:
API String ID: 2226671993-0
Opcode ID: dffe9a4686f16107f5e26edd6f51779d739af283e940a3615cd9a04b614b528f
Instruction ID: a6e4b16520c9e4bc630ca31e265eea6a5194191570467489af8bdb357d288b52
Opcode Fuzzy Hash: dffe9a4686f16107f5e26edd6f51779d739af283e940a3615cd9a04b614b528f
Instruction Fuzzy Hash: 2D41C571A04254AFDF10DFA9C885AAFBBB5EF49704F1484AAE900E7351D2389D10CBA5

Function 0045B728 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045B7F4,?,?,?,?,00000000), ref: 0045B793
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045B860,?,00000000,0045B7F4,?,?,?,?,00000000), ref: 0045B7D2

Strings

MACHINE, xrefs: 0045B776
CLASSES_ROOT, xrefs: 0045B758
CURRENT_USER, xrefs: 0045B767
USERS, xrefs: 0045B785

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: c7af221143c3757ba6277ed71e4eb1831b258c6f2836e0d3f8732b0bdbf4d2ee
Instruction ID: e717c2d1a7dc230ecc2a2e6fa1343dbc2c1f959998bf22c76ea0b4b3804cf210
Opcode Fuzzy Hash: c7af221143c3757ba6277ed71e4eb1831b258c6f2836e0d3f8732b0bdbf4d2ee
Instruction Fuzzy Hash: 59117835204608AFDB11EAA2C941B6A76ADD788306F608077AD0456783D77C5F0A959D

Function 0041BCFC Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BD45
GetSystemMetrics.USER32(0000000C), ref: 0041BD4F
73E9A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD59
73EA4620.GDI32(00000000,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD80
73EA4620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD8D
73E9A480.USER32(00000000,00000000,0041BDD3,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDC6

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: A4620MetricsSystem$A480A570
String ID:
API String ID: 4120540252-0
Opcode ID: 1c903c0536bb10720712021bcda66a401c12054db1b22576e6386974878fa910
Instruction ID: 8181195c8b7ace5e518c23098daf85fccaa127339f370ed271397b7e8efdaee2
Opcode Fuzzy Hash: 1c903c0536bb10720712021bcda66a401c12054db1b22576e6386974878fa910
Instruction Fuzzy Hash: 1F212C74E046499FEB04EFA9C941BEEB7B4EB48714F10402AF514B7680D7785940CFA9

Function 00479270 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0047927E
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,00468BAA), ref: 004792A4
GetWindowLongA.USER32(?,000000EC), ref: 004792B4
SetWindowLongA.USER32(?,000000EC,00000000), ref: 004792D5
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 004792E9
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00479305

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: 037c1e32dd2642cc50d0277f9f736c0c320296323ac053b412311dd49e28eafc
Instruction ID: 4d45455b4d1dd4b2c508ae6452d3c78deeda3d3e7450a597efbdbc1d096824fd
Opcode Fuzzy Hash: 037c1e32dd2642cc50d0277f9f736c0c320296323ac053b412311dd49e28eafc
Instruction Fuzzy Hash: B9015EB5641310ABD700E768DD81F263B98AB1E330F0606AAB959DF3E7C639DC048B18

Function 0041B1E0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A650: CreateBrushIndirect.GDI32 ref: 0041A6BB

UnrealizeObject.GDI32(00000000), ref: 0041B1EC
SelectObject.GDI32(?,00000000), ref: 0041B1FE
SetBkColor.GDI32(?,00000000), ref: 0041B221
SetBkMode.GDI32(?,00000002), ref: 0041B22C
SetBkColor.GDI32(?,00000000), ref: 0041B247
SetBkMode.GDI32(?,00000001), ref: 0041B252

Part of subcall function 00419FC8: GetSysColor.USER32(?), ref: 00419FD2

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: af92fd76f0ea33d52ebd072e8e43ea1c00ff5cbe0803c9f3aa53dd55169beb2c
Instruction ID: 2be34f36c4bf399c8fa5e8a938e63ded300dcfd20fe04f8c9e05bbd916d2a40e
Opcode Fuzzy Hash: af92fd76f0ea33d52ebd072e8e43ea1c00ff5cbe0803c9f3aa53dd55169beb2c
Instruction Fuzzy Hash: 84F0BFB1511101ABCE00FFBAD9CAE4B27A89F443097048057B944DF19BC63CDC504B3E

Function 00472460 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 004724B6
73EA59E0.USER32(00000000,000000FC,00472414,00000000,00472646,?,00000000,0047266B), ref: 004724DD
GetACP.KERNEL32(00000000,00472646,?,00000000,0047266B), ref: 0047251A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00472560

Strings

COMBOBOX, xrefs: 004724AF

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ClassInfoMessageSend
String ID: COMBOBOX
API String ID: 1455646776-1136563877
Opcode ID: 2494eb77be1e0edaf4ac2089fb308deb96536dac66c833c5e7946f84bffa6ab9
Instruction ID: cb5c9aae2de1f6f31ba47a78a2c89e9f0e2bb96aecd870e4ce07d9e094be5fb6
Opcode Fuzzy Hash: 2494eb77be1e0edaf4ac2089fb308deb96536dac66c833c5e7946f84bffa6ab9
Instruction Fuzzy Hash: F4514F74A04205AFC710DF65DA85EDAB7F5EB49304F1581BBF808AB3A2C778AD41CB58

Function 004924B8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C

ShowWindow.USER32(?,00000005,00000000,0049271D,?,?,00000000), ref: 004924EE

Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3

Part of subcall function 00407210: SetCurrentDirectoryA.KERNEL32(00000000,?,00492516,00000000,004926E9,?,?,00000005,00000000,0049271D,?,?,00000000), ref: 0040721B

Part of subcall function 0042D328: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3B6,?,?,00000000,?,?,00492520,00000000,004926E9,?,?,00000005), ref: 0042D35D

Strings

Uninstall, xrefs: 004924D4
.dat, xrefs: 00492535
.msg, xrefs: 00492554
IMsg, xrefs: 004925C2

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: d8b767a4e34b569ce73df8f101cabac2d674949f6b0fce57bb6887b20208c213
Instruction ID: 355638249edcb87860175999b9826d121cd81d9e81ad854bfd2fce74e3c3dc59
Opcode Fuzzy Hash: d8b767a4e34b569ce73df8f101cabac2d674949f6b0fce57bb6887b20208c213
Instruction Fuzzy Hash: 08317534A10204AFCB01FFA5DD5299E7FB5EB49304F91847AF400A7752CB78AD01CB98

Function 0048D6E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 92registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegCloseKey.ADVAPI32(?,0048D7DE,?,?,00000001,00000000,00000000,0048D7F9), ref: 0048D7C7

Strings

PI, xrefs: 0048D729
%s\%s_is1, xrefs: 0048D758
Inno Setup CodeFile: , xrefs: 0048D78A
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0048D73A

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseOpen
String ID: PI$%s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-2023862778
Opcode ID: 631d1d32ed976d7a2296184d5c0d2f3cf8c369661ad41bfb37e5f76fcf4f9ba7
Instruction ID: 2fcff84c3ae67162e3ffacf77063da78f15bdb16a6a8b48b49f63a94f6242022
Opcode Fuzzy Hash: 631d1d32ed976d7a2296184d5c0d2f3cf8c369661ad41bfb37e5f76fcf4f9ba7
Instruction Fuzzy Hash: 96314174E042089FDB11EFAADC51A9EBBF8EB48704F90487BE414E7391D7789A058B58

Function 0042E7D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E802
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E808
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E831

Strings

ShutdownBlockReasonCreate, xrefs: 0042E7F8
user32.dll, xrefs: 0042E7FD

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: a8508c04b9d2f5bfbb96bb821981feec28a03bb8c83af4d38bd3e4f3c08e389f
Instruction ID: ad48e71c188330483611c0ccbf5126987ea3f08380f38d7ba2466a98a55f956a
Opcode Fuzzy Hash: a8508c04b9d2f5bfbb96bb821981feec28a03bb8c83af4d38bd3e4f3c08e389f
Instruction Fuzzy Hash: 35F0C2D138066176E620B2BBAC82F6B158C8F94765F540036F148EB2C2EA6CC905426E

Function 00456268 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00456298
GetExitCodeProcess.KERNEL32(?,00492E02), ref: 004562B9
CloseHandle.KERNEL32(?,004562EC,?,?,00456B07,00000000,00000000), ref: 004562DF

Strings

GetExitCodeProcess, xrefs: 004562C2
MsgWaitForMultipleObjects, xrefs: 004562A5

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: b905d95b21eb16817882d878bed5eaf33046abd5eff07b3401a45a878f64f984
Instruction ID: 30010b37e156efe240ce284c3751ee9f3f87d85e2b6a261707359958cd490efa
Opcode Fuzzy Hash: b905d95b21eb16817882d878bed5eaf33046abd5eff07b3401a45a878f64f984
Instruction Fuzzy Hash: 9801A234604204AFDB10FBA98D12A2A77E8EB49710F9104B7F910E73D3DA7D9D08861C

Function 004732C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 004732D0
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004733C7,0pI,00000000), ref: 004732E3
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004732E9

Strings

AllowSetForegroundWindow, xrefs: 004732D9
user32.dll, xrefs: 004732DE

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: d3186cc3dc794e7465d39709d056f6715875b1f20938bb44e2ef386321cd694c
Instruction ID: 249699eff17dbda02fe1af5a7c4854b1352fabbd495b9b7335dc6b3b1f0a0c65
Opcode Fuzzy Hash: d3186cc3dc794e7465d39709d056f6715875b1f20938bb44e2ef386321cd694c
Instruction Fuzzy Hash: DBD05E9020070275D9107AF54D47D5B224C8984712710857B3414F6183CD3CDA006A6D

Function 00416B9C Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00416BC2
SaveDC.GDI32(?), ref: 00416BF3
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416CB5), ref: 00416C54
RestoreDC.GDI32(?,?), ref: 00416C7B
EndPaint.USER32(00000000,?,00416CBC,00000000,00416CB5), ref: 00416CAF

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: c06abe95da4831753d63b9634986ca39a884699dacb8f14d7531f4240f3d7fe3
Instruction ID: 41fb8ea60d97978a9acdf236596d3a8a0d8a1996066437b2b943a95edf1585a8
Opcode Fuzzy Hash: c06abe95da4831753d63b9634986ca39a884699dacb8f14d7531f4240f3d7fe3
Instruction Fuzzy Hash: BF414E70A042049FDB14DB99C989FAA77F9EB48304F1580AEE4459B362D778DD40CB58

Function 00414770 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 004147A6
MulDiv.KERNEL32(?,?,?), ref: 004147C0
MulDiv.KERNEL32(?,?,?), ref: 004147E9
MulDiv.KERNEL32(?,?,?), ref: 00414814
MulDiv.KERNEL32(00000000,?,00000000), ref: 0041485C

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d6a748b1b1338860e82f27f8761871ff193d734180217a0f8d82b491afa6e7
Instruction ID: 41a7722d09b35ce9ade17cd18fdec9692d257bae8bd1aa266952c484067d5cda
Opcode Fuzzy Hash: 50d6a748b1b1338860e82f27f8761871ff193d734180217a0f8d82b491afa6e7
Instruction Fuzzy Hash: D3311F746047409FC320EB69C584BABB7E8AF89714F04991EF9E5C7791D738EC818B19

Function 0042973C Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429778
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297A7
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 004297C3
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 004297EE
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042980C

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fe9210cf49636514123fe8028928f87ce2f158866a525e02be5b173165c2f537
Instruction ID: 5c059f72bad19c8464015bcf3ba3f3fa2ba546ca9f5ab3c2e37583cf1b766786
Opcode Fuzzy Hash: fe9210cf49636514123fe8028928f87ce2f158866a525e02be5b173165c2f537
Instruction Fuzzy Hash: 2E217F70710714BAE710ABA6DC82F5B77ACEB46708F90443EB501BB3D2DB78AD41865C

Function 0041BB28 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BB3A
GetSystemMetrics.USER32(0000000C), ref: 0041BB44
73E9A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BB82
73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BCED,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBC9
DeleteObject.GDI32(00000000), ref: 0041BC0A

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: MetricsSystem$A570A6310DeleteObject
String ID:
API String ID: 3435189566-0
Opcode ID: cb0e2adf6529593e89f90c831e9305c3e05f521d232314fc64d16b3fc11dbc77
Instruction ID: e64c8cfb77975bfe1c5019289902123c5e37d94f13133d85ba8c481b6df62587
Opcode Fuzzy Hash: cb0e2adf6529593e89f90c831e9305c3e05f521d232314fc64d16b3fc11dbc77
Instruction Fuzzy Hash: 91316F74E00609EFDB00DFA5C941AAEB7F4EB48700F10846AF510AB781D7389E80DB98

Function 0046F304 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045B728: SetLastError.KERNEL32(00000057,00000000,0045B7F4,?,?,?,?,00000000), ref: 0045B793

GetLastError.KERNEL32(00000000,00000000,00000000,0046F3D8,?,?,00000001,00497154), ref: 0046F391
GetLastError.KERNEL32(00000000,00000000,00000000,0046F3D8,?,?,00000001,00497154), ref: 0046F3A7

Strings

Setting permissions on registry key: %s\%s, xrefs: 0046F356
Could not set permissions on the registry key because it currently does not exist., xrefs: 0046F39B
Failed to set permissions on registry key (%d)., xrefs: 0046F3B8

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: 788c315b7af78b705df02674c92daeb7f44be0388b74eefc3bf89a14f2c9356d
Instruction ID: ef7c6c74ecef8c5dcb146dfdc27ea61306564732d519a6a89d10c305d013d1cf
Opcode Fuzzy Hash: 788c315b7af78b705df02674c92daeb7f44be0388b74eefc3bf89a14f2c9356d
Instruction Fuzzy Hash: B421AA70A046445FCB00DBA9D8816AEBBE8EF49314F50417FE844E7392E7785D49876A

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: bbd83879051bbb61c82a419d540aea94b1d83442c47b8cdfd9cb13069dd9a881
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: bbd83879051bbb61c82a419d540aea94b1d83442c47b8cdfd9cb13069dd9a881
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 00414350 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

73E98830.GDI32(00000000,00000000,00000000), ref: 00414389
73E922A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414391
73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143A5
73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143AB
73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143B6

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: E922E98830$A480
String ID:
API String ID: 3692852386-0
Opcode ID: 194e3fff164acdd9274630c615ac113e6c237e1a8584744cad8ee02aea33715e
Instruction ID: 94861c3129a932f854b236b0087f7367a4de39103189020794ca85cb03cdcc47
Opcode Fuzzy Hash: 194e3fff164acdd9274630c615ac113e6c237e1a8584744cad8ee02aea33715e
Instruction Fuzzy Hash: 6F01DF7121C3806AD200B63E8C85A9F6BED8FCA314F15556EF498DB382CA7ACC018765

Function 004755B4 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,00476DAD,?,00000000,00000000,00000001,00000000,00475851,?,00000000), ref: 00475815

Strings

Failed to parse "reg" constant, xrefs: 0047581C
Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00475689
pUG, xrefs: 004756AE

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant$pUG
API String ID: 3535843008-1176165611
Opcode ID: 3642018d57e9592f06bab58574b61b62b6ca112a26629dc16a5ab29dcfff1776
Instruction ID: a53c2b258f7a770121dbc7a1e713ee2373e0806090ae57177e88baa161e34d04
Opcode Fuzzy Hash: 3642018d57e9592f06bab58574b61b62b6ca112a26629dc16a5ab29dcfff1776
Instruction Fuzzy Hash: 93816274E00548AFCB10EF95D481ADEBBF9AF48314F50C16AE418BB391D778AE05CB99

Function 00424C50 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 0041EFE4: GetActiveWindow.USER32 ref: 0041EFE7
Part of subcall function 0041EFE4: GetCurrentThreadId.KERNEL32 ref: 0041EFFC
Part of subcall function 0041EFE4: 73EA5940.USER32(00000000,Function_0001EFC0), ref: 0041F002

Part of subcall function 00423118: GetSystemMetrics.USER32(00000000), ref: 0042311A

OffsetRect.USER32(?,?,?), ref: 00424D39
DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424DFC
OffsetRect.USER32(?,?,?), ref: 00424E0D

Part of subcall function 004234D4: GetCurrentThreadId.KERNEL32 ref: 004234E9
Part of subcall function 004234D4: SetWindowsHookExA.USER32(00000003,00423490,00000000,00000000), ref: 004234F9
Part of subcall function 004234D4: CreateThread.KERNEL32(00000000,000003E8,00423440,00000000,00000000), ref: 0042351D

Part of subcall function 00424A9C: SetTimer.USER32(00000000,00000001,?,00423424), ref: 00424AB7

Strings

KB, xrefs: 00424C63, 00424D41

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Thread$CurrentOffsetRect$A5940ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
String ID: KB
API String ID: 1334498448-1869488878
Opcode ID: fd017592340e6a7deae3be5c789b7c506f4553282bb9063ebaa9b04636988139
Instruction ID: 8a1ca8d85bab54549b4d9d093631307a73357c8a1ef7de59c5480922928757da
Opcode Fuzzy Hash: fd017592340e6a7deae3be5c789b7c506f4553282bb9063ebaa9b04636988139
Instruction Fuzzy Hash: D6811771A002189FDB14DFA8D884ADEBBB5FF48314F5045AAE904AB296DB38AD45CF44

Function 00406F0C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406F6B
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00406FE5
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 0040703D

Strings

Z, xrefs: 00406FA4

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 92ba5960390d49c3d5abeb35786e3f2b2430fe15f73cbae2fbe59e8f9896e220
Instruction ID: f15ffb13b1197877662b480f320dceb00dd84bb003a9336f5ebe52512d9587e7
Opcode Fuzzy Hash: 92ba5960390d49c3d5abeb35786e3f2b2430fe15f73cbae2fbe59e8f9896e220
Instruction Fuzzy Hash: B2515170E042099FDB11EF55C941A9EBBB9FB09304F5041BAE540BB3D1C778AE418F5A

Function 0044C9F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044CA82
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044CAAD
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044CB35

Strings

, xrefs: 0044CA67

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: dec825a9aee2c6b09e518825b83954473c9bd52475d7aaf62d715cc4f9536ee8
Instruction ID: f2b81961a5c9452665bafda12c1e8f4b26a8e6b06f7f6a997a3587ccb4a7b75e
Opcode Fuzzy Hash: dec825a9aee2c6b09e518825b83954473c9bd52475d7aaf62d715cc4f9536ee8
Instruction Fuzzy Hash: 6B516171900248AFDB50DFA5C8C5BDEBBF9EF49308F08447AE845EB251D778A944CB64

Function 0042E9CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,00000000,0042EB20,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E9F6

Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217

SelectObject.GDI32(?,00000000), ref: 0042EA19
73E9A480.USER32(00000000,?,0042EB05,00000000,0042EAFE,?,00000000,00000000,0042EB20,?,?,?,?,00000000,00000000,00000000), ref: 0042EAF8

Strings

...\, xrefs: 0042EAAA

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: A480A570CreateFontIndirectObjectSelect
String ID: ...\
API String ID: 2998766281-983595016
Opcode ID: b314a03392ad466b231ea2b72e8a3a9b21c4fc795225b8958865863d61eb2cce
Instruction ID: f87e9a1f05be7c7dd371759d08ccf2a788e9820b1ab6f676742360811e2f955b
Opcode Fuzzy Hash: b314a03392ad466b231ea2b72e8a3a9b21c4fc795225b8958865863d61eb2cce
Instruction Fuzzy Hash: 66315270B00128ABDF11EB9AD841BAEBBB8FF48304F91447BF410A7291D7789E45CA59

Function 004524C4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004915B5,_iu,?,00000000,004525FE), ref: 004525B3
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004915B5,_iu,?,00000000,004525FE), ref: 004525C3

Strings

_iu, xrefs: 00452555
.tmp, xrefs: 00452567

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: 0390d67cb0cdb1cdfe7b265348a3f126b325b0e84e7214b7738f97ac8063fbc8
Instruction ID: e65077276ccf3fce125a3b1cef4711b6e1a57cb68d75bf9d1e013844d831b580
Opcode Fuzzy Hash: 0390d67cb0cdb1cdfe7b265348a3f126b325b0e84e7214b7738f97ac8063fbc8
Instruction Fuzzy Hash: CF31B870A40209ABCB11EBA5C942B9EBBB5AF45309F60447BF804B73C2E7785F05876D

Function 00416380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 004163EF
UnregisterClassA.USER32(?,00400000), ref: 0041641B
RegisterClassA.USER32(?), ref: 0041643E

Strings

@, xrefs: 00416399

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 5cbec8acbea9e71dae0b2083da7465dc5d1b6b33c382e5651f178c5e9f182fd1
Instruction ID: e8561198b81c08f142b3a544c89b4739d35f798691a26b07e42a1fbbf62ba06a
Opcode Fuzzy Hash: 5cbec8acbea9e71dae0b2083da7465dc5d1b6b33c382e5651f178c5e9f182fd1
Instruction Fuzzy Hash: 94316E706042058BD760EF68C981B9B77E5AB88308F04447FF985DB392DB39D9448B6E

Function 004928CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00493199,00000000,004929C2,?,?,00000000,00496628), ref: 0049293C
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00493199,00000000,004929C2,?,?,00000000,00496628), ref: 00492965
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0049297E

Strings

isRS-%.3u.tmp, xrefs: 0049291B

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: ca7de64efd1a81cfe0b197b1df468b3a71946ac3222c8e5426d60e2b27b10d4a
Instruction ID: f317836663e3456f6962b38be5478bf9a68de7f196930fcf54a7ed662431e31d
Opcode Fuzzy Hash: ca7de64efd1a81cfe0b197b1df468b3a71946ac3222c8e5426d60e2b27b10d4a
Instruction Fuzzy Hash: 682175B1E00219BFCF01EFA9C981AAFBBB8EF44314F10453BB814B72D1D6785E018A59

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Error, xrefs: 00404DB9
Runtime error at 00000000, xrefs: 00404DBE, 00404DD1

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 8c8c0f2434a4a7f5450b7d1f87c82a5e4d49965682bc3ad0c70a84493f0d02f9
Instruction ID: 7ca15834b35bf0f9f7e67f0c6f6a322a9a8b6c98d325c36795369cb21074e1e4
Opcode Fuzzy Hash: 8c8c0f2434a4a7f5450b7d1f87c82a5e4d49965682bc3ad0c70a84493f0d02f9
Instruction Fuzzy Hash: 9221B360A442418ADB11E7B9ECC1B163F919BE5348F06817BE700B73E6C67C884587AE

Function 00455014 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00455068
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00455095

Strings

LoadTypeLib, xrefs: 00455073
RegisterTypeLib, xrefs: 004550A0

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: 10250a5388d3ee4e550ba31a3fe5ac1922547201747451197e41336d70963160
Instruction ID: a0afcb3eee2e7d482a942a29ca59f5276f9681079562e2f4f26ed5ddc6a25d5d
Opcode Fuzzy Hash: 10250a5388d3ee4e550ba31a3fe5ac1922547201747451197e41336d70963160
Instruction Fuzzy Hash: B3119A30B00A04BFDB11DFA6DD61A5EBBBDDB49B05B108476FD00D3692DA399D04C654

Function 004912C2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004912FB

Strings

/INITPROCWND=$%x , xrefs: 00491326
@, xrefs: 004912C8
(PI, xrefs: 00491348

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window
String ID: (PI$/INITPROCWND=$%x $@
API String ID: 2353593579-723503215
Opcode ID: 86e6223bfffcafd1a2f65b692b323bd489f5f98954c4b0d8703fa7141f283f5b
Instruction ID: 1f11efd2ee19ddf28ed764c7ee5ed9f3dfbff071989b61bae05a2d8f1a94ab96
Opcode Fuzzy Hash: 86e6223bfffcafd1a2f65b692b323bd489f5f98954c4b0d8703fa7141f283f5b
Instruction Fuzzy Hash: 4611C071A082099FDB01EBA5D841BAEBFB8EB48304F50447BE804E7692D6789904CB58

Function 00473B54 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C

GetFocus.USER32 ref: 00473BBF
GetKeyState.USER32(0000007A), ref: 00473BD1
WaitMessage.USER32(?,00000000,00473BF8,?,00000000,00473C1F,?,?,00000001,00000000,?,?,?,?,0047AFF7,00000000), ref: 00473BDB

Strings

Wnd=$%x, xrefs: 00473BA3

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: 148b3ddb7fb618247b6546acefc5128578639e1ec72ed586d201cbdf9417bc3e
Instruction ID: 9b2db89c6fe012053fe9ee9db841d35393315fe18e075f30de14d411f09ec015
Opcode Fuzzy Hash: 148b3ddb7fb618247b6546acefc5128578639e1ec72ed586d201cbdf9417bc3e
Instruction Fuzzy Hash: A111A371604205AFC701FF65CC42ADEBBB8EB49704B51C4BAF408E7681D738AF00AA69

Function 004553F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045540D
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045549F

Strings

4II, xrefs: 00455454
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00455439

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: MessageSend
String ID: 4II$Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)
API String ID: 3850602802-2462613993
Opcode ID: 21981b69b3b60292a9e34021e10eefbd607064df05416549cbbf09db8aab2aab
Instruction ID: b78d32421564deef5ec6d5e0726a4814eb3dcf40a391e8832c227d70dedd3d0b
Opcode Fuzzy Hash: 21981b69b3b60292a9e34021e10eefbd607064df05416549cbbf09db8aab2aab
Instruction Fuzzy Hash: 7411E5B1204240AFD700AB29AC81B6F7A9C9791309F05403FF9859F393D3794804C76A

Function 0046A538 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 0046A540
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046A54F

Strings

%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046A5C4
(invalid), xrefs: 0046A5D2

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: 77c66de3cf485688cd8a454c74e7d13fa64a864e7151765c05c799678a767d6c
Instruction ID: 3d329a02b99cf0ad1c2443f5a734abd9e2d9e95f88f8d85801cc299a54af140a
Opcode Fuzzy Hash: 77c66de3cf485688cd8a454c74e7d13fa64a864e7151765c05c799678a767d6c
Instruction Fuzzy Hash: 6111F8A040C3919ED340DF2AC44432BBAE4AB89704F04892FF9D8D6381E779C948DBB7

Function 00452A5A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00452A67

Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00496628,00492DAD,00000000,00492E02,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3

MoveFileA.KERNEL32(00000000,00000000), ref: 00452A8C

Part of subcall function 004520A4: GetLastError.KERNEL32(00000000,00452B15,00000005,00000000,00452B4A,?,?,00000000,00496628,00000004,00000000,00000000,00000000,?,00492A61,00000000), ref: 004520A7

Strings

MoveFile, xrefs: 00452A95
DeleteFile, xrefs: 00452A78

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: cba485c4373cb9b3476474b8e686bddda4e38f58d72cb5e4c066a25f76e66c5c
Instruction ID: f8b9d45963fbba9a2c353dd22a61e6c6557ef6b5226e77028bb226458c331aba
Opcode Fuzzy Hash: cba485c4373cb9b3476474b8e686bddda4e38f58d72cb5e4c066a25f76e66c5c
Instruction Fuzzy Hash: 32F036757141055BE704FFA6DA5266F63ECEF4530AFA0443BB800B76C3EA7C9E094929

Function 0047E330 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047E371
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047E394

Strings

CSDVersion, xrefs: 0047E368
System\CurrentControlSet\Control\Windows, xrefs: 0047E33E

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 0901654d9ab6cc44d6c913291a9ded88af89d372fc2709b86358ce193460f02c
Instruction ID: 8efd12000c89c59f245f9e1a1bb94511b09fbcc5fab7c17f0dd19fd863842872
Opcode Fuzzy Hash: 0901654d9ab6cc44d6c913291a9ded88af89d372fc2709b86358ce193460f02c
Instruction Fuzzy Hash: EFF03675A40209E6DF10D6E28C45BDF77BCAB08708F1086A7EE14E7280E7789A44CB59

Function 00457B28 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00457C5A,00000000,00457DA7,?,00000000,00000000,00000000), ref: 00457B75

Strings

InstallRoot, xrefs: 00457B64
SOFTWARE\Microsoft\.NETFramework, xrefs: 00457B48
.NET Framework not found, xrefs: 00457B84

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 23cb1f2033dc3865c53e7f2342fb28a5b001a15c0a0e235066296095a06ac94b
Instruction ID: d0e0819fb55c8f1190b2a98828cf62c2b63c39478ea79f7c0b5f5cfc857af762
Opcode Fuzzy Hash: 23cb1f2033dc3865c53e7f2342fb28a5b001a15c0a0e235066296095a06ac94b
Instruction Fuzzy Hash: 0DF0AF317041205BC710EB1AF851B4A6689DB9131AF54403BF980D7256D77DEC0A875A

Function 0042D7CC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00452762,00000000,00452805,?,?,00000000,00000000,00000000,00000000,00000000,?,00452AD1,00000000), ref: 0042D7E6
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D7EC

Strings

kernel32.dll, xrefs: 0042D7E1
GetSystemWow64DirectoryA, xrefs: 0042D7DC

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 159a61d3abceb67132d836cbc908e23cdc840a77e135d0af2cc19f2b4bcaaff8
Instruction ID: 4db8f333c9a0d948aa4d288d669557f69a64c6eaa67e0ad6c3f7b03414b73d9c
Opcode Fuzzy Hash: 159a61d3abceb67132d836cbc908e23cdc840a77e135d0af2cc19f2b4bcaaff8
Instruction Fuzzy Hash: 23E04F61B44B1112D7107ABA9C83A5B10898B88724FA0843B79A5E72C7EDBCD94A1A7D

Function 0042E87C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E7F8), ref: 0042E88A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E890

Strings

user32.dll, xrefs: 0042E885
ShutdownBlockReasonDestroy, xrefs: 0042E880

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 45ddc528c20c35e0718a7e9c00f94a1c84d7b78ddc924b0a461653c56359e4f8
Instruction ID: 93babc8de609d28a759936f35cc35ab5444e0eee9e0897fa3c7a0f5d424eaefa
Opcode Fuzzy Hash: 45ddc528c20c35e0718a7e9c00f94a1c84d7b78ddc924b0a461653c56359e4f8
Instruction Fuzzy Hash: 5FD0C992352B726A6A1075FB3CD19EB02CCCE517B53A40077F684E7342EAADCC0535AD

Function 0044F178 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00493215), ref: 0044F1B3
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F1B9

Strings

user32.dll, xrefs: 0044F1AE
NotifyWinEvent, xrefs: 0044F1A9

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: 1b77f3625f350db58ab3348097a305bf1d639b9e1269e079a5da3a737ffde695
Instruction ID: 84f0676aae26238d79669219dc5dd421ce8b9c86ef8cbad31698c6a02a110ee9
Opcode Fuzzy Hash: 1b77f3625f350db58ab3348097a305bf1d639b9e1269e079a5da3a737ffde695
Instruction Fuzzy Hash: 25E012E0A01740DDEB10FBB5D942B0B3EA0EB5475DB01017BB4006619AC77C4C088B1D

Function 00492FE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00493266,00000001,00000000,0049328A), ref: 00492FEA
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00492FF0

Strings

user32.dll, xrefs: 00492FE5
DisableProcessWindowsGhosting, xrefs: 00492FE0

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 7dd0ed140dce1b1c3cfbac4273f952859e09270a56939a23c95a62daeb5fa57b
Instruction ID: 931628e3c560cbc195009d45a592bfebd759f3ec05311ed7f501d7576358ba43
Opcode Fuzzy Hash: 7dd0ed140dce1b1c3cfbac4273f952859e09270a56939a23c95a62daeb5fa57b
Instruction Fuzzy Hash: A1B09281281701A08C1076F20E42E5B0C18584072571400373400B10CBCEACCA00382D

Function 00460EAC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B08C: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F1A9,00493215), ref: 0044B0B3
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B0CB
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B0DD
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B0EF
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B101
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B113
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B125
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B137
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B149
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B15B
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B16D
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B17F
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B191
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B1A3
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B1B5
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B1C7
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B1D9
Part of subcall function 0044B08C: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B1EB

LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00493238), ref: 00460EBB
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00460EC1

Strings

shell32.dll, xrefs: 00460EB6
SHPathPrepareForWriteA, xrefs: 00460EB1

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2238633743-2683653824
Opcode ID: 93fe2c06cf711e01664fd138f27f9ab14834f9042b92f4705049898ce8c901dd
Instruction ID: c6d074b57e85807914eec84ee8616fe1a8135e5451870e443c9658575dc96a53
Opcode Fuzzy Hash: 93fe2c06cf711e01664fd138f27f9ab14834f9042b92f4705049898ce8c901dd
Instruction Fuzzy Hash: 4EB092D0A51B11E48E10B7B39C4390B1814C544B0E710493BB0607A083EB7E40044E6E

Function 00413C68 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00413CB6
GetDesktopWindow.USER32 ref: 00413D6E

Part of subcall function 00418E30: 6FA2C6F0.COMCTL32(?,00000000,00413F33,00000000,00414043,?,?,00496628), ref: 00418E4C
Part of subcall function 00418E30: ShowCursor.USER32(00000001,?,00000000,00413F33,00000000,00414043,?,?,00496628), ref: 00418E69

SetCursor.USER32(00000000,?,?,?,?,00413A63,00000000,00413A76), ref: 00413DAC

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: 86f28fd5b8e67e4ed68fb8d3243ff4e40f6b005c19925ef4854e6769390e0e23
Instruction ID: 370eb430aafb64f03e0c00a45e78fc31171da0b863367db60babd08861f95fe9
Opcode Fuzzy Hash: 86f28fd5b8e67e4ed68fb8d3243ff4e40f6b005c19925ef4854e6769390e0e23
Instruction Fuzzy Hash: 5C412A75600150AFCB10EF29F988B9677E1AB65325B17847FE404DB369DA38EC81CF58

Function 004089BC Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 004089DD
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408A4C
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408AE7
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408B26

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: 3ad30de8adde06992adcb1243033629fda3c93d42ee346dc6366a67b7f75c718
Instruction ID: d4d784650a0269eb12294142f4e6c1e51b8c8d651a7e98bb559ca79e8df8d1d5
Opcode Fuzzy Hash: 3ad30de8adde06992adcb1243033629fda3c93d42ee346dc6366a67b7f75c718
Instruction Fuzzy Hash: 8F3141706083809FD730EB65C945B9B77E89B86304F40483FB6C8EB2D1DB7999098B67

Function 0044E2F8 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E341

Part of subcall function 0044C984: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C9B6

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E3C5

Part of subcall function 0042BB24: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BB38

IsRectEmpty.USER32(?), ref: 0044E387
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E3AA

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: 3f1c9d4db00e826481b178ab64ea00970205f687122e4d4c1c485c0144d2d05a
Instruction ID: f1327bf96be57b41a4daac13efecf4e5f8c8315b345326dd3a19bc45d13401f9
Opcode Fuzzy Hash: 3f1c9d4db00e826481b178ab64ea00970205f687122e4d4c1c485c0144d2d05a
Instruction Fuzzy Hash: 55115E72B0030027E210BA7E8C86B6B76C99B89748F04083FB646EB383DE7DDC054399

Function 004900D0 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 00490134
OffsetRect.USER32(?,00000000,?), ref: 0049014F
OffsetRect.USER32(?,?,00000000), ref: 00490169
OffsetRect.USER32(?,00000000,?), ref: 00490184

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: d3f66989ff800960b4c0a82a6ffd76303d58a919d7c08028faeb7088e89b5ea7
Instruction ID: 0e3da5e30cc057e3d74a4c16cf1607cb24db427b0c3e95cd5a18fc3dad4c20bc
Opcode Fuzzy Hash: d3f66989ff800960b4c0a82a6ffd76303d58a919d7c08028faeb7088e89b5ea7
Instruction Fuzzy Hash: 52217CB6700201AFD700DE69CC85E6BB7EEEBC4300F14CA2AF694C7249D635ED448796

Function 00417188 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004171D0
SetCursor.USER32(00000000), ref: 00417213
GetLastActivePopup.USER32(?), ref: 0041723D
GetForegroundWindow.USER32(?), ref: 00417244

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: 5c878ef1f1aeb2db91bf3432714928a7f2f2769f3bd036598b9914e69cbbf5aa
Instruction ID: 86e626badbabc243afb65fecb2564bdd41232683b3d9035b7095670fd5686afe
Opcode Fuzzy Hash: 5c878ef1f1aeb2db91bf3432714928a7f2f2769f3bd036598b9914e69cbbf5aa
Instruction Fuzzy Hash: BA2183313086018ACB20AB69D889AD737F1AF45714F0645ABF8589B392D73DDC86CB59

Function 0048FD88 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(8B500000,00000008,?), ref: 0048FD9D
MulDiv.KERNEL32(50142444,00000008,?), ref: 0048FDB1
MulDiv.KERNEL32(F757C3E8,00000008,?), ref: 0048FDC5
MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 0048FDE3

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6335ae3c13ddf35d91c6dca3ece5bfa36ba83b479f3d3f49975b0228b2d303f4
Instruction ID: 0205f8053e5b888f5c8b1498a92a9aed559835e4432beced00229de2e9d93edf
Opcode Fuzzy Hash: 6335ae3c13ddf35d91c6dca3ece5bfa36ba83b479f3d3f49975b0228b2d303f4
Instruction Fuzzy Hash: 49112172604204ABCB40EEA9C8C4D9B77ECEF4D320B14416AF918DB246D634ED40CBA4

Function 0041F3F0 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F3E0,?), ref: 0041F411
UnregisterClassA.USER32(0041F3E0,00400000), ref: 0041F43A
RegisterClassA.USER32(00494598), ref: 0041F444
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F47F

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: d848210eac8fa203de2a57be4a09b5e70b2efef1fc89853c1c9f6bba622f69a5
Instruction ID: 124ae18f6ccee6cd3f50944003dafe19b4a4e3b77e192b7b2acb4d1f887b2837
Opcode Fuzzy Hash: d848210eac8fa203de2a57be4a09b5e70b2efef1fc89853c1c9f6bba622f69a5
Instruction Fuzzy Hash: 390152712401047BCB10EBE8ED81E9B379CA769314B12413BBA05E72E1D6359C164BAD

Function 0040D170 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D187
LoadResource.KERNEL32(00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?,?,00477B64,0000000A,REGDLL_EXE), ref: 0040D1A1
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?,?,00477B64), ref: 0040D1BB
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?), ref: 0040D1C5

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: b3c15c4636e7b2139434bed422b55b0694fd43cf85b07dfc26612a38abd02691
Instruction ID: a2e4909c1946fcd89949086e6ecb513f2c22862e5b7fa6f76d970aa484769738
Opcode Fuzzy Hash: b3c15c4636e7b2139434bed422b55b0694fd43cf85b07dfc26612a38abd02691
Instruction Fuzzy Hash: BEF0FF726056046F9754EE9DA881D5B76ECDE48264320416AF908EB246DE38DD118B78

Function 00401548 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,00496450,?,?,?,004018B4), ref: 00401566
VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,00496450,?,?,?,004018B4), ref: 0040158B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,00496450,?,?,?,004018B4), ref: 004015B1

Strings

1[, xrefs: 00401599

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID: 1[
API String ID: 3668210933-3738508114
Opcode ID: d2517b2848a3e48debd733cbcc194f1d7450fe1c69e1d9f9fa61647bd21528fe
Instruction ID: 5797ca947971a1fa5f0c07c4efe461a423a426aef50e25704ee96cdc5a06cd6d
Opcode Fuzzy Hash: d2517b2848a3e48debd733cbcc194f1d7450fe1c69e1d9f9fa61647bd21528fe
Instruction Fuzzy Hash: C5F0C8716403206AEB315A694C85F133AD4DBC5794F104075BE09FF3D9D6B8980082AC

Function 0046C4BC Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 0046C50D

Strings

Failed to set NTFS compression state (%d)., xrefs: 0046C51E
Unsetting NTFS compression on file: %s, xrefs: 0046C4F3
Setting NTFS compression on file: %s, xrefs: 0046C4DB

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 86807cbfd2226bd454e4e46b74c8b92495b6acb580f029ac175535f9750d921d
Instruction ID: 8a11723362a507f0333bc9965096a3e3adfce4be1f63418e8be67e25eb968b75
Opcode Fuzzy Hash: 86807cbfd2226bd454e4e46b74c8b92495b6acb580f029ac175535f9750d921d
Instruction Fuzzy Hash: E1016770E0825866CB04D7ED54812FDBBE49F4D314F84C1EFA499E7243EB791508879B

Function 00454788 Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,OG,?,00000001,?,?,0047E34F,?,00000001,00000000), ref: 0042DC70

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,00459E8A,?,?,?,?,?,00000000,00459EB1), ref: 004547C4
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,00459E8A,?,?,?,?,?,00000000), ref: 004547CD
RemoveFontResourceA.GDI32(00000000), ref: 004547DA
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004547EE

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 46c8cad0b261e60d48b1d3e67bfe7d27a1d7efb6af96d1f02519370c88f59435
Instruction ID: 4674671b110c5257b68e85d971ffdb8cda5f86f627ed5b1345ff1e290f3286d1
Opcode Fuzzy Hash: 46c8cad0b261e60d48b1d3e67bfe7d27a1d7efb6af96d1f02519370c88f59435
Instruction Fuzzy Hash: A8F05EB575430136EA10B6B69C87F1B228C9F98749F10483BBA00EF2C3DA7CD805962D

Function 0046BBCC Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 0046BC1D

Strings

Unsetting NTFS compression on directory: %s, xrefs: 0046BC03
Failed to set NTFS compression state (%d)., xrefs: 0046BC2E
Setting NTFS compression on directory: %s, xrefs: 0046BBEB

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 9042e0bba0a45541bb3a6888451997e20af0478713a1f8326d793a8a88ac9600
Instruction ID: 69529bc4e5d6d07a91d00c664886aea47b6ace433f8fc03d3f3948ef3290ac7a
Opcode Fuzzy Hash: 9042e0bba0a45541bb3a6888451997e20af0478713a1f8326d793a8a88ac9600
Instruction Fuzzy Hash: 7B016730D0424866CB04D7AD54416DDBBE4DF4D304F44C1EFA858E7247EB79064887DB

Function 00477DA0 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00477DC1
GetLastError.KERNEL32 ref: 00477DCB
GetTickCount.KERNEL32 ref: 00477DD5
Sleep.KERNEL32(00000032), ref: 00477DE5

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: a2b42f5d817999fa87d8c8debf1c72a2dd1cd4bafa442c689adcebc18bd8fdf0
Instruction ID: 455298f4415a448e3fa874f92f6781e0756abc36bce73f1148afe723a625cd3c
Opcode Fuzzy Hash: a2b42f5d817999fa87d8c8debf1c72a2dd1cd4bafa442c689adcebc18bd8fdf0
Instruction Fuzzy Hash: C3E06D7230DA4446DA3635BF2C866FB4AACCFC6364B28553FE08DD6282C8984C06956A

Function 00473938 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,0047B594,?,?,00000001,00000000,00000002,00000000,0047BE41,?,?,?,?,?,00493309), ref: 00473941
OpenProcessToken.ADVAPI32(00000000,00000008,?,0047B594,?,?,00000001,00000000,00000002,00000000,0047BE41), ref: 00473947
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,0047B594,?,?,00000001,00000000,00000002,00000000,0047BE41), ref: 00473969
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,0047B594,?,?,00000001,00000000,00000002,00000000), ref: 0047397A

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: edfe2e214aa3a75ba4a1892ea1e575a857d4468868b2aecbb613d029d339128d
Instruction ID: bb68efe843bb787bbe1951a3fb92d0835bf9270be0aaf8c05fbae998de9023db
Opcode Fuzzy Hash: edfe2e214aa3a75ba4a1892ea1e575a857d4468868b2aecbb613d029d339128d
Instruction Fuzzy Hash: 94F030A16443016BD600EAB5CD82E9B77DCEB44354F04883A7E98D72D1E678DD18AB26

Function 004241B0 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 004241BC
IsWindowVisible.USER32(?), ref: 004241CD
IsWindowEnabled.USER32(?), ref: 004241D7
SetForegroundWindow.USER32(?), ref: 004241E1

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: fcfbdc667dfc271acfde3df3b5f004a8a61651cac52fe1164ff6abd3c1fed0d2
Instruction ID: 7a261241521d5f36110480f60a41559dbc21bd8b6604a945fb8666e4bf107b55
Opcode Fuzzy Hash: fcfbdc667dfc271acfde3df3b5f004a8a61651cac52fe1164ff6abd3c1fed0d2
Instruction Fuzzy Hash: 0DE08699B06531139E31FA251885ABB25ACCD54B883C60127BC04F7243DF1CCFA0C1AC

Function 00466FA4 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00467191
EnableMenuItem.USER32(00000000,00000000,00000000), ref: 00467197

Strings

CurPageChanged, xrefs: 0046731F

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Menu$EnableItemSystem
String ID: CurPageChanged
API String ID: 3692539535-2490978513
Opcode ID: b1f316c5989fff7e00d37c5493a715d64e5e6d0b5679f88fc60dbd8090725f93
Instruction ID: 85229a9a86c8d76f9b88dc92849b92cb22f01a3e3c9a9662cd7f180e88e3a99e
Opcode Fuzzy Hash: b1f316c5989fff7e00d37c5493a715d64e5e6d0b5679f88fc60dbd8090725f93
Instruction Fuzzy Hash: AFA1F734614204DFC711DB69D985EE973F5EB49308F2640F6F804AB322EB38AE41EB59

Function 0044FA84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044FB19
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FB4A

Strings

open, xrefs: 0044FB3D

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: 8a0605ed0c381f0a74a086ec1471ed6555b23fb8dcfb2e81ee34f57c50cf0fe2
Instruction ID: 724f47e86b4f4745380ee9597168f1c8a72dce230288f2328438c3862ccb2892
Opcode Fuzzy Hash: 8a0605ed0c381f0a74a086ec1471ed6555b23fb8dcfb2e81ee34f57c50cf0fe2
Instruction Fuzzy Hash: F8214470E00244AFEB00DF69C992F9EB7F9EF45704F1085BAB500E7391D678BA45CA58

Function 00468AB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; showing wizard., xrefs: 00468B99
Failed to proceed to next wizard page; aborting., xrefs: 00468B85

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: 922b0376bd45f1a340fb446d45ca7413af626e1e06f02045d5dc725511932721
Instruction ID: be58dce371fc8eb70e9473287a00680558b91856d3b2c3d5b7f8b6b1509d7c4a
Opcode Fuzzy Hash: 922b0376bd45f1a340fb446d45ca7413af626e1e06f02045d5dc725511932721
Instruction Fuzzy Hash: 5C218E706042049FDB00EBA9E985E99B7F8EB05714F2541BFF404AB352DB38AE40CB59

Function 00453C84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00453D18
GetLastError.KERNEL32(0000003C,00000000,00453D61,?,?,00000001,00000001), ref: 00453D29

Part of subcall function 00453970: WaitForInputIdle.USER32(00000001,00000032), ref: 0045399C
Part of subcall function 00453970: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004539BE
Part of subcall function 00453970: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 004539CD
Part of subcall function 00453970: CloseHandle.KERNEL32(00000001,004539FA,004539F3,?,00000031,00000080,00000000,?,?,00453D4B,00000080,0000003C,00000000,00453D61), ref: 004539ED

Strings

<, xrefs: 00453CCC

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
String ID: <
API String ID: 35504260-4251816714
Opcode ID: 0a489ccbbc1036629311ba8f0fc18be266887183308125755252c1f90736cb03
Instruction ID: 33ba34e09f30df1b12b73ce0116b213a2e15e307ba7a65c56a6979caf0e15077
Opcode Fuzzy Hash: 0a489ccbbc1036629311ba8f0fc18be266887183308125755252c1f90736cb03
Instruction Fuzzy Hash: 3C2153B0600209ABDB11DF65D8826DE7BF8AF09396F50443AF844E7381D7789E49CB98

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(00496420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(00496420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00496420,00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00496420,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00496420,00401A89,00000000,00401A82,?,?,0040222E,00496460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 3eb0375ff62f3d3bcca9cc60adac25dafbf9b9e3c2e27b1e4b69ca31af3a3358
Instruction ID: 5893b1754cd22d93ac955961316eccc987691ebf6da7ca014f8aac44d7effe1a
Opcode Fuzzy Hash: 3eb0375ff62f3d3bcca9cc60adac25dafbf9b9e3c2e27b1e4b69ca31af3a3358
Instruction Fuzzy Hash: 851101317042046FEB25ABB99F5A62A6AD4D795758B25087FF404F32D2D9BD8C02826C

Function 00446E48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 00446EFA

Strings

NIL Interface Exception, xrefs: 00446E9C
Unknown Method, xrefs: 00446ED3

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: 87cbfea59f1259fc6e468aac4867c83fbc8f3f1cc130e6dbee1779124e49575a
Instruction ID: 5f9b3b73cb94db711a986a3f2247f7757ae34ed1a40e252d8aaeb61a96a19159
Opcode Fuzzy Hash: 87cbfea59f1259fc6e468aac4867c83fbc8f3f1cc130e6dbee1779124e49575a
Instruction Fuzzy Hash: 3E1196706042489FEB10DFA5DC52AAEBBBCEB49704F52407AF900E7681D7799D04CA6A

Function 00490B34 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00490BFC,?,00490BF0,00000000,00490BD7), ref: 00490BA2
CloseHandle.KERNEL32(00490C3C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00490BFC,?,00490BF0,00000000), ref: 00490BB9

Part of subcall function 00490A8C: GetLastError.KERNEL32(00000000,00490B24,?,?,?,?), ref: 00490AB0

Strings

D, xrefs: 00490B7C

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: 248f869aaca6227a9bc77a92f638e1a0db6285b6b497ba8db48b301b6d33914f
Instruction ID: 99184734163d0c92a4db66637d6494c9b23a30ba7254384d63fd9a46e8a5d762
Opcode Fuzzy Hash: 248f869aaca6227a9bc77a92f638e1a0db6285b6b497ba8db48b301b6d33914f
Instruction Fuzzy Hash: 790165B1644248AFDF00EBD1CC42F9FBBACDF48718F51007AB504E7291DA78AE048A58

Function 0042DB9C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DBB0
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DBF0

Strings

Inno Setup: No Icons, xrefs: 0042DBAE

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: 0890946b5df0c49e4954d7290b96ce305c787ba9704d15fe4295c439bd8e9102
Instruction ID: 08e9f6bdc79701da45a7e076aae250b208fcb3010747ef376bcb555be2d5621c
Opcode Fuzzy Hash: 0890946b5df0c49e4954d7290b96ce305c787ba9704d15fe4295c439bd8e9102
Instruction Fuzzy Hash: F5018431B8933069F73045266D41F6B558C9B85B64F65003BFA41AA3C0D6DCDC45E26A

Function 00491FC1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00453FD0: GetCurrentProcess.KERNEL32(00000028), ref: 00453FDF
Part of subcall function 00453FD0: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453FE5

SetForegroundWindow.USER32(?), ref: 00491FF3

Strings

Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0049201E
Restarting Windows., xrefs: 00491FD0

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
API String ID: 3179053593-4147564754
Opcode ID: 92e7afcc8831688dae5fd262e04e4039765fdd7336fda1d0c24d127371dd9238
Instruction ID: 09758fc62953ac5564f253f86018d0961132e27bbb4a61923f7fbbecd85c55b8
Opcode Fuzzy Hash: 92e7afcc8831688dae5fd262e04e4039765fdd7336fda1d0c24d127371dd9238
Instruction Fuzzy Hash: 7701BC747042807AEB01EB65EA02B9C2FA89B4430DF80407BF500AB293C6BD9A49C72D

Function 004713F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00496628,00492DAD,00000000,00492E02,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3

MoveFileA.KERNEL32(00000000,00000000), ref: 00471456

Part of subcall function 004712A8: GetLastError.KERNEL32(00000000,00471394,?,?,?,00497138,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0047141B,00000001), ref: 004712C9

Strings

MoveFile, xrefs: 00471431
DeleteFile, xrefs: 0047140F

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: File$DeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3195829115-139070271
Opcode ID: 51569406b8907aa8f27be33c1290f694066cffae2399f79e6ee197169eb5c4fe
Instruction ID: 498d1f86d5cab30c0c02f2f8960253c4d30b0e1e307aae4f7005b10ea634dfd9
Opcode Fuzzy Hash: 51569406b8907aa8f27be33c1290f694066cffae2399f79e6ee197169eb5c4fe
Instruction Fuzzy Hash: 3AF062A010411067DF107B6E85836DA239C8F0235EB54C17BBD88BF3A3CA3D9C0287AE

Function 00455C38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00455C42
FileTimeToLocalFileTime.KERNEL32(?,.2I,?), ref: 00455C4F

Strings

.2I, xrefs: 00455C47, 00455C5B, 00455C63, 00455C4A

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: .2I
API String ID: 1748579591-803348413
Opcode ID: aba8b51db9d65da12f539ddc2c0835b2624d8a3471dbf7fd6520d9ecd032998b
Instruction ID: 4f8a786cf5642c40ef90ebfca535d25145d1c27a2836ec24ad6e1980779010cb
Opcode Fuzzy Hash: aba8b51db9d65da12f539ddc2c0835b2624d8a3471dbf7fd6520d9ecd032998b
Instruction Fuzzy Hash: B7E0ED71D0060DABCF00EBE5DC418EEB7BCFA08314F40067BA814E3295E734A6098B94

Function 00454060 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 0045407F
Sleep.KERNEL32(?), ref: 0045408F
GetLastError.KERNEL32 ref: 004540A2
GetLastError.KERNEL32 ref: 004540AC

Memory Dump Source

Source File: 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3436774598.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437098062.0000000000494000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3437148351.0000000000496000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3438717270.00000000004A6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_9MgoW3Y1ti.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 8b4360f2b479ea038ec97fb2a00d6f0221d541355e91bee91f30916643827583
Instruction ID: 017d81aa95838fcb6bb112513f86caaf4ff52444f8b7b5a451e770b39712fdff
Opcode Fuzzy Hash: 8b4360f2b479ea038ec97fb2a00d6f0221d541355e91bee91f30916643827583
Instruction Fuzzy Hash: B8F0F632A00524578E20A9AE998192F62CDDAC0B6D730052BEF04DF283D439CC854AAE

Analysis Process: recordpadsoundrecorder32.exePID: 6724, Parent PID: 5232COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.1%
Total number of Nodes:	460
Total number of Limit Nodes:	8

Executed Functions

Function 00401B4B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B

Strings

o, xrefs: 00401BF2
GetAdaptersInfo, xrefs: 00401B6E
iphlpapi.dll, xrefs: 00401B58

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll$o
API String ID: 514930453-3667123677
Opcode ID: a3c77d1947fac9ed500e02c632cb5410261389502922d6f95d8c76429a6c9e05
Instruction ID: 2fcbbae68a7f2e143e0ba6fa3878dab2488d9b05c73812711a2b91e8578584ab
Opcode Fuzzy Hash: a3c77d1947fac9ed500e02c632cb5410261389502922d6f95d8c76429a6c9e05
Instruction Fuzzy Hash: E521A770904109AEEF119B65CD447EF7BB8EF41344F1440BAD504B22E1E7789985CB69

Function 00401A4F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
GetLastError.KERNEL32 ref: 00401B0E
FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D

Strings

\\.\PhysicalDrive0, xrefs: 00401A63

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
String ID: \\.\PhysicalDrive0
API String ID: 3786717961-1180397377
Opcode ID: 87e5aa96cf8bbfa53ba141c063bc04efd036a70200bde10c5f99651d25558048
Instruction ID: 04828827cee311aa1ccd055820d70034eb57b3ddca3c9d8c28a7d5788a1782d0
Opcode Fuzzy Hash: 87e5aa96cf8bbfa53ba141c063bc04efd036a70200bde10c5f99651d25558048
Instruction Fuzzy Hash: 43318D71D00118EADB21AFA5CD849EFBBB9FF41750F20407AE554B22A0E7785E45CB98

Function 00402299 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StartServiceCtrlDispatcherA.ADVAPI32 ref: 0040229A

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: c003d29a70a172e29de59ed7b689d9b07ce4a3aef7e76657a3f1d292d186b6c5
Instruction ID: 7236fdf905961642a5bbbc3fb68be642bec8eaa1085a8ac3c622be18bd149764
Opcode Fuzzy Hash: c003d29a70a172e29de59ed7b689d9b07ce4a3aef7e76657a3f1d292d186b6c5
Instruction Fuzzy Hash: 55B0127330C10446C30057B8BE4C59F234CE38633AB104C37C04FE00E1D6B8C04A5524

Function 00402EF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00402F16

Part of subcall function 00404034: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F4F,00000000), ref: 00404045
Part of subcall function 00404034: HeapDestroy.KERNEL32 ref: 00404084

GetCommandLineA.KERNEL32 ref: 00402F64
GetStartupInfoA.KERNEL32(?), ref: 00402F8F
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402FB2

Part of subcall function 0040300B: ExitProcess.KERNEL32 ref: 00403028

Strings

Y, xrefs: 00402F7E

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID: Y
API String ID: 2057626494-4136946213
Opcode ID: 2a5b16c506521380fd9b5f66b06519665ea10880a1b1eb47f363de886a19e373
Instruction ID: 31bd938ea51fadde60a3d0ec437c396cd65a6e637b97124abe794e54387ab133
Opcode Fuzzy Hash: 2a5b16c506521380fd9b5f66b06519665ea10880a1b1eb47f363de886a19e373
Instruction Fuzzy Hash: 19216DB1800615AAD714AFA6DE49A6E7FB8EB44719F10413FF505BB2D1DB385500CA58

Function 0040250E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE(?,Common AppData), ref: 0040D958

Strings

NL5$, xrefs: 00402519
Common AppData, xrefs: 0040257E

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: QueryValue
String ID: Common AppData$NL5$
API String ID: 3660427363-3642351906
Opcode ID: ed0e5acd8f8ece743e598616439700d4f440e59f7496dd527ca1e1139eb0ac89
Instruction ID: 3625f9f7bcec903c70c52d49b5d04ab8b5a9762ab31523acee7a4a548b3f6f63
Opcode Fuzzy Hash: ed0e5acd8f8ece743e598616439700d4f440e59f7496dd527ca1e1139eb0ac89
Instruction Fuzzy Hash: 6A019971C18B40FBCB054FB09E18A697F74AB46710715427BD851720F1D3B8885BEA4F

Function 00402845 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(?), ref: 004028F2
CommandLineToArgvW.SHELL32(00000000), ref: 004028F9
GetLocalTime.KERNEL32(0040C2B8), ref: 0040D3C6

Strings

/chk, xrefs: 0040D44C

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: CommandLine$ArgvLocalTime
String ID: /chk
API String ID: 3768950922-3837807730
Opcode ID: 58e77e24c0e44735d9c25947b9bd7a71b097def894af762cde97e617ba063816
Instruction ID: f8a697a6ba56cfa0421d3161c88fb5920d4a750ed1aa0ba2803a0c5cf8bd7934
Opcode Fuzzy Hash: 58e77e24c0e44735d9c25947b9bd7a71b097def894af762cde97e617ba063816
Instruction Fuzzy Hash: 59E06D75C08202EEC7007BE0AF098AC77B4AA08301320817FE556B51D0CB7C548AAB2F

Function 0040364D Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00403638,?,00000000,00000000,00402FC7,00000000,00000000), ref: 0040365D
TerminateProcess.KERNEL32(00000000,?,00403638,?,00000000,00000000,00402FC7,00000000,00000000), ref: 00403664
ExitProcess.KERNEL32 ref: 004036DE

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 45a62d5989472daa66da51cc5c0c53ccf8c07e521785adc499b880c08e76b42c
Instruction ID: 8ec911347a9f6ebe748c774e3fffa0e274c2dea28e60d441966e3dc67073ffcc
Opcode Fuzzy Hash: 45a62d5989472daa66da51cc5c0c53ccf8c07e521785adc499b880c08e76b42c
Instruction Fuzzy Hash: A201C831644300FAD6309F25FE84A5A7FA8A791351B10493FE440723D1CB3AA9848E1C

Function 0040D3AB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(0040C2B8), ref: 0040D3C6

Strings

/chk, xrefs: 0040D44C

Memory Dump Source

Source File: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: LocalTime
String ID: /chk
API String ID: 481472006-3837807730
Opcode ID: 719ccb32c6d0f1224c08b4e1637f7109be7b56e533cc931ac7d4392f13334026
Instruction ID: bfeb034239b7c7118683ac587487231c4a8ae608a4ee2d3b9eda992131e4dc08
Opcode Fuzzy Hash: 719ccb32c6d0f1224c08b4e1637f7109be7b56e533cc931ac7d4392f13334026
Instruction Fuzzy Hash: 4CE08630C18743E9D7117BA0CD088987FB1AB51314760463FE1A2754E1D73D549AEF4E

Function 0040269D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE ref: 0040269D

Strings

.exe, xrefs: 0040D616

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: CreateDirectory
String ID: .exe
API String ID: 4241100979-4119554291
Opcode ID: 6ff648dc406feb637f11e3f6b69f0d8219d4dba7ac56d197b0b02803ca9b4c05
Instruction ID: 7be0dad2239628ad1372a9b2e638fdce078da6a21a9524e3c9378f4dc9fd0076
Opcode Fuzzy Hash: 6ff648dc406feb637f11e3f6b69f0d8219d4dba7ac56d197b0b02803ca9b4c05
Instruction Fuzzy Hash: CFC04C38596131F2D51132D10E0EE5F641C5D8E745334403F7142700D349FC180A56BF

Function 00404034 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F4F,00000000), ref: 00404045

Part of subcall function 00403EEC: GetVersionExA.KERNEL32 ref: 00403F0B

HeapDestroy.KERNEL32 ref: 00404084

Part of subcall function 0040440B: HeapAlloc.KERNEL32(00000000,00000140,0040406D,000003F8), ref: 00404418

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
Instruction ID: 795a75c142ce263548137c971673ec0d69254cf7c95aacf64765c85fef2462b4
Opcode Fuzzy Hash: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
Instruction Fuzzy Hash: E9F065F060530199DB205F749F45B2A35989BC0765F10453FFB40F41D0EB788481990E

Function 00402571 Relevance: 3.0, APIs: 2, Instructions: 17
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE ref: 00402571
GetTickCount.KERNEL32 ref: 0040D486

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: CountCreateTick
String ID:
API String ID: 3069548982-0
Opcode ID: ee8128013bf5e90e42cdd554de5022e84e0101b2628d331728f9b3f566d64dcf
Instruction ID: ea209166fb0ef528cf99b9c0e38baeae1227fb332146ce63fc0e23087ad075ce
Opcode Fuzzy Hash: ee8128013bf5e90e42cdd554de5022e84e0101b2628d331728f9b3f566d64dcf
Instruction Fuzzy Hash: FCD05EB1D08109DBD7605BE0EE4EAE932785B04308F54403BEA8AF10C0DA7C955DA91E

Function 0040225A Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileA.KERNEL32(?), ref: 0040D906

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 8747868f841f3e86c60c04198b4c3812247f9f6c6e6f8a051b3cab23d1bc53d8
Instruction ID: 18315759b2a842b5bc47b7c566bd7707562d10a9491666b6158da95836141683
Opcode Fuzzy Hash: 8747868f841f3e86c60c04198b4c3812247f9f6c6e6f8a051b3cab23d1bc53d8
Instruction Fuzzy Hash: 7DC08CB0C14109EAC2105AA19E4A9AA3B6C4B0038CB2000B7720BB1081EA3C854EA67B

Function 0040D23A Relevance: 1.5, APIs: 1, Instructions: 9
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 0040D23D

Memory Dump Source

Source File: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 31de8d22fc593bc1c279bc5476df20698ba11a3bbf33a6183a20eb6f6725d707
Instruction ID: 8040d302770a520428a66105e482caf9ceff3af2c13684b85fe4baa54a86378e
Opcode Fuzzy Hash: 31de8d22fc593bc1c279bc5476df20698ba11a3bbf33a6183a20eb6f6725d707
Instruction Fuzzy Hash: 47C09B30708406CDE7555BB14A082B77764B644344B704D76E44BF05D0F739850F591E

Function 0040D11D Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32 ref: 0040D11E

Memory Dump Source

Source File: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 86451105a0139d872ac9f7691e3aa5979c091675fabf703e7b9c18d13448488a
Instruction ID: 5b145c32185f2fe23c23a9f3356da1e15a91333f529c69de665c0df8320d1f6d
Opcode Fuzzy Hash: 86451105a0139d872ac9f7691e3aa5979c091675fabf703e7b9c18d13448488a
Instruction Fuzzy Hash: C8B01270C05101FECB506F604F9801C35665500305330487AD103F10D0C73C4509FA2E

Function 00402914 Relevance: 1.5, APIs: 1, Instructions: 4
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE ref: 00402914

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f5db5590c29d013d9deb5da303e7320bdae192f81683c438447ff80dd5f1286a
Instruction ID: a672698ba65cf88ccc8542e474dbf54698bfe7b51bb9aee12de0e43c7b427ca3
Opcode Fuzzy Hash: f5db5590c29d013d9deb5da303e7320bdae192f81683c438447ff80dd5f1286a
Instruction Fuzzy Hash: E2A00271904514C6D64496949F4859877746504311751407ED152710D0D77C554A651D

Function 0040D639 Relevance: 1.5, APIs: 1, Instructions: 3registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNELBASE ref: 0040D639

Memory Dump Source

Source File: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 30ccf38bae0651031a747be385cf41240ce9650c7b68b68cc0c0d266fe80d253
Instruction ID: 56e8f69265871bb44e1bd22ced2ad85af3968b80b96cf2c0600ba62ef43449e4
Opcode Fuzzy Hash: 30ccf38bae0651031a747be385cf41240ce9650c7b68b68cc0c0d266fe80d253
Instruction Fuzzy Hash: 51A00275504404EBCB090B919B0C67C7E31B748305F151069E142704A08B751655AF19

Non-executed Functions

Function 00402588 Relevance: 1.5, APIs: 1, Instructions: 11serviceCOMMON

Download Yara Rule

APIs

CreateServiceA.ADVAPI32(?,?,?,000F01FF), ref: 0040D586

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: CreateService
String ID:
API String ID: 1592570254-0
Opcode ID: b1d535fcba41d0c5bc0ec726a091b62f5efeb8c2f631be5d7d856abec158dcf1
Instruction ID: 55442d6bb3312950ba1be5e0f5e2ac9e55e18be424259f3225f08959e138762c
Opcode Fuzzy Hash: b1d535fcba41d0c5bc0ec726a091b62f5efeb8c2f631be5d7d856abec158dcf1
Instruction Fuzzy Hash: 73C04C74D8C402F6C2210AD00D4983510282585795331083B6E47B44C199B8044FB12F

Function 004023B3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 75registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(UID Finder 6.11.66,Function_0000235E), ref: 004023C1
SetServiceStatus.ADVAPI32(0040C408), ref: 00402420
GetLastError.KERNEL32 ref: 00402422
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
GetLastError.KERNEL32 ref: 00402450
SetServiceStatus.ADVAPI32(0040C408), ref: 00402480
CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
CloseHandle.KERNEL32 ref: 004024A1
SetServiceStatus.ADVAPI32(0040C408), ref: 004024CA

Strings

UID Finder 6.11.66, xrefs: 004023BC

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
String ID: UID Finder 6.11.66
API String ID: 3346042915-245170862
Opcode ID: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
Instruction ID: 4f107cf957cbd680cd4d605db27ce117804603c61eb7b626b01e69dba3e91430
Opcode Fuzzy Hash: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
Instruction Fuzzy Hash: 3521C570441214EBC2105F16EFE9A267FA8FBC5794B11823EE544B22B2CBB90549CFAD

Function 00406897 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00408650,00000001,00000000,00000000,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 004068D9
LCMapStringA.KERNEL32(00000000,00000100,0040864C,00000001,00000000,00000000,?,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 004068F5
LCMapStringA.KERNEL32(?,?,?,?,Wc@ ,?,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 0040693E
MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 00406976
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069CE
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069E4
LCMapStringW.KERNEL32(?,?,?,00000000,Wc@ ,?,?,00406357,00200020,00000000,?,00000000), ref: 00406A17
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406A7F

Strings

Wc@ , xrefs: 00406A97, 00406A0A, 0040692F

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: Wc@
API String ID: 352835431-4128830131
Opcode ID: c59ed56cf9200d4eb4cbe2117608f716f3cf8688afb6deb225ba4043c85c6758
Instruction ID: c30aaca26a5f6a0372154cda3c497b92e07e281ea3e6606adb1712902525b657
Opcode Fuzzy Hash: c59ed56cf9200d4eb4cbe2117608f716f3cf8688afb6deb225ba4043c85c6758
Instruction Fuzzy Hash: 8A517E71A00209EBCF219F94CD45ADF7FB5FB49750F11812AF911B12A0D7398921DF69

Function 00403BE2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403BFD
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403C11
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403C3D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F74), ref: 00403C75
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F74), ref: 00403C97
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402F74), ref: 00403CB0
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403CC3
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403D01

Strings

t/@, xrefs: 00403CAB, 00403C9D

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: t/@
API String ID: 1823725401-3363397731
Opcode ID: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
Instruction ID: 879d38be92084954eaea71e49c87bd85cc2f9a5de8a3f101a3316a48e994b743
Opcode Fuzzy Hash: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
Instruction Fuzzy Hash: 3E31017350C2246EE7203F746CC483BBE9CEA4575AB15053FF982F3280DA398E8146AD

Function 004065B8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,004043C1,?,Microsoft Visual C++ Runtime Library,00012010,?,00408584,?,004085D4,?,?,?,Runtime Error!Program: ), ref: 004065CA
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065E2
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065F3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406600

Strings

GetActiveWindow, xrefs: 004065ED
user32.dll, xrefs: 004065C5
GetLastActivePopup, xrefs: 004065F5
MessageBoxA, xrefs: 004065DC

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 1e827d42bf4979efd8fc0e05e1792a28396127eff3a42ececc528c363af0fc92
Instruction ID: db39845ca5f1b339293cd545309a4189fd77c948f0b46f5b4ed21715b02f5541
Opcode Fuzzy Hash: 1e827d42bf4979efd8fc0e05e1792a28396127eff3a42ececc528c363af0fc92
Instruction Fuzzy Hash: 46018871A40611EFC7208FB5AFC49277EE99B587407061D3FA541F2291DE7B8811CB6D

Function 0040674E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00408650,00000001,00000000,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 0040678D
GetStringTypeA.KERNEL32(00000000,00000001,0040864C,00000001,?,?,00000000,00000000,00000001), ref: 004067A7
GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 004067DB
MultiByteToWideChar.KERNEL32(Wc@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 00406813
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00406869
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 0040687B

Strings

Wc@ , xrefs: 00406810

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: Wc@
API String ID: 3852931651-4128830131
Opcode ID: 51aa12949cff19f931a0c8f8e78869120ffa08a7a0a03f1196022c1900c26aa0
Instruction ID: 956ec2585e1336e719d8d065e8dcf62e24d3c9f54db028b8b8152b0cc77897f4
Opcode Fuzzy Hash: 51aa12949cff19f931a0c8f8e78869120ffa08a7a0a03f1196022c1900c26aa0
Instruction Fuzzy Hash: 3F419F72501209EFCF20AF94DD85EAF3B79FB04754F11453AF902F2290C73989248BA9

Function 0040429D Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040430A
GetStdHandle.KERNEL32(000000F4,00408584,00000000,?,00000000,00000000), ref: 004043E0
WriteFile.KERNEL32(00000000), ref: 004043E7

Strings

Runtime Error!Program: , xrefs: 00404370
Microsoft Visual C++ Runtime Library, xrefs: 004043B6
..., xrefs: 0040435C
<program name unknown>, xrefs: 0040431A

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: efc2387ad9e4ebc715aa49f254a253419fe4c6ba22f87958d70440b8e59437cd
Instruction ID: d8635e2a7f81e525e6493e1b235b12eebf94c6aed7416e9ae0bb5a91e3b582aa
Opcode Fuzzy Hash: efc2387ad9e4ebc715aa49f254a253419fe4c6ba22f87958d70440b8e59437cd
Instruction Fuzzy Hash: ED318572601219AEDF20AA60DE46FDA336CAF85304F1004BFF944B61D1DA78DE448A5D

Function 00401F64 Relevance: 12.1, APIs: 8, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
GetLastError.KERNEL32 ref: 00401F86
SizeofResource.KERNEL32(00000000), ref: 00401F93
LoadResource.KERNEL32(00000000), ref: 00401FAD
LockResource.KERNEL32(00000000), ref: 00401FB4
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
GetTickCount.KERNEL32 ref: 00401FFB
GlobalAlloc.KERNEL32(00000040,?), ref: 00402061

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
String ID:
API String ID: 564119183-0
Opcode ID: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
Instruction ID: 6227662f3afde43d5576465443d89a1ce2d87db52467ebd9ddb435d6f9af9923
Opcode Fuzzy Hash: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
Instruction Fuzzy Hash: 68316E31A00255AFDB105FB49F8896F7F68EF45344F10807AFE86F7291DA748845C7A8

Function 00403EEC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00403F0B
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403F40
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403FA0

Strings

__MSVCRT_HEAP_SELECT, xrefs: 00403F3B
__GLOBAL_HEAP_SELECTED, xrefs: 00403F7A

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 902e60ade4d92a6391f73bc102fd9c1f1b848196a8b58942b8a92e566e39241b
Instruction ID: f9b557e5926ae0cb1bea86ca91105dc92f8de38cdcecb6fe0ade7bda32980430
Opcode Fuzzy Hash: 902e60ade4d92a6391f73bc102fd9c1f1b848196a8b58942b8a92e566e39241b
Instruction Fuzzy Hash: B6312571D412886DEB319A705C45ADE7F7C8B06309F2400FBE685F62C2E6388FC98B19

Function 00403D14 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00403D6D
GetFileType.KERNEL32(00000800), ref: 00403E13
GetStdHandle.KERNEL32(-000000F6), ref: 00403E6C
GetFileType.KERNEL32(00000000), ref: 00403E7A
SetHandleCount.KERNEL32 ref: 00403EB1

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
Instruction ID: 9dbc4695f3205ced207c781c98d2c2eecf37425ec268f2c04ee58d1a3995b9ba
Opcode Fuzzy Hash: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
Instruction Fuzzy Hash: 7C5143716046458BD7218F38CD887663FA8AF02B26F15473EE4A2FB2E0C7389A45C74D

Function 004069AB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069CE
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069E4
LCMapStringW.KERNEL32(?,?,?,00000000,Wc@ ,?,?,00406357,00200020,00000000,?,00000000), ref: 00406A17
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406A7F
WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,Wc@ ,?,00000000,00000000,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406AA4

Strings

Wc@ , xrefs: 00406A0A

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: Wc@
API String ID: 352835431-4128830131
Opcode ID: 1312c45284bb9b0df6438f0e9267380287f1a9abf6012680dfeac5a7f92326d3
Instruction ID: 95b79f799a9dc74ab8783d7474949c37cbdd673329ec6272a6b224a97d77f72f
Opcode Fuzzy Hash: 1312c45284bb9b0df6438f0e9267380287f1a9abf6012680dfeac5a7f92326d3
Instruction Fuzzy Hash: C2113A32A00209ABCF229F98CD04ADEBFB6FF49350F11816AF911722A0D3368D61DF54

Function 0040319A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00402EAA), ref: 0040319F
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004031AF

Strings

KERNEL32, xrefs: 0040319A
IsProcessorFeaturePresent, xrefs: 004031A9

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 748c3a06171c204e9a1fd50ae91f73f3c4da2d806122e1fde3641ea021038800
Instruction ID: 8ffc782c345fbc4a568335a89d7931e33654b4b0dba7f91db9b0a41dc5523864
Opcode Fuzzy Hash: 748c3a06171c204e9a1fd50ae91f73f3c4da2d806122e1fde3641ea021038800
Instruction Fuzzy Hash: 25C08C70381B01A6EE602FB22F09B172C0C1B48B43F1800BE7A89F81C0CE7CC208813D

Function 00404C5C Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0040407A), ref: 00404C7D
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0040407A), ref: 00404CA1
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0040407A), ref: 00404CBB
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0040407A), ref: 00404D7C
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0040407A), ref: 00404D93

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
Instruction ID: 2da35cf39901cd0166ef30884cd3fae4f1f30d489fd3d975fdb0eff0fbde1f7b
Opcode Fuzzy Hash: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
Instruction Fuzzy Hash: 5531E2B15017019BE3208F28EE44B22B7A4EBC8754F11863EEA55B73E1E778AC44CB5C

Function 0040447E Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00008000,00004000,7622DFF0,?,00000000), ref: 004046D6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404731
HeapFree.KERNEL32(00000000,?), ref: 00404743

Strings

t/@, xrefs: 0040447E

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Free$Virtual$Heap
String ID: t/@
API String ID: 2016334554-3363397731
Opcode ID: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
Instruction ID: 8d17195ec0ccff2424cf6b57804f20dfeb37273885bc82fd82189131503ce94b
Opcode Fuzzy Hash: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
Instruction Fuzzy Hash: 3EB19EB4A01205DFDB14CF44CAD0A69BBA1FB88314F25C1AEDA596F3A2D735ED41CB84

Function 0040606F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00406083

Strings

, xrefs: 004060CC
, xrefs: 004060A8

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
Instruction ID: 3e87ef9e1105c78bb2f85cebc7c09ea1e0cb28c4563d123519c4b9c13c46ffd4
Opcode Fuzzy Hash: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
Instruction Fuzzy Hash: 0C414831004258AAEB119B54CD99BFB3FE9DB06704F1501F6D587FB1D3C23949648BAE

Function 00404AB0 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404AD8
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B0C
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B26
HeapFree.KERNEL32(00000000,?,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B3D

Memory Dump Source

Source File: 00000003.00000002.2198598494.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2198598494.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
Instruction ID: e332c3e7fbabb4a530177a7352d9393d0fbd82ec7ab2db7e11d44f19093e014a
Opcode Fuzzy Hash: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
Instruction Fuzzy Hash: 611116B0201601DFC7219F19EE85E22BBB5FB84720711463AF292E65F0D771A845CF5C

Analysis Process: recordpadsoundrecorder32.exePID: 5068, Parent PID: 5232COMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	84.5%
Signature Coverage:	0.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	38

Executed Functions

Function 00B472A7 Relevance: 95.2, APIs: 41, Strings: 13, Instructions: 659
networksleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(0000EA60), ref: 00B46704
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B4670F
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B46720
_memset.LIBCMT ref: 00B46775
_memset.LIBCMT ref: 00B46784
InternetOpenA.WININET(?), ref: 00B472B1
InternetSetOptionA.WININET(00000000,00000002,?), ref: 00B472D9
InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 00B472F1
InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 00B47309
_memset.LIBCMT ref: 00B47319
InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 00B47332
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00B47354
InternetCloseHandle.WININET(00000000), ref: 00B47374
InternetCloseHandle.WININET(00000000), ref: 00B4737F
_memset.LIBCMT ref: 00B473C7
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B473EA
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B473FB
_malloc.LIBCMT ref: 00B47494
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B474A6
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B474B2
_memset.LIBCMT ref: 00B474CC
_memset.LIBCMT ref: 00B474DB
_memset.LIBCMT ref: 00B474EB
_memset.LIBCMT ref: 00B474FE
_memset.LIBCMT ref: 00B47514
_malloc.LIBCMT ref: 00B4758A
_memset.LIBCMT ref: 00B4759B
_strtok.LIBCMT ref: 00B475BB
_swscanf.LIBCMT ref: 00B475D2
_strtok.LIBCMT ref: 00B475E9
_free.LIBCMT ref: 00B475F5
Sleep.KERNEL32(000007D0), ref: 00B476ED
_memset.LIBCMT ref: 00B47761
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B4776E
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B47780
_sprintf.LIBCMT ref: 00B4781E
RtlEnterCriticalSection.NTDLL(00000020), ref: 00B478E2
RtlLeaveCriticalSection.NTDLL(00000020), ref: 00B47916

Strings

updurls, xrefs: 00B47451, 00B47AFC
idle, xrefs: 00B47429, 00B47799
<htm, xrefs: 00B4738D
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00B46735
auth_swith, xrefs: 00B47533
disconnect, xrefs: 00B47415, 00B4773E
auth_ip, xrefs: 00B4755F, 00B477F0
block, xrefs: 00B475A3
connect, xrefs: 00B47401, 00B4746C
, xrefs: 00B47A90
urls, xrefs: 00B47B32
updips, xrefs: 00B4743D, 00B477CC
%d;, xrefs: 00B47818

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
API String ID: 696907137-1839899575
Opcode ID: a3a4b35e3a4b682c451cd2c9df1ec09b7de510df23a983f47d1a39571739500f
Instruction ID: b5d4b1c6698d0a02292355d3dcc3f716ab627d10d41e22c1723650ff55318d74
Opcode Fuzzy Hash: a3a4b35e3a4b682c451cd2c9df1ec09b7de510df23a983f47d1a39571739500f
Instruction Fuzzy Hash: 0732013168C381ABD734AB24DC45BAFB7E4EF86310F00089DF58997292DF749A08DB52

Function 00B46487 Relevance: 84.2, APIs: 42, Strings: 6, Instructions: 228
memorysleeplibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(00B771D8), ref: 00B464B6
GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 00B464CD
GetProcAddress.KERNEL32(00000000), ref: 00B464D6
GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 00B464E5
GetProcAddress.KERNEL32(00000000), ref: 00B464E8
GetTickCount.KERNEL32 ref: 00B464F4

Part of subcall function 00B4605A: _malloc.LIBCMT ref: 00B46068

GetVersionExA.KERNEL32(00B77030), ref: 00B46521
_memset.LIBCMT ref: 00B46540
_malloc.LIBCMT ref: 00B4654D

Part of subcall function 00B52F5C: __FF_MSGBANNER.LIBCMT ref: 00B52F73
Part of subcall function 00B52F5C: __NMSG_WRITE.LIBCMT ref: 00B52F7A
Part of subcall function 00B52F5C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001), ref: 00B52F9F

_malloc.LIBCMT ref: 00B4655D
_malloc.LIBCMT ref: 00B46568
_malloc.LIBCMT ref: 00B46573
_malloc.LIBCMT ref: 00B4657E
_malloc.LIBCMT ref: 00B46589
_malloc.LIBCMT ref: 00B46594
_malloc.LIBCMT ref: 00B465A3
GetProcessHeap.KERNEL32(00000000,00000004), ref: 00B465BA
RtlAllocateHeap.NTDLL(00000000), ref: 00B465C3
GetProcessHeap.KERNEL32(00000000,00000400), ref: 00B465D2
RtlAllocateHeap.NTDLL(00000000), ref: 00B465D5
GetProcessHeap.KERNEL32(00000000,00000400), ref: 00B465E0
RtlAllocateHeap.NTDLL(00000000), ref: 00B465E3
_memset.LIBCMT ref: 00B465F6
_memset.LIBCMT ref: 00B46602
_memset.LIBCMT ref: 00B4660F
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B4661D
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B4662A
_malloc.LIBCMT ref: 00B4664E
_malloc.LIBCMT ref: 00B4665C
_malloc.LIBCMT ref: 00B46663
_malloc.LIBCMT ref: 00B46689
QueryPerformanceCounter.KERNEL32(00000200), ref: 00B4669C
Sleep.KERNELBASE ref: 00B466AA
_malloc.LIBCMT ref: 00B466B6
_malloc.LIBCMT ref: 00B466C3
_memset.LIBCMT ref: 00B466D8
_memset.LIBCMT ref: 00B466E8
Sleep.KERNELBASE(0000EA60), ref: 00B46704
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B4670F
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B46720
_memset.LIBCMT ref: 00B46775
_memset.LIBCMT ref: 00B46784

Strings

strcat, xrefs: 00B464D8
zGi, xrefs: 00B464FA
ntdll.dll, xrefs: 00B464C2, 00B464CC, 00B464DD
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00B46735
cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 00B4666B
sprintf, xrefs: 00B464C7

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat$zGi
API String ID: 2251652938-1892911702
Opcode ID: 0c42990c56f3bdbe9be32ee5e138efb0d4885039e5a7dd189455f649c0508d5e
Instruction ID: 29acb80add1c6bdd38f57e327cf2e4073121a731860c8fe71be0e060b6e5a754
Opcode Fuzzy Hash: 0c42990c56f3bdbe9be32ee5e138efb0d4885039e5a7dd189455f649c0508d5e
Instruction Fuzzy Hash: B171C872D8D340AFD3106F34AC49B5B7BE8AF46314F1008ADF949A7291DFB85845CBA6

Function 00401B4B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B

Strings

GetAdaptersInfo, xrefs: 00401B6E
o, xrefs: 00401BF2
iphlpapi.dll, xrefs: 00401B58

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll$o
API String ID: 514930453-3667123677
Opcode ID: a3c77d1947fac9ed500e02c632cb5410261389502922d6f95d8c76429a6c9e05
Instruction ID: 2fcbbae68a7f2e143e0ba6fa3878dab2488d9b05c73812711a2b91e8578584ab
Opcode Fuzzy Hash: a3c77d1947fac9ed500e02c632cb5410261389502922d6f95d8c76429a6c9e05
Instruction Fuzzy Hash: E521A770904109AEEF119B65CD447EF7BB8EF41344F1440BAD504B22E1E7789985CB69

Function 00B4F955 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00B4F96B
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00B4F984
GetAdaptersInfo.IPHLPAPI(?,?), ref: 00B4F9A9
FreeLibrary.KERNEL32(00000000), ref: 00B4FA32

Strings

GetAdaptersInfo, xrefs: 00B4F97E
iphlpapi.dll, xrefs: 00B4F95F

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll
API String ID: 514930453-3114217049
Opcode ID: 0600b64ecbca86a792d1c1103acf6b6ff6a31c7735bd58500c65c34d16848de8
Instruction ID: 2a5a72c08d15cfc4cdd887e76b39e45ec72c3778ce51d07e5b384bf8df6a0fa1
Opcode Fuzzy Hash: 0600b64ecbca86a792d1c1103acf6b6ff6a31c7735bd58500c65c34d16848de8
Instruction Fuzzy Hash: E421A275E0420AABDB10CBA998846FEBBF8EF05310F1440F9E908E7251DB34CE45DBA1

Function 00B4F851 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00B4F870
DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 00B4F8AE
GetLastError.KERNEL32 ref: 00B4F90F
FindCloseChangeNotification.KERNELBASE(?), ref: 00B4F946

Strings

\\.\PhysicalDrive0, xrefs: 00B4F869

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
String ID: \\.\PhysicalDrive0
API String ID: 3786717961-1180397377
Opcode ID: 2f58a588217da73d52b3283c43bdf14edcdc861ee6bd5809bc4653df96a25bf9
Instruction ID: c5e57bcfc635345b9023f764b80e5eeadd7a26197bd4a4a6b296991df400ffd0
Opcode Fuzzy Hash: 2f58a588217da73d52b3283c43bdf14edcdc861ee6bd5809bc4653df96a25bf9
Instruction Fuzzy Hash: 6C317071E0421AEBDB14CF94D884BBEBBF9EB05754F2041A9E505A7280DB745F05EBA0

Function 00401A4F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
GetLastError.KERNEL32 ref: 00401B0E
FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D

Strings

\\.\PhysicalDrive0, xrefs: 00401A63

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
String ID: \\.\PhysicalDrive0
API String ID: 3786717961-1180397377
Opcode ID: 87e5aa96cf8bbfa53ba141c063bc04efd036a70200bde10c5f99651d25558048
Instruction ID: 04828827cee311aa1ccd055820d70034eb57b3ddca3c9d8c28a7d5788a1782d0
Opcode Fuzzy Hash: 87e5aa96cf8bbfa53ba141c063bc04efd036a70200bde10c5f99651d25558048
Instruction Fuzzy Hash: 43318D71D00118EADB21AFA5CD849EFBBB9FF41750F20407AE554B22A0E7785E45CB98

Function 00B46443 Relevance: 84.2, APIs: 42, Strings: 6, Instructions: 245
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(00B771D8), ref: 00B464B6
GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 00B464CD
GetProcAddress.KERNEL32(00000000), ref: 00B464D6
GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 00B464E5
GetProcAddress.KERNEL32(00000000), ref: 00B464E8
GetTickCount.KERNEL32 ref: 00B464F4
GetVersionExA.KERNEL32(00B77030), ref: 00B46521
_memset.LIBCMT ref: 00B46540
_malloc.LIBCMT ref: 00B4654D
_malloc.LIBCMT ref: 00B4655D
_malloc.LIBCMT ref: 00B46568
_malloc.LIBCMT ref: 00B46573
_malloc.LIBCMT ref: 00B4657E
_malloc.LIBCMT ref: 00B46589
_malloc.LIBCMT ref: 00B46594
_malloc.LIBCMT ref: 00B465A3
GetProcessHeap.KERNEL32(00000000,00000004), ref: 00B465BA
RtlAllocateHeap.NTDLL(00000000), ref: 00B465C3
GetProcessHeap.KERNEL32(00000000,00000400), ref: 00B465D2
RtlAllocateHeap.NTDLL(00000000), ref: 00B465D5
GetProcessHeap.KERNEL32(00000000,00000400), ref: 00B465E0
RtlAllocateHeap.NTDLL(00000000), ref: 00B465E3
_memset.LIBCMT ref: 00B465F6

Strings

strcat, xrefs: 00B464D8
zGi, xrefs: 00B464FA
ntdll.dll, xrefs: 00B464C2, 00B464CC, 00B464DD
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00B46735
cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 00B4666B
sprintf, xrefs: 00B464C7

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc_memset$CountCriticalInitializeSectionTickVersion
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat$zGi
API String ID: 3095297975-1892911702
Opcode ID: 00f8fd22287712c616db3cec4d99f3e52e111fe7b1c12eb12934597ba3bd7c9a
Instruction ID: f211870dadaec9cf56bb2920304bfe8125e368099e096b3f68361f86b2a97633
Opcode Fuzzy Hash: 00f8fd22287712c616db3cec4d99f3e52e111fe7b1c12eb12934597ba3bd7c9a
Instruction Fuzzy Hash: E381D771A8D3409FD3106F75AC45B5B7BE4AF86314F0008AEF94997292DFB84849CBA6

Function 00B41CF8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 105
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B41D11
GetLastError.KERNEL32 ref: 00B41D23

Part of subcall function 00B41712: __EH_prolog.LIBCMT ref: 00B41717

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B41D59
GetLastError.KERNEL32 ref: 00B41D6B
__beginthreadex.LIBCMT ref: 00B41DB1
GetLastError.KERNEL32 ref: 00B41DC6
CloseHandle.KERNEL32(00000000), ref: 00B41DDD
CloseHandle.KERNEL32(00000000), ref: 00B41DEC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B41E14
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00B41E1B

Strings

thread.exit_event, xrefs: 00B41D84
thread.entry_event, xrefs: 00B41D3C
thread, xrefs: 00B41DFB

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CloseErrorLast$CreateEventHandle$ChangeFindH_prologNotificationObjectSingleWait__beginthreadex
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 4246062733-3017686385
Opcode ID: 29ae36bb53e6bdad6db3117828aa0bb534164350db5c0af0d56373f3d828e6c6
Instruction ID: f5923474fa971112001ae3332181151ab2605bb3235778e86cb58ed21bb65cd2
Opcode Fuzzy Hash: 29ae36bb53e6bdad6db3117828aa0bb534164350db5c0af0d56373f3d828e6c6
Instruction Fuzzy Hash: 51318B71A043019FD700EF24C848B2BBBE5FB84755F1049ADF9558B2A1DB749D89CBA2

Function 00B44D86 Relevance: 16.8, APIs: 11, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B44D8B
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B44DB7
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B44DC3

Part of subcall function 00B44BED: __EH_prolog.LIBCMT ref: 00B44BF2
Part of subcall function 00B44BED: InterlockedExchange.KERNEL32(?,00000000), ref: 00B44CF2

RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B44E93
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B44E99
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B44EA0
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B44EA6
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B450A7
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B450AD
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B450B8
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B450C1

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
String ID:
API String ID: 2062355503-0
Opcode ID: a844a4f10fadb17461deec65689c91ad8ff45b3d921ef0c8003526d291bf1a96
Instruction ID: 5025b14d37636d88a91ec3bc92258dbdb51dc7845bcf4488927568c5f055df2c
Opcode Fuzzy Hash: a844a4f10fadb17461deec65689c91ad8ff45b3d921ef0c8003526d291bf1a96
Instruction Fuzzy Hash: 22B14771D4425DAFDF25DFA0C841BEDBBF4AF04304F14409AE808B6281DBB85A49DFA2

Function 00B47B9F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(0000EA60), ref: 00B46704
RtlEnterCriticalSection.NTDLL(00B771D8), ref: 00B4670F
RtlLeaveCriticalSection.NTDLL(00B771D8), ref: 00B46720
_memset.LIBCMT ref: 00B46775
_memset.LIBCMT ref: 00B46784
_free.LIBCMT ref: 00B47B4C

Part of subcall function 00B4534D: _malloc.LIBCMT ref: 00B4535D
Part of subcall function 00B4534D: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 00B4536F

Strings

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00B46735

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSection_memset$EnterFolderLeavePathSleepSpecial_free_malloc
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
API String ID: 3548789407-1923541051
Opcode ID: 63faa01204cd44fd439316d86050b5127c545a009451e200bf428863ac66011c
Instruction ID: fe4ed3476006b73bd41763129f88a73fd3592ff006cbcf74f7864dfd0640b656
Opcode Fuzzy Hash: 63faa01204cd44fd439316d86050b5127c545a009451e200bf428863ac66011c
Instruction Fuzzy Hash: A411363194C3409FD711AF209C8476E7BE0EF57714F6008E9F982AB292CBA05E04E753

Function 00401F64 Relevance: 12.1, APIs: 8, Instructions: 121
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
GetLastError.KERNEL32 ref: 00401F86
SizeofResource.KERNEL32(00000000), ref: 00401F93
LoadResource.KERNEL32(00000000), ref: 00401FAD
LockResource.KERNEL32(00000000), ref: 00401FB4
GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
GetTickCount.KERNEL32 ref: 00401FFB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
String ID:
API String ID: 564119183-0
Opcode ID: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
Instruction ID: 6227662f3afde43d5576465443d89a1ce2d87db52467ebd9ddb435d6f9af9923
Opcode Fuzzy Hash: cf410bcafb83c3e7ab838bb09d8b52e2eecc876fdde86efd7a07cb304e42b138
Instruction Fuzzy Hash: 68316E31A00255AFDB105FB49F8896F7F68EF45344F10807AFE86F7291DA748845C7A8

Function 00B426DB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00B42706
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 00B4272B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B65B03), ref: 00B42738

Part of subcall function 00B41712: __EH_prolog.LIBCMT ref: 00B41717

SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 00B42778
RtlLeaveCriticalSection.NTDLL(?), ref: 00B427D9

Strings

timer, xrefs: 00B42745

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID: timer
API String ID: 4293676635-1792073242
Opcode ID: 74c673c753815f64d8c2e2370af6553aa55a37d7510201a60f834a0f93791c99
Instruction ID: 81357c5f7ac6c382653718f435eb6d12fabf12f0926e508c79b5c76a085151c7
Opcode Fuzzy Hash: 74c673c753815f64d8c2e2370af6553aa55a37d7510201a60f834a0f93791c99
Instruction Fuzzy Hash: 4331C1B1908701AFD310DF25C985B26BBE8FB48725F004AADF85583A80DB74EE04DBA1

Function 00B42B95 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000), ref: 00B42BE4
WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 00B42C07

Part of subcall function 00B4A4B7: WSAGetLastError.WS2_32(00000000,?,?,00B42A51), ref: 00B4A4C5

WSASetLastError.WS2_32 ref: 00B42CD3
select.WS2_32(?,?,00000000,00000000,00000000), ref: 00B42CE7

Strings

3', xrefs: 00B42C85

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Recvselect
String ID: 3'
API String ID: 886190287-280543908
Opcode ID: a50250d7544b0801b818df0835d8a8186d82348a6e6cf0fc56b997941bb0629c
Instruction ID: 08f87d3359292ffcacab6f4087871933dc0565c83470b929b6f2b56dfecf8231
Opcode Fuzzy Hash: a50250d7544b0801b818df0835d8a8186d82348a6e6cf0fc56b997941bb0629c
Instruction Fuzzy Hash: 0241BDB09193018FD710EF64C44476BBBE8FF84315F5009AEF895C3291EBB4DA44AB92

Function 00402EF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00402F16

Part of subcall function 00404034: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F4F,00000000), ref: 00404045
Part of subcall function 00404034: HeapDestroy.KERNEL32 ref: 00404084

GetCommandLineA.KERNEL32 ref: 00402F64
GetStartupInfoA.KERNEL32(?), ref: 00402F8F
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402FB2

Part of subcall function 0040300B: ExitProcess.KERNEL32 ref: 00403028

Strings

Y, xrefs: 00402F7E

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID: Y
API String ID: 2057626494-4136946213
Opcode ID: 2a5b16c506521380fd9b5f66b06519665ea10880a1b1eb47f363de886a19e373
Instruction ID: 31bd938ea51fadde60a3d0ec437c396cd65a6e637b97124abe794e54387ab133
Opcode Fuzzy Hash: 2a5b16c506521380fd9b5f66b06519665ea10880a1b1eb47f363de886a19e373
Instruction Fuzzy Hash: 19216DB1800615AAD714AFA6DE49A6E7FB8EB44719F10413FF505BB2D1DB385500CA58

Function 00B429EE Relevance: 7.6, APIs: 5, Instructions: 79
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000), ref: 00B42A3B
closesocket.WS2_32 ref: 00B42A42
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 00B42A89
WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 00B42A97
closesocket.WS2_32 ref: 00B42A9E

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocket$ioctlsocket
String ID:
API String ID: 1561005644-0
Opcode ID: 646a83dccd4749a29b929bcc98fec35fb0a139c60d1e7f15acf2869740f35cdf
Instruction ID: a421d66e2ef23a3701ba9cbae69614fb01e4809df09b36617ddf82344dd40a5b
Opcode Fuzzy Hash: 646a83dccd4749a29b929bcc98fec35fb0a139c60d1e7f15acf2869740f35cdf
Instruction Fuzzy Hash: 2D212575A00305ABDB20ABB88C08B6EB7E8EF44315F1545EAFD55C3291EEB4CE44EB51

Function 00B41BA7 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B41BAC
RtlEnterCriticalSection.NTDLL ref: 00B41BBC
RtlLeaveCriticalSection.NTDLL ref: 00B41BEA
RtlEnterCriticalSection.NTDLL ref: 00B41C13
RtlLeaveCriticalSection.NTDLL ref: 00B41C56

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 44dc98d814345a0d4780afbf9721fd8329688c26ccbd17ab5ad4849b989b4757
Instruction ID: 78621855228a00d2b5efa24b42d997935d0609bba6882436890a4b3325b73d33
Opcode Fuzzy Hash: 44dc98d814345a0d4780afbf9721fd8329688c26ccbd17ab5ad4849b989b4757
Instruction Fuzzy Hash: 5F218B75A04214AFCB14CF68C88479ABBF8FF48714F108989E8559B342DBB4EE41CBA0

Function 00402845 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26timeCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?), ref: 004028F2
CommandLineToArgvW.SHELL32(00000000), ref: 004028F9
GetLocalTime.KERNEL32(0040C2B8), ref: 0040D3C6

Strings

/chk, xrefs: 0040D44C

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: CommandLine$ArgvLocalTime
String ID: /chk
API String ID: 3768950922-3837807730
Opcode ID: 58e77e24c0e44735d9c25947b9bd7a71b097def894af762cde97e617ba063816
Instruction ID: f8a697a6ba56cfa0421d3161c88fb5920d4a750ed1aa0ba2803a0c5cf8bd7934
Opcode Fuzzy Hash: 58e77e24c0e44735d9c25947b9bd7a71b097def894af762cde97e617ba063816
Instruction Fuzzy Hash: 59E06D75C08202EEC7007BE0AF098AC77B4AA08301320817FE556B51D0CB7C548AAB2F

Function 00B42EDD Relevance: 6.0, APIs: 4, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00B42EEE
WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00B42EFD
WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00B42F0C
setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 00B42F36

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Socketsetsockopt
String ID:
API String ID: 2093263913-0
Opcode ID: cac4c65e60711e601544ece4b3d0f2308f3559f132f27540d944449bec6c9cce
Instruction ID: 2778805bfba702345969a07abab7d50730d71ef2de0508b76fd6e937d925ab4f
Opcode Fuzzy Hash: cac4c65e60711e601544ece4b3d0f2308f3559f132f27540d944449bec6c9cce
Instruction Fuzzy Hash: 2001B571511204BBDB209F65DC88F9ABBA8EB8A721F0085A5F9188B191DAB489008BA0

Function 00B42DB5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B42D39: WSASetLastError.WS2_32(00000000), ref: 00B42D47
Part of subcall function 00B42D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 00B42D5C

WSASetLastError.WS2_32(00000000), ref: 00B42E6D
select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 00B42E83

Strings

3', xrefs: 00B42E22

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Sendselect
String ID: 3'
API String ID: 2958345159-280543908
Opcode ID: f893f37a923daa2b0fbe9ff24c91e73c713c96dbf554d623a599838d5fc41c1e
Instruction ID: 0413e535f7645353a313f0a358e7b364edc5e2d295c10f270b123c711e7a6dae
Opcode Fuzzy Hash: f893f37a923daa2b0fbe9ff24c91e73c713c96dbf554d623a599838d5fc41c1e
Instruction Fuzzy Hash: 3E31C2B0E112099FDF10EFA4C845BEE7BE9EF05314F4445E9FC0597281E7749A44ABA0

Function 00B42AC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00B42AEA
connect.WS2_32(?,?,?), ref: 00B42AF5

Strings

3', xrefs: 00B42B3B

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ErrorLastconnect
String ID: 3'
API String ID: 374722065-280543908
Opcode ID: e5f540aa8c9792cf0dc5c26aa137976627127986e4e1b0379a955e4dd4c1fd7b
Instruction ID: b318ce7b8f999233fa95160c665f69d99ad91c763724ad5428750f14abee1711
Opcode Fuzzy Hash: e5f540aa8c9792cf0dc5c26aa137976627127986e4e1b0379a955e4dd4c1fd7b
Instruction Fuzzy Hash: 7721A470E11204ABCF10AFA8C415ABEBBF9EF44324F5485D9FC1993381DBB48B05AB91

Function 00B4353E Relevance: 4.6, APIs: 3, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B43543

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0f4b2e5c1e9efb2d09c90cfaa38843a313baafe71ca6ae62b935dea1ee2e5f27
Instruction ID: 69dbe524deaa5f79490b32d6dea68a39d3932c37985d0e5596c016e2007059a3
Opcode Fuzzy Hash: 0f4b2e5c1e9efb2d09c90cfaa38843a313baafe71ca6ae62b935dea1ee2e5f27
Instruction Fuzzy Hash: 52514CB1905216DFCB08DF68C441AAABBF0FF18720F15819EF8299B391D7749A10DFA1

Function 00B4369A Relevance: 4.6, APIs: 3, Instructions: 60COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 00B436A7

Part of subcall function 00B42420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00B42432
Part of subcall function 00B42420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00B42445
Part of subcall function 00B42420: RtlEnterCriticalSection.NTDLL(?), ref: 00B42454
Part of subcall function 00B42420: InterlockedExchange.KERNEL32(?,00000001), ref: 00B42469
Part of subcall function 00B42420: RtlLeaveCriticalSection.NTDLL(?), ref: 00B42470

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
String ID:
API String ID: 1601054111-0
Opcode ID: 83b1d17cdc21bb210cca1a4b1cddda973b8f0371331308f6ac206335290259f8
Instruction ID: 5c94a6cabfef0ae6db3c501b968d8e6fbaf95ef49adad31ef8157339b06598f0
Opcode Fuzzy Hash: 83b1d17cdc21bb210cca1a4b1cddda973b8f0371331308f6ac206335290259f8
Instruction Fuzzy Hash: 4011C4B5104209ABDF218F14CC85FAA3BE5EF40B64F144056FA96C72D0CB74DF60AB95

Function 00B520A0 Relevance: 4.5, APIs: 3, Instructions: 42threadCOMMON

Download Yara Rule

APIs

__beginthreadex.LIBCMT ref: 00B520B6
CloseHandle.KERNEL32(?,?,?,?,?,00000002,00B4A937,00000000), ref: 00B520E7
ResumeThread.KERNELBASE(?,?,?,?,?,00000002,00B4A937,00000000), ref: 00B520F5

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CloseHandleResumeThread__beginthreadex
String ID:
API String ID: 1685284544-0
Opcode ID: 4190d4cedecf1f8b634e06fe9bf557666fb42b18edbc282fd5741541fa1f6ba4
Instruction ID: 76680cba8370a0564095044e2ee332122b2997bca8c7a47472ded3fd22b4202a
Opcode Fuzzy Hash: 4190d4cedecf1f8b634e06fe9bf557666fb42b18edbc282fd5741541fa1f6ba4
Instruction Fuzzy Hash: 77F0C8702412005BD7209F5CDC80F9173D8EF49725F14459AF944D73D1C7B1AC86CA90

Function 00B41AA9 Relevance: 4.5, APIs: 3, Instructions: 18networkCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00B7729C), ref: 00B41ABA
WSAStartup.WS2_32(00000002,00000000), ref: 00B41ACB
InterlockedExchange.KERNEL32(00B772A0,00000000), ref: 00B41AD7

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Interlocked$ExchangeIncrementStartup
String ID:
API String ID: 1856147945-0
Opcode ID: 0328f15bb9361777ff98533b70b1c8ab31f1d8e0df5029b3439cbf8db0f24fae
Instruction ID: 6e4066079f12bf23bc53545de87f6d0032ae8a78e8e76ce29656a0d5aad8bf3b
Opcode Fuzzy Hash: 0328f15bb9361777ff98533b70b1c8ab31f1d8e0df5029b3439cbf8db0f24fae
Instruction Fuzzy Hash: 48D05E319DC2085BD22067B4AC0EA7877ACE706729F400292FD79C20E1EE946A1089A6

Function 0040D460 Relevance: 4.5, APIs: 3, Instructions: 8registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNELBASE ref: 0040D460
RegCloseKey.KERNELBASE(?), ref: 0040D469

Part of subcall function 004022CB: WaitForSingleObject.KERNEL32(00000000,004090A8), ref: 0040D307

ExitProcess.KERNEL32 ref: 0040DA91

Memory Dump Source

Source File: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: CloseExitObjectProcessSingleValueWait
String ID:
API String ID: 2192842637-0
Opcode ID: 1b9f23a41c0e40b0f9311fce3c8bd035e8c111fac712162ec3806c88e8d3c095
Instruction ID: 6b2c0eb9daf1d9ed9b036e29818b5d03816b1997dab4dfffd8741184c018fce9
Opcode Fuzzy Hash: 1b9f23a41c0e40b0f9311fce3c8bd035e8c111fac712162ec3806c88e8d3c095
Instruction Fuzzy Hash: EBC048B5804400ABC7402BF0AF5D91D3E68BB0830AB12587DB682B00A28E7840499F2D

Function 0040D3AB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(0040C2B8), ref: 0040D3C6

Strings

/chk, xrefs: 0040D44C

Memory Dump Source

Source File: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: LocalTime
String ID: /chk
API String ID: 481472006-3837807730
Opcode ID: 719ccb32c6d0f1224c08b4e1637f7109be7b56e533cc931ac7d4392f13334026
Instruction ID: bfeb034239b7c7118683ac587487231c4a8ae608a4ee2d3b9eda992131e4dc08
Opcode Fuzzy Hash: 719ccb32c6d0f1224c08b4e1637f7109be7b56e533cc931ac7d4392f13334026
Instruction Fuzzy Hash: 4CE08630C18743E9D7117BA0CD088987FB1AB51314760463FE1A2754E1D73D549AEF4E

Function 00B44BED Relevance: 3.1, APIs: 2, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B44BF2

Part of subcall function 00B41BA7: __EH_prolog.LIBCMT ref: 00B41BAC
Part of subcall function 00B41BA7: RtlEnterCriticalSection.NTDLL ref: 00B41BBC
Part of subcall function 00B41BA7: RtlLeaveCriticalSection.NTDLL ref: 00B41BEA
Part of subcall function 00B41BA7: RtlEnterCriticalSection.NTDLL ref: 00B41C13
Part of subcall function 00B41BA7: RtlLeaveCriticalSection.NTDLL ref: 00B41C56

Part of subcall function 00B4E0A6: __EH_prolog.LIBCMT ref: 00B4E0AB
Part of subcall function 00B4E0A6: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00B4E12A

InterlockedExchange.KERNEL32(?,00000000), ref: 00B44CF2

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
String ID:
API String ID: 1927618982-0
Opcode ID: 753151d662c19d2cbde4d0eaeabdf10dfbc9244e91e596a6f85c9926ab0d5069
Instruction ID: f0cfd7ff87b0a45baec5fbf273bfa9810343fb4fddbb50f4a11f72aeaf4b01d3
Opcode Fuzzy Hash: 753151d662c19d2cbde4d0eaeabdf10dfbc9244e91e596a6f85c9926ab0d5069
Instruction Fuzzy Hash: 7A512771D042489FDB15DFA8C885AEEBBF4FF18310F1480AAE805AB352DB709A44DB50

Function 00B42D39 Relevance: 3.0, APIs: 2, Instructions: 50networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00B42D47
WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 00B42D5C

Part of subcall function 00B4A4B7: WSAGetLastError.WS2_32(00000000,?,?,00B42A51), ref: 00B4A4C5

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Send
String ID:
API String ID: 1282938840-0
Opcode ID: 2e0cc2a8b90d7fd01dfd0ddfffaf39319bdf88aaad3bb0c110ee4b36a3444cb4
Instruction ID: cafb647a51f3300382b0a20864f751feecdd752fe0d2b75bfba9c76d1ba40979
Opcode Fuzzy Hash: 2e0cc2a8b90d7fd01dfd0ddfffaf39319bdf88aaad3bb0c110ee4b36a3444cb4
Instruction Fuzzy Hash: B401A7B5905205EFD7206F94C88486BBBFCFF45365B2005BEF85993250DF749E00ABA1

Function 00B48398 Relevance: 3.0, APIs: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00B483B5
shutdown.WS2_32(?,00000002), ref: 00B483BE

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ErrorLastshutdown
String ID:
API String ID: 1920494066-0
Opcode ID: ef8c223e745f5f85b0933c6eadd5106798f23e04e60defda418fda80de318c6f
Instruction ID: e16cf82ac89b71f2e0cdeb7e06654636eb599633ed4924eb0b5fa491472709bf
Opcode Fuzzy Hash: ef8c223e745f5f85b0933c6eadd5106798f23e04e60defda418fda80de318c6f
Instruction Fuzzy Hash: DDF0FA71604310CFC720AF28E811B5A77E4FF08720F014888FDA5933D1CBB0AC008BA1

Function 00404034 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F4F,00000000), ref: 00404045

Part of subcall function 00403EEC: GetVersionExA.KERNEL32 ref: 00403F0B

HeapDestroy.KERNEL32 ref: 00404084

Part of subcall function 0040440B: HeapAlloc.KERNEL32(00000000,00000140,0040406D,000003F8), ref: 00404418

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
Instruction ID: 795a75c142ce263548137c971673ec0d69254cf7c95aacf64765c85fef2462b4
Opcode Fuzzy Hash: 785e23c1ed37029bd7fa1e4a136f418f238003ec06b3befa2c01f286c825b2ce
Instruction Fuzzy Hash: E9F065F060530199DB205F749F45B2A35989BC0765F10453FFB40F41D0EB788481990E

Function 00B45119 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B4511E

Part of subcall function 00B43D7E: htons.WS2_32(?), ref: 00B43DA2
Part of subcall function 00B43D7E: htonl.WS2_32(00000000), ref: 00B43DB9
Part of subcall function 00B43D7E: htonl.WS2_32(00000000), ref: 00B43DC0

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: htonl$H_prologhtons
String ID:
API String ID: 4039807196-0
Opcode ID: 118c025f7a56e9b6b96b8e05b4a3b6834db219742291d5ace53bc8560a441fad
Instruction ID: cae347e9eecaef7a100b5900c66096742f4ae71a9f9e546d6b0ba16674602893
Opcode Fuzzy Hash: 118c025f7a56e9b6b96b8e05b4a3b6834db219742291d5ace53bc8560a441fad
Instruction Fuzzy Hash: 478133B1C0460E8FCF15DFA8D0809EEBBF5EB48310F1481AAE851B7241EA755B05EFA5

Function 00B7E77D Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,16049F3D), ref: 00B9F814

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B7A000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b7a000_recordpadsoundrecorder32.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3c4d18e7bfe1cd9132d015755601739588dfa2b39a92e35f03a92d99e666ccc2
Instruction ID: e2fc46ae09bd88c8fa4bf0162a953cb229e88131ea1b76d04580cd822f0ac339
Opcode Fuzzy Hash: 3c4d18e7bfe1cd9132d015755601739588dfa2b39a92e35f03a92d99e666ccc2
Instruction Fuzzy Hash: 8B416CB250C6049FE709BF29DCD5779BBE5EB54310F16093DE6C293340EA3569448B8B

Function 00B7E69B Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,16049F3D), ref: 00B9F814

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B7A000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b7a000_recordpadsoundrecorder32.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 172c2e20020e0095825ac449459bebe9d73a3d856d639e3976f14e1e61c77f24
Instruction ID: d77acd300fbed5944d23cb5544c3bb5124d32685a9600c825791669f165811fe
Opcode Fuzzy Hash: 172c2e20020e0095825ac449459bebe9d73a3d856d639e3976f14e1e61c77f24
Instruction Fuzzy Hash: 15314CB251C6009FE70DBF28CC95679BBE5FB68310F060A3DE6D683350EA3564448B4B

Function 00B7E6FF Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,16049F3D), ref: 00B9F814

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B7A000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b7a000_recordpadsoundrecorder32.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4e9b365c04a151068604c5e9ae79ebc7b4e58fc521cce118266fe5f1124640d2
Instruction ID: 4a5d5da7002d03d18692e7c565facb9b377a04e2f80244d1aa7514913a6ad229
Opcode Fuzzy Hash: 4e9b365c04a151068604c5e9ae79ebc7b4e58fc521cce118266fe5f1124640d2
Instruction Fuzzy Hash: FB215EB251D6009FE70DBF28D89567ABBE5FB58210F06093DEAC283340EA356554C78B

Function 00B4E96F Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B4E974

Part of subcall function 00B41A01: TlsGetValue.KERNEL32 ref: 00B41A0A

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: a42a2aa5daf7ff508375e57dbbea60b1c3189117e00fad5e24e6495471646218
Instruction ID: c0ef50bb48a91f9059c9a7d84680798d0446d755d9aedd2827fd2576e9744776
Opcode Fuzzy Hash: a42a2aa5daf7ff508375e57dbbea60b1c3189117e00fad5e24e6495471646218
Instruction Fuzzy Hash: 95214CB2904219AFDB04DFA8D581AFEBBF8FF48310F10416AE915A7241D771EA01DBA1

Function 00BB8560 Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00BD0475

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B7A000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b7a000_recordpadsoundrecorder32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 9689b5320f7d83666dfa80ad1824c8e75f1bfb00e509ed712c9617442d363f13
Instruction ID: 37b3d24475a9f9689ebb51c97cf571fbc4f23450f82d02ef48d2b5dcbcdc60ba
Opcode Fuzzy Hash: 9689b5320f7d83666dfa80ad1824c8e75f1bfb00e509ed712c9617442d363f13
Instruction Fuzzy Hash: 0611E2F3908624AFD3016A19DC40BBABBE8DF94771F17052EEBC8D3740EA71484086D6

Function 00B433B2 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00B433CC

Part of subcall function 00B432AB: __EH_prolog.LIBCMT ref: 00B432B0
Part of subcall function 00B432AB: RtlEnterCriticalSection.NTDLL(?), ref: 00B432C3
Part of subcall function 00B432AB: RtlLeaveCriticalSection.NTDLL(?), ref: 00B432EF

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
String ID:
API String ID: 1518410164-0
Opcode ID: 58e4f9616e4cee7be32dbe0c1dd83adaec1a766aa41bb9a5c30e54a806b3716b
Instruction ID: 11f464ddc9682f4fb2e56ecb4441bf95920c7184d4dad3a87625398db31ad9af
Opcode Fuzzy Hash: 58e4f9616e4cee7be32dbe0c1dd83adaec1a766aa41bb9a5c30e54a806b3716b
Instruction Fuzzy Hash: 47018071214606AFD704DF59D886F55BBE9FF44320B14835AE828872C0EB70EE11CBA4

Function 00B9C99B Relevance: 1.5, APIs: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00BD22D0

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B7A000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b7a000_recordpadsoundrecorder32.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b7d4c12825b55ba4ab277430bda144fa6d94fb2f8286ff844c1a7990ea4778bf
Instruction ID: fb137dc9da0a69ed58a0749a5f52a92b3db4b44a4c3df55c06602de0e9adc1a9
Opcode Fuzzy Hash: b7d4c12825b55ba4ab277430bda144fa6d94fb2f8286ff844c1a7990ea4778bf
Instruction Fuzzy Hash: FC0129B250C604EFE3046F09DC8166EFBE9EFA5710F06482DEAD483310E771A8509B57

Function 00B4E4FF Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B4E504

Part of subcall function 00B426DB: RtlEnterCriticalSection.NTDLL(?), ref: 00B42706
Part of subcall function 00B426DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 00B4272B
Part of subcall function 00B426DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B65B03), ref: 00B42738
Part of subcall function 00B426DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 00B42778
Part of subcall function 00B426DB: RtlLeaveCriticalSection.NTDLL(?), ref: 00B427D9

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID:
API String ID: 4293676635-0
Opcode ID: 030972c7619218f8a109bd016ca18b35d3be15fb63b21aaeeb001e3c7f1ca299
Instruction ID: 0115422a1b926eb4ad9071c279c26959fe31ab2b292b3799925b5c06bed2c320
Opcode Fuzzy Hash: 030972c7619218f8a109bd016ca18b35d3be15fb63b21aaeeb001e3c7f1ca299
Instruction Fuzzy Hash: 600190B1911B049FC718DF1AC544955FBF4EF88310B15C5AE94498B721E7B59A40DF90

Function 0040D7C5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028445289e1d17ca44fd6ddc857260208a147ec373c43258bce9f01103d35b43
Instruction ID: 35407e72e644422b4f690bcc2f847b3216d51792f8b5999b125aecd84f82dc6f
Opcode Fuzzy Hash: 028445289e1d17ca44fd6ddc857260208a147ec373c43258bce9f01103d35b43
Instruction Fuzzy Hash: 9FE0C260659403AEE98229D04EA497B3F4CD94138C3704536E2F3B21D3C727CD0B61EE

Function 00B4E2DE Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B4E2E3

Part of subcall function 00B53AFC: _malloc.LIBCMT ref: 00B53B14

Part of subcall function 00B4E4FF: __EH_prolog.LIBCMT ref: 00B4E504

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog$_malloc
String ID:
API String ID: 4254904621-0
Opcode ID: 874668bf94d4f9474ffa9a2972aaa5c9bea5f09f795cd3ad4fb6099ac6277073
Instruction ID: d5a38d82d35902163584b81d8b8a4dba61c93c0b530bf2a14fa58151bede18ad
Opcode Fuzzy Hash: 874668bf94d4f9474ffa9a2972aaa5c9bea5f09f795cd3ad4fb6099ac6277073
Instruction Fuzzy Hash: 18E0C2B1A10249AFDF0DEF6CD80272D77E1EB04700F0041EDB809D6340DF749A009614

Function 00B53402 Relevance: 1.5, APIs: 1, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B55C0A: __getptd_noexit.LIBCMT ref: 00B55C0B
Part of subcall function 00B55C0A: __amsg_exit.LIBCMT ref: 00B55C18

Part of subcall function 00B53443: __getptd_noexit.LIBCMT ref: 00B53447
Part of subcall function 00B53443: __freeptd.LIBCMT ref: 00B53461
Part of subcall function 00B53443: RtlExitUserThread.NTDLL(?,00000000,?,00B53423,00000000), ref: 00B5346A

__XcptFilter.LIBCMT ref: 00B5342F

Part of subcall function 00B58D44: __getptd_noexit.LIBCMT ref: 00B58D48

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
String ID:
API String ID: 1405322794-0
Opcode ID: dda7035828d14a3b37c8cbeced5cb5602e7387e8b319936f60d4513efea73752
Instruction ID: bb1dde10f84e25c31f6e637c39db9064d70cdcdf5b61f35cb18149d47cf54b14
Opcode Fuzzy Hash: dda7035828d14a3b37c8cbeced5cb5602e7387e8b319936f60d4513efea73752
Instruction Fuzzy Hash: BEE0ECB59056009FDB08BBA4D916F2D77F5EF04712F2104D8F501AB3B2DA7599449A21

Function 00BA17B2 Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00BC1C30

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B7A000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B7A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b7a000_recordpadsoundrecorder32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 35cde6cefd71537a398ef40ed17dd88cd3098b09672855020db01a80ee65f499
Instruction ID: f9a9bfe7306d5a5b5087896d0752156a416a27041cb34c81b40bf7b6dceb8956
Opcode Fuzzy Hash: 35cde6cefd71537a398ef40ed17dd88cd3098b09672855020db01a80ee65f499
Instruction Fuzzy Hash: 28D017F285C208EBD3123A45EC8176BB6A0AB15340F1A0968D79202250FA26AA249AD7

Function 0040D07A Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE(?,00000000), ref: 0040DAAA

Memory Dump Source

Source File: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cb0e7b76a640d08c499b35eeede7cfcdb4648d5495989a2d1e2ae0225391a306
Instruction ID: c516dca2397b2fac07020e058ced903cfa4834765396f8b763ac0801263e45c8
Opcode Fuzzy Hash: cb0e7b76a640d08c499b35eeede7cfcdb4648d5495989a2d1e2ae0225391a306
Instruction Fuzzy Hash: 29C01234614115DFD7005F74CD447653B70FF05740F000626A442A5190DB7484065A15

Function 004026FF Relevance: 1.5, APIs: 1, Instructions: 10registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(80000002), ref: 0040D82C

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: eaf145f444873a6bff26022e61706261e4d44663e084ce3b01c6962bc98f21b3
Instruction ID: 5ec97b2eb3e3170ad95daf285be8c754b41faf33349fba5b10927a7075397fb8
Opcode Fuzzy Hash: eaf145f444873a6bff26022e61706261e4d44663e084ce3b01c6962bc98f21b3
Instruction Fuzzy Hash: 58C08C20A08218D8D7D01AE52E0C7AE2A06AB043B4F30032AA633730C0CB348082A6BE

Function 00B52110 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00B515C0: OpenEventA.KERNEL32(00100002,00000000,00000000,8D94DE02), ref: 00B51660
Part of subcall function 00B515C0: CloseHandle.KERNEL32(00000000), ref: 00B51675
Part of subcall function 00B515C0: ResetEvent.KERNEL32(00000000,8D94DE02), ref: 00B5167F
Part of subcall function 00B515C0: CloseHandle.KERNEL32(00000000,8D94DE02), ref: 00B516B4

TlsSetValue.KERNEL32(00000026,?), ref: 00B5215A

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$OpenResetValue
String ID:
API String ID: 1556185888-0
Opcode ID: 65be1f49ed838a500f760dd9df2a24c85b81679fdebb26fb27b8d719fd5492e0
Instruction ID: 64b23c0055a54850c78baa3d2f42ddb3a93fea947157ee954feaa56d971d31f6
Opcode Fuzzy Hash: 65be1f49ed838a500f760dd9df2a24c85b81679fdebb26fb27b8d719fd5492e0
Instruction Fuzzy Hash: B401A271A04604AFC710CFA8DC45B5ABBE8FB09771F104BAAF825D37D0DB7569048BA0

Function 00402810 Relevance: 1.3, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00402810

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 57a0741227dd9a16cd461ae8e65421ddc13f5886cd6de5791e0686322d83ea60
Instruction ID: 646227f3fef1f343ab71bcb68da16975c72f4075c55f098b44a112a7cca5064b
Opcode Fuzzy Hash: 57a0741227dd9a16cd461ae8e65421ddc13f5886cd6de5791e0686322d83ea60
Instruction Fuzzy Hash: FCE08C31800701EBC7014BA0CA8A6AABBB0BB00314F00803AE809725C0C3BC91AACBDA

Function 004022D9 Relevance: 1.3, APIs: 1, Instructions: 11sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 004022D9

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b4fe005c8e16b858d01d95fa0fd3f8ef258010f6ac9604675fd7048b94773a9b
Instruction ID: e72a41b6dfdddac10ecd88bf8a051ea5708ec34d9fa41edd5dfe4d5b4977cec8
Opcode Fuzzy Hash: b4fe005c8e16b858d01d95fa0fd3f8ef258010f6ac9604675fd7048b94773a9b
Instruction Fuzzy Hash: D7C08C7880D800F2D20113502F0DBB83224A706308F30403BF806300D14AFE012BA98F

Function 004028C5 Relevance: 1.3, APIs: 1, Instructions: 5sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 004028C5

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: e68fd7fce66a6d94e974ea7a7509de7a7ac7b8a460bc7d90a9001f94097f8646
Instruction ID: 5f572b3b01697d3602dd085a38fc554daa16ccd5b5a82f5d4f3345458a6bfba9
Opcode Fuzzy Hash: e68fd7fce66a6d94e974ea7a7509de7a7ac7b8a460bc7d90a9001f94097f8646
Instruction Fuzzy Hash: A1B01130888800EAC2000BA0AE08B303E30B30030AF20003AAA0A300E08A3A088EAA0F

Non-executed Functions

Function 00B50870 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 179windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B49A87: __EH_prolog.LIBCMT ref: 00B49A8C
Part of subcall function 00B49A87: _Allocate.LIBCPMT ref: 00B49AE3
Part of subcall function 00B49A87: _memmove.LIBCMT ref: 00B49B3A

_memset.LIBCMT ref: 00B508E9
FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 00B50952
GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 00B5095A

Strings

invalid string position, xrefs: 00B50AA6
Unknown error, xrefs: 00B509A9

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
String ID: Unknown error$invalid string position
API String ID: 1854462395-1837348584
Opcode ID: 6969b7fd472382d74edcd802d889abda4f3ad38123cc41d693a609a5e228b61a
Instruction ID: ce9b0079d20dea95aace6f1342dbee5fa784d77d168b372407053246d3b9d5f7
Opcode Fuzzy Hash: 6969b7fd472382d74edcd802d889abda4f3ad38123cc41d693a609a5e228b61a
Instruction Fuzzy Hash: 9B51BD70218341DFEB14EF29C890B2FBBE4EB98744F5009ADF88597292D771D688CB52

Function 00B594D8 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B54E46,?,?,?,00000001), ref: 00B594DD
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B594E6

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 153efa638e5de87395123b21be4e40c8865cfe00e60bd7c6a882096e875ec8c2
Instruction ID: a664059e3bc77699b57ecf22727a106df8b001141832d96af4a2574ce2f122cd
Opcode Fuzzy Hash: 153efa638e5de87395123b21be4e40c8865cfe00e60bd7c6a882096e875ec8c2
Instruction Fuzzy Hash: 6DB0923109C208EBCB012BD1EC09B893F28EB0466AF004410F60D460A0CFA654209AB1

Function 00B424E1 Relevance: 21.2, APIs: 14, Instructions: 173COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B424E6
InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 00B424FC
RtlEnterCriticalSection.NTDLL(?), ref: 00B4250E
RtlLeaveCriticalSection.NTDLL(?), ref: 00B4256D
SetLastError.KERNEL32(00000000,?,7622DFB0), ref: 00B4257F
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7622DFB0), ref: 00B42599
GetLastError.KERNEL32(?,7622DFB0), ref: 00B425A2
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00B425F0
InterlockedDecrement.KERNEL32(00000002), ref: 00B4262F
InterlockedExchange.KERNEL32(00000000,00000000), ref: 00B4268E
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00B42699
InterlockedExchange.KERNEL32(00000000,00000001), ref: 00B426AD
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7622DFB0), ref: 00B426BD
GetLastError.KERNEL32(?,7622DFB0), ref: 00B426C7

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
String ID:
API String ID: 1213838671-0
Opcode ID: fc1dabadb10c8c057060da7a60fb1f831d0505343b09a57b0db1f77b67033ac1
Instruction ID: 38487c6d674f567233f0adc85f0a3a31769e7ba4b578e9396e35025444b99311
Opcode Fuzzy Hash: fc1dabadb10c8c057060da7a60fb1f831d0505343b09a57b0db1f77b67033ac1
Instruction Fuzzy Hash: 3B614171904609EFCB10DFA4D985AAEBBF8FF08314F5045AAF516E3290DB749A44EF60

Function 00B44603 Relevance: 19.9, APIs: 13, Instructions: 442networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B44608

Part of subcall function 00B53AFC: _malloc.LIBCMT ref: 00B53B14

htons.WS2_32(?), ref: 00B44669
htonl.WS2_32(?), ref: 00B4468C
htonl.WS2_32(00000000), ref: 00B44693
htons.WS2_32(00000000), ref: 00B44747
_sprintf.LIBCMT ref: 00B4475D

Part of subcall function 00B4893A: _memmove.LIBCMT ref: 00B4895A

htons.WS2_32(?), ref: 00B446B0

Part of subcall function 00B496E5: __EH_prolog.LIBCMT ref: 00B496EA
Part of subcall function 00B496E5: RtlEnterCriticalSection.NTDLL(00000020), ref: 00B49765
Part of subcall function 00B496E5: RtlLeaveCriticalSection.NTDLL(00000020), ref: 00B49783

Part of subcall function 00B41BA7: __EH_prolog.LIBCMT ref: 00B41BAC
Part of subcall function 00B41BA7: RtlEnterCriticalSection.NTDLL ref: 00B41BBC
Part of subcall function 00B41BA7: RtlLeaveCriticalSection.NTDLL ref: 00B41BEA
Part of subcall function 00B41BA7: RtlEnterCriticalSection.NTDLL ref: 00B41C13
Part of subcall function 00B41BA7: RtlLeaveCriticalSection.NTDLL ref: 00B41C56

Part of subcall function 00B4DEA1: __EH_prolog.LIBCMT ref: 00B4DEA6

htonl.WS2_32(?), ref: 00B4497C
htonl.WS2_32(00000000), ref: 00B44983
htonl.WS2_32(00000000), ref: 00B449C8
htonl.WS2_32(00000000), ref: 00B449CF
htons.WS2_32(?), ref: 00B449EF
htons.WS2_32(?), ref: 00B449F9

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
String ID:
API String ID: 1645262487-0
Opcode ID: c4995788c41d911c8b1b857fd0ee227c4cf49a7d7c96e55bfcf9aa5ce9412e04
Instruction ID: e9ffbcadb02ea1817fcb0527e1a8c3541a795b70267df912b5117f073895658c
Opcode Fuzzy Hash: c4995788c41d911c8b1b857fd0ee227c4cf49a7d7c96e55bfcf9aa5ce9412e04
Instruction Fuzzy Hash: 89024571C00259AEEF15DBA4C845BEEBBF8EF08304F14419AE505B7281DBB45B89DBA1

Function 004023B3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 75registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(UID Finder 6.11.66,Function_0000235E), ref: 004023C1
SetServiceStatus.ADVAPI32(0040C408), ref: 00402420
GetLastError.KERNEL32 ref: 00402422
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
GetLastError.KERNEL32 ref: 00402450
SetServiceStatus.ADVAPI32(0040C408), ref: 00402480
CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
CloseHandle.KERNEL32 ref: 004024A1
SetServiceStatus.ADVAPI32(0040C408), ref: 004024CA

Strings

UID Finder 6.11.66, xrefs: 004023BC

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
String ID: UID Finder 6.11.66
API String ID: 3346042915-245170862
Opcode ID: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
Instruction ID: 4f107cf957cbd680cd4d605db27ce117804603c61eb7b626b01e69dba3e91430
Opcode Fuzzy Hash: 8481bbef3285b0f9ebce9f82f4e1eb68b4ac82d1f0eae4c5cd12d91383da07eb
Instruction Fuzzy Hash: 3521C570441214EBC2105F16EFE9A267FA8FBC5794B11823EE544B22B2CBB90549CFAD

Function 00B582E2 Relevance: 18.1, APIs: 12, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 00B582EA
_free.LIBCMT ref: 00B58303

Part of subcall function 00B52F24: HeapFree.KERNEL32(00000000,00000000,?,00B55C82,00000000,00000104,76230A60), ref: 00B52F38
Part of subcall function 00B52F24: GetLastError.KERNEL32(00000000,?,00B55C82,00000000,00000104,76230A60), ref: 00B52F4A

_free.LIBCMT ref: 00B58316
_free.LIBCMT ref: 00B58334
_free.LIBCMT ref: 00B58346
_free.LIBCMT ref: 00B58357
_free.LIBCMT ref: 00B58362
_free.LIBCMT ref: 00B58386
RtlEncodePointer.NTDLL(00A49120), ref: 00B5838D
_free.LIBCMT ref: 00B583A2
_free.LIBCMT ref: 00B583B8
_free.LIBCMT ref: 00B583E0

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: b27faec356a46db731ff1b2ad173c747b60fa3ce6bacfeae8368dd2d52fc3af1
Instruction ID: 78c24155c8636a59522d8d7558fea0068114406abf91c09c8b31956b36d85657
Opcode Fuzzy Hash: b27faec356a46db731ff1b2ad173c747b60fa3ce6bacfeae8368dd2d52fc3af1
Instruction Fuzzy Hash: 7C213D32906621DBCB266F14FC8165977E4FB06B2231900EAFC4CA72A1CF755C8DDBA4

Function 00406897 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00408650,00000001,00000000,00000000,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 004068D9
LCMapStringA.KERNEL32(00000000,00000100,0040864C,00000001,00000000,00000000,?,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 004068F5
LCMapStringA.KERNEL32(?,?,?,?,Wc@ ,?,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 0040693E
MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00406357,00200020,00000000,?,00000000,00000000), ref: 00406976
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069CE
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069E4
LCMapStringW.KERNEL32(?,?,?,00000000,Wc@ ,?,?,00406357,00200020,00000000,?,00000000), ref: 00406A17
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406A7F

Strings

Wc@ , xrefs: 00406A97, 00406A0A, 0040692F

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: Wc@
API String ID: 352835431-4128830131
Opcode ID: c59ed56cf9200d4eb4cbe2117608f716f3cf8688afb6deb225ba4043c85c6758
Instruction ID: c30aaca26a5f6a0372154cda3c497b92e07e281ea3e6606adb1712902525b657
Opcode Fuzzy Hash: c59ed56cf9200d4eb4cbe2117608f716f3cf8688afb6deb225ba4043c85c6758
Instruction Fuzzy Hash: 8A517E71A00209EBCF219F94CD45ADF7FB5FB49750F11812AF911B12A0D7398921DF69

Function 00403BE2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403BFD
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403C11
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403C3D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F74), ref: 00403C75
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402F74), ref: 00403C97
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402F74), ref: 00403CB0
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402F74), ref: 00403CC3
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403D01

Strings

t/@, xrefs: 00403CAB, 00403C9D

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: t/@
API String ID: 1823725401-3363397731
Opcode ID: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
Instruction ID: 879d38be92084954eaea71e49c87bd85cc2f9a5de8a3f101a3316a48e994b743
Opcode Fuzzy Hash: aff10945ecf90bbee9edc284fe0c12867232451494807f8f70b2732d2a40bc2d
Instruction Fuzzy Hash: 3E31017350C2246EE7203F746CC483BBE9CEA4575AB15053FF982F3280DA398E8146AD

Function 00B43423 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B43428
GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 00B4346B
GetProcAddress.KERNEL32(00000000), ref: 00B43472
GetLastError.KERNEL32 ref: 00B43486
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00B434D7
RtlEnterCriticalSection.NTDLL(00000018), ref: 00B434ED
RtlLeaveCriticalSection.NTDLL(00000018), ref: 00B43518

Strings

CancelIoEx, xrefs: 00B43461
KERNEL32, xrefs: 00B43466

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
String ID: CancelIoEx$KERNEL32
API String ID: 2902213904-434325024
Opcode ID: 589098eed91f84a68e939206b454e52253106eeb0de618116d0def19d125a912
Instruction ID: 09f4387011983e7f2273047a65b0a935c25381164725982a832d69786f55c998
Opcode Fuzzy Hash: 589098eed91f84a68e939206b454e52253106eeb0de618116d0def19d125a912
Instruction Fuzzy Hash: EE318DB1904305DFDB11AF64C884AAA7BF8FF48711F1984E9F9159B391CB74DA00DBA1

Function 004065B8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,004043C1,?,Microsoft Visual C++ Runtime Library,00012010,?,00408584,?,004085D4,?,?,?,Runtime Error!Program: ), ref: 004065CA
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065E2
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065F3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406600

Strings

GetLastActivePopup, xrefs: 004065F5
MessageBoxA, xrefs: 004065DC
user32.dll, xrefs: 004065C5
GetActiveWindow, xrefs: 004065ED

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 1e827d42bf4979efd8fc0e05e1792a28396127eff3a42ececc528c363af0fc92
Instruction ID: db39845ca5f1b339293cd545309a4189fd77c948f0b46f5b4ed21715b02f5541
Opcode Fuzzy Hash: 1e827d42bf4979efd8fc0e05e1792a28396127eff3a42ececc528c363af0fc92
Instruction Fuzzy Hash: 46018871A40611EFC7208FB5AFC49277EE99B587407061D3FA541F2291DE7B8811CB6D

Function 0040674E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00408650,00000001,00000000,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 0040678D
GetStringTypeA.KERNEL32(00000000,00000001,0040864C,00000001,?,?,00000000,00000000,00000001), ref: 004067A7
GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 004067DB
MultiByteToWideChar.KERNEL32(Wc@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00406357,00200020,00000000,?,00000000,00000000,00000001), ref: 00406813
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00406869
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 0040687B

Strings

Wc@ , xrefs: 00406810

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: Wc@
API String ID: 3852931651-4128830131
Opcode ID: 51aa12949cff19f931a0c8f8e78869120ffa08a7a0a03f1196022c1900c26aa0
Instruction ID: 956ec2585e1336e719d8d065e8dcf62e24d3c9f54db028b8b8152b0cc77897f4
Opcode Fuzzy Hash: 51aa12949cff19f931a0c8f8e78869120ffa08a7a0a03f1196022c1900c26aa0
Instruction Fuzzy Hash: 3F419F72501209EFCF20AF94DD85EAF3B79FB04754F11453AF902F2290C73989248BA9

Function 0040429D Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040430A
GetStdHandle.KERNEL32(000000F4,00408584,00000000,?,00000000,00000000), ref: 004043E0
WriteFile.KERNEL32(00000000), ref: 004043E7

Strings

..., xrefs: 0040435C
Microsoft Visual C++ Runtime Library, xrefs: 004043B6
<program name unknown>, xrefs: 0040431A
Runtime Error!Program: , xrefs: 00404370

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: efc2387ad9e4ebc715aa49f254a253419fe4c6ba22f87958d70440b8e59437cd
Instruction ID: d8635e2a7f81e525e6493e1b235b12eebf94c6aed7416e9ae0bb5a91e3b582aa
Opcode Fuzzy Hash: efc2387ad9e4ebc715aa49f254a253419fe4c6ba22f87958d70440b8e59437cd
Instruction Fuzzy Hash: ED318572601219AEDF20AA60DE46FDA336CAF85304F1004BFF944B61D1DA78DE448A5D

Function 00B515C0 Relevance: 10.6, APIs: 7, Instructions: 132COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100002,00000000,00000000,8D94DE02), ref: 00B51660
CloseHandle.KERNEL32(00000000), ref: 00B51675
ResetEvent.KERNEL32(00000000,8D94DE02), ref: 00B5167F
CloseHandle.KERNEL32(00000000,8D94DE02), ref: 00B516B4
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,8D94DE02), ref: 00B5172A
CloseHandle.KERNEL32(00000000), ref: 00B5173F

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateOpenReset
String ID:
API String ID: 1285874450-0
Opcode ID: 67aac3b350ffc08d13fb8b19703e6dc776cc44bbe6e73be9277baf0b3589bdd8
Instruction ID: 4f974c1bf72c9af683aa4dc4112e0a70832c24810c4341a47556e34c6b8c210e
Opcode Fuzzy Hash: 67aac3b350ffc08d13fb8b19703e6dc776cc44bbe6e73be9277baf0b3589bdd8
Instruction Fuzzy Hash: 6F413071D04358ABDF11DFA8C848B9DB7F8EF09715F144699E818AB280D7749D09CB61

Function 00B42081 Relevance: 10.6, APIs: 7, Instructions: 116timeCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 00B420AC
SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 00B420CD
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00B420D8
InterlockedDecrement.KERNEL32(?), ref: 00B4213E
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 00B4217A
InterlockedDecrement.KERNEL32(?), ref: 00B42187
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00B421A6

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
String ID:
API String ID: 1171374749-0
Opcode ID: b495b3df417b36f368b4d2d0ea29b198683f9d4a957ec23187c2b8fe8ae9b1e8
Instruction ID: e95679fa7a70dbc2cef6858ea6da5b7de4cf884e1016dc0cd0703cb2dbc12b99
Opcode Fuzzy Hash: b495b3df417b36f368b4d2d0ea29b198683f9d4a957ec23187c2b8fe8ae9b1e8
Instruction Fuzzy Hash: E54147755087019FC321DF25C885A6BBBF9EFC8754F000A5EF49693290DB34EA05EBA2

Function 00B516D2 Relevance: 10.6, APIs: 7, Instructions: 107synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B51E80: OpenEventA.KERNEL32(00100002,00000000,?,?,?,00B516DE,?,?), ref: 00B51EAF
Part of subcall function 00B51E80: CloseHandle.KERNEL32(00000000,?,?,00B516DE,?,?), ref: 00B51EC4
Part of subcall function 00B51E80: SetEvent.KERNEL32(00000000,00B516DE,?,?), ref: 00B51ED7

OpenEventA.KERNEL32(00100002,00000000,00000000,8D94DE02), ref: 00B51660
CloseHandle.KERNEL32(00000000), ref: 00B51675
ResetEvent.KERNEL32(00000000,8D94DE02), ref: 00B5167F
CloseHandle.KERNEL32(00000000,8D94DE02), ref: 00B516B4
__CxxThrowException@8.LIBCMT ref: 00B516E5

Part of subcall function 00B5450A: RaiseException.KERNEL32(?,?,00B4FB0D,?,?,?,?,?,?,?,00B4FB0D,?,00B70F68,?), ref: 00B5455F

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,8D94DE02), ref: 00B5172A
CloseHandle.KERNEL32(00000000), ref: 00B5173F

Part of subcall function 00B51BC0: GetCurrentProcessId.KERNEL32(?), ref: 00B51C19

WaitForSingleObject.KERNEL32(00000000,000000FF,8D94DE02), ref: 00B5174F

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
String ID:
API String ID: 2227236058-0
Opcode ID: e0bb5c9360107cc876e9fd3c76a11ed48031a1a2c9d33130e362444ac4590727
Instruction ID: 90e3df77e38679b4a0d6d80c0f0cff824902bb9605f3de3e2d6197e35bdb7d48
Opcode Fuzzy Hash: e0bb5c9360107cc876e9fd3c76a11ed48031a1a2c9d33130e362444ac4590727
Instruction Fuzzy Hash: 02315E71D00309ABDF21DBA88C49BADB7F8EF05316F1406D9EC18AB281DB609D098B61

Function 00B55D44 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00B55D44

Part of subcall function 00B584B2: RtlEncodePointer.NTDLL(00000000), ref: 00B584B5
Part of subcall function 00B584B2: __initp_misc_winsig.LIBCMT ref: 00B584D0
Part of subcall function 00B584B2: GetModuleHandleW.KERNEL32(kernel32.dll,?,00B71568,00000008,00000003,00B70F4C,?,00000001), ref: 00B59231
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B59245
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B59258
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B5926B
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B5927E
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00B59291
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00B592A4
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00B592B7
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00B592CA
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00B592DD
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00B592F0
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00B59303
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00B59316
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00B59329
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00B5933C
Part of subcall function 00B584B2: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00B5934F

__mtinitlocks.LIBCMT ref: 00B55D49
__mtterm.LIBCMT ref: 00B55D52

Part of subcall function 00B55DBA: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00B588E8
Part of subcall function 00B55DBA: _free.LIBCMT ref: 00B588EF
Part of subcall function 00B55DBA: RtlDeleteCriticalSection.NTDLL(00B73978), ref: 00B58911

__calloc_crt.LIBCMT ref: 00B55D77
__initptd.LIBCMT ref: 00B55D99
GetCurrentThreadId.KERNEL32 ref: 00B55DA0

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: b4cbec8863986752a2a8a32cc14d8087984809cef04eb31395d13c5065c84b82
Instruction ID: 8e8aa27e55e1d143c143a35916dfa5a9d0c4b64d8d933b4abcdead126a1b340b
Opcode Fuzzy Hash: b4cbec8863986752a2a8a32cc14d8087984809cef04eb31395d13c5065c84b82
Instruction Fuzzy Hash: E0F0F633109F221AE63437B47C1BB8A27E2DB01733F1002E9FD94E61E1FF1488494644

Function 00B53471 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,00B53423,00000000), ref: 00B5348B
GetProcAddress.KERNEL32(00000000), ref: 00B53492
RtlEncodePointer.NTDLL(00000000), ref: 00B5349E
RtlDecodePointer.NTDLL(00000001), ref: 00B534BB

Strings

combase.dll, xrefs: 00B53486
RoInitialize, xrefs: 00B5347A

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: a845a50bff3cd14853a1e971767e28be1ef0c0a1892174aa036d7ae59a6c302e
Instruction ID: 22dc1af34191e1ad474928a62a96dc1c00aec6b4b5acda7c466f2105b4a0a54c
Opcode Fuzzy Hash: a845a50bff3cd14853a1e971767e28be1ef0c0a1892174aa036d7ae59a6c302e
Instruction Fuzzy Hash: C5E0E5706D4740AADA105B71EC89F1637A4A711B0AF0041A4F90AE22E0CEB951888F20

Function 00B53546 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B53460), ref: 00B53560
GetProcAddress.KERNEL32(00000000), ref: 00B53567
RtlEncodePointer.NTDLL(00000000), ref: 00B53572
RtlDecodePointer.NTDLL(00B53460), ref: 00B5358D

Strings

RoUninitialize, xrefs: 00B5354F
combase.dll, xrefs: 00B5355B

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: f1801bd7ddbdc5b09c7b96b250e5d9aafd00d811ca58f37783410ec82f9de69e
Instruction ID: 05fd6690b95ccaffd6883904bf1c4a4cde33988a17f71d41d646b78168e37135
Opcode Fuzzy Hash: f1801bd7ddbdc5b09c7b96b250e5d9aafd00d811ca58f37783410ec82f9de69e
Instruction Fuzzy Hash: 81E0B6B05D4704ABDB109F70AD4DB063BA4B725B4AF1055A5F50BE32F0EFB85648CB10

Function 00B51EE0 Relevance: 10.2, APIs: 8, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000026,8D94DE02,?,?,?,?,00000000,00B66A68,000000FF,00B5217A), ref: 00B51F1A
TlsSetValue.KERNEL32(00000026,00B5217A,?,?,00000000), ref: 00B51F87
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B51FB1
HeapFree.KERNEL32(00000000), ref: 00B51FB4

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: HeapValue$FreeProcess
String ID:
API String ID: 1812714009-0
Opcode ID: 4faa813172bdcbbc510f0a6e6f4ee19567efe6ad97aa7aac4135db66a030ee3a
Instruction ID: 959f297aa193c3c9391ae482acbbc432e253281a0f7fba54d3926dbc5ebd9efa
Opcode Fuzzy Hash: 4faa813172bdcbbc510f0a6e6f4ee19567efe6ad97aa7aac4135db66a030ee3a
Instruction Fuzzy Hash: C351AF315093049FDB20DF29C884B16BBE4FB45765F098AE8EC69972D0DB75EC08CB91

Function 00B65630 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00B65740
__FindPESection.LIBCMT ref: 00B6575A

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 3b47df28c4a0a526a9f279a58272a53bf192ce4351f07697f76ae7d1ee2cbc7b
Instruction ID: 073b786f9743c2cdb5d367108052eebf90d2d3ea660eb1a304337a8e52abcaa5
Opcode Fuzzy Hash: 3b47df28c4a0a526a9f279a58272a53bf192ce4351f07697f76ae7d1ee2cbc7b
Instruction Fuzzy Hash: FAA1A171A04A158FCB20CF18D880B6DB7E5FB45320F6542A9EC19EB391EB39ED51CB90

Function 00B41C91 Relevance: 9.0, APIs: 6, Instructions: 39synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B41CB1
CloseHandle.KERNEL32(?), ref: 00B41CBA
InterlockedExchangeAdd.KERNEL32(00B77264,00000000), ref: 00B41CC6
TerminateThread.KERNEL32(?,00000000), ref: 00B41CD4
QueueUserAPC.KERNEL32(00B41E7C,?,00000000), ref: 00B41CE1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B41CEC

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 1946104331-0
Opcode ID: 772e72f0dccb2d70a9c60509ebfde2b990ab89464a072d6a7994f35471ec367d
Instruction ID: 24ce10019442d6ca242d72d7032e9eb363ecab237792d35799092d122a4a5a99
Opcode Fuzzy Hash: 772e72f0dccb2d70a9c60509ebfde2b990ab89464a072d6a7994f35471ec367d
Instruction Fuzzy Hash: 4EF08C31588204BFD7205B9ADD0DC5BBBFCEB85B20B004299F56AC21E0DFA0AA008B30

Function 00403EEC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00403F0B
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403F40
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403FA0

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 00403F7A
__MSVCRT_HEAP_SELECT, xrefs: 00403F3B

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 902e60ade4d92a6391f73bc102fd9c1f1b848196a8b58942b8a92e566e39241b
Instruction ID: f9b557e5926ae0cb1bea86ca91105dc92f8de38cdcecb6fe0ade7bda32980430
Opcode Fuzzy Hash: 902e60ade4d92a6391f73bc102fd9c1f1b848196a8b58942b8a92e566e39241b
Instruction Fuzzy Hash: B6312571D412886DEB319A705C45ADE7F7C8B06309F2400FBE685F62C2E6388FC98B19

Function 00B518E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00B5192F

Part of subcall function 00B52483: std::exception::_Copy_str.LIBCMT ref: 00B5249C

Part of subcall function 00B50D00: __CxxThrowException@8.LIBCMT ref: 00B50D5E

std::exception::exception.LIBCMT ref: 00B5198E

Strings

$, xrefs: 00B51993
boost unique_lock owns already the mutex, xrefs: 00B5197D
boost unique_lock has no mutex, xrefs: 00B5191E

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
API String ID: 2140441600-46888669
Opcode ID: 2f0cd1cb4adcd3e04e6d285b5504987f402458aa3ee769afa1387c9b3d374a3a
Instruction ID: 6d8417576c2f882838a7ad3f414ecd108fa97190077dddd26e9ffd28d7c7dc6b
Opcode Fuzzy Hash: 2f0cd1cb4adcd3e04e6d285b5504987f402458aa3ee769afa1387c9b3d374a3a
Instruction Fuzzy Hash: 952126B14193809FD721EF24C45575BBBE4BB89B08F004E9DF8A587391DBB99908CB92

Function 00B54A2C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00B54A30

Part of subcall function 00B55C22: GetLastError.KERNEL32(76230A60,7622F550,00B55E10,00B52FE3,7622F550,?,00B4606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,00B46504), ref: 00B55C24
Part of subcall function 00B55C22: __calloc_crt.LIBCMT ref: 00B55C45
Part of subcall function 00B55C22: __initptd.LIBCMT ref: 00B55C67
Part of subcall function 00B55C22: GetCurrentThreadId.KERNEL32 ref: 00B55C6E
Part of subcall function 00B55C22: SetLastError.KERNEL32(00000000,00B4606D,00000104,76230A60,7622F550,ntdll.dll,?,?,?,00B46504), ref: 00B55C86

__calloc_crt.LIBCMT ref: 00B54A53
__get_sys_err_msg.LIBCMT ref: 00B54A71
__invoke_watson.LIBCMT ref: 00B54A8E

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00B54A3B, 00B54A61

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 109275364-798102604
Opcode ID: edf314b8fc8d6ac4d6092a01268b42c72d2494df2c3e732e2499b56ba449fc46
Instruction ID: a41fd87abb00db81d02f499141a1316860649e7b8b3c5256476f402829559ec7
Opcode Fuzzy Hash: edf314b8fc8d6ac4d6092a01268b42c72d2494df2c3e732e2499b56ba449fc46
Instruction Fuzzy Hash: 75F05933AC0B146BE732A51A5C8172B72CCDB907AFB0005F6FD4597102EB21CD8A029D

Function 00B42341 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 00B42350
InterlockedExchange.KERNEL32(?,00000001), ref: 00B42360
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B42370
GetLastError.KERNEL32 ref: 00B4237A

Part of subcall function 00B41712: __EH_prolog.LIBCMT ref: 00B41717

Strings

pqcs, xrefs: 00B42388

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
String ID: pqcs
API String ID: 1619523792-2559862021
Opcode ID: ea1c21a017bc7dbbe7a17afe4fd57270cf118a626c956a8eb9b5cdc889517603
Instruction ID: 1c31d4a8fa961c31fedcabde228d7020e5e8f70444fb4261f18531f4c01aa9fd
Opcode Fuzzy Hash: ea1c21a017bc7dbbe7a17afe4fd57270cf118a626c956a8eb9b5cdc889517603
Instruction Fuzzy Hash: 32F05471944304AFD710AF749C0AAAB7BFCEB04705F0045A9F905D3150EFB4DA049BA1

Function 00B44030 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B44035
GetProcessHeap.KERNEL32(00000000,?), ref: 00B44042
RtlAllocateHeap.NTDLL(00000000), ref: 00B44049
std::exception::exception.LIBCMT ref: 00B44063

Part of subcall function 00B4A678: __EH_prolog.LIBCMT ref: 00B4A67D
Part of subcall function 00B4A678: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 00B4A68C
Part of subcall function 00B4A678: __CxxThrowException@8.LIBCMT ref: 00B4A6AB

Strings

bad allocation, xrefs: 00B44058

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
String ID: bad allocation
API String ID: 3112922283-2104205924
Opcode ID: cc54330edd6dfe666e8db10a8bb7c6037ca1663e44eab29d6a74dd644ea9f6e7
Instruction ID: 909e6e7f4eb28d90f8a054ebee44453401fbc2a6cbbc1ae7890b5b85a34a0bed
Opcode Fuzzy Hash: cc54330edd6dfe666e8db10a8bb7c6037ca1663e44eab29d6a74dd644ea9f6e7
Instruction Fuzzy Hash: 17F08C72D44209ABDB10EFE0C809BAEBBB8EB04705F404598FA15A2280DBB85618CB61

Function 00403D14 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00403D6D
GetFileType.KERNEL32(00000800), ref: 00403E13
GetStdHandle.KERNEL32(-000000F6), ref: 00403E6C
GetFileType.KERNEL32(00000000), ref: 00403E7A
SetHandleCount.KERNEL32 ref: 00403EB1

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
Instruction ID: 9dbc4695f3205ced207c781c98d2c2eecf37425ec268f2c04ee58d1a3995b9ba
Opcode Fuzzy Hash: dbaca84f47ceea487b5a59e7f7eb21175bc7ba2e308e601fb33fec27d5f53662
Instruction Fuzzy Hash: 7C5143716046458BD7218F38CD887663FA8AF02B26F15473EE4A2FB2E0C7389A45C74D

Function 00B51C30 Relevance: 7.6, APIs: 5, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B51A00: CloseHandle.KERNEL32(00000000,8D94DE02), ref: 00B51A51
Part of subcall function 00B51A00: WaitForSingleObject.KERNEL32(?,000000FF,8D94DE02,?,?,?,?,8D94DE02,00B519D3,8D94DE02), ref: 00B51A68

ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00B51CCE
ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00B51CEE
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00B51D27
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00B51D7B
SetEvent.KERNEL32(?), ref: 00B51D82

Part of subcall function 00B4418C: CloseHandle.KERNEL32(00000000,?,00B51CB5), ref: 00B441B0

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
String ID:
API String ID: 4166353394-0
Opcode ID: 699947bcfe1365255abd37b2ac5ea3fbe4ad4caa6149a7da235c079703b2521a
Instruction ID: 519689dc209f8b5a464241369e01e849c55ff8324f2be6d02770cc6cf764defc
Opcode Fuzzy Hash: 699947bcfe1365255abd37b2ac5ea3fbe4ad4caa6149a7da235c079703b2521a
Instruction Fuzzy Hash: 3241CE71640311ABDB259F2CCC80B1677E4EF45725F140AE8EC29DB2D5DB35DC0A8BA5

Function 00B4E0A6 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B4E0AB

Part of subcall function 00B41A01: TlsGetValue.KERNEL32 ref: 00B41A0A

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00B4E12A
RtlEnterCriticalSection.NTDLL(?), ref: 00B4E146
InterlockedIncrement.KERNEL32(00B75190), ref: 00B4E16B
RtlLeaveCriticalSection.NTDLL(?), ref: 00B4E180

Part of subcall function 00B427F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 00B4284E

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
String ID:
API String ID: 1578506061-0
Opcode ID: 78785e7bc9ebd58947075e412aaf1740fbda6496b432f35846ab5f1aad40299e
Instruction ID: 6e705c4dee9dff82262556b930734d4af2108feacfee4df99058054533d75286
Opcode Fuzzy Hash: 78785e7bc9ebd58947075e412aaf1740fbda6496b432f35846ab5f1aad40299e
Instruction Fuzzy Hash: 70313AB1D453059FCB10DF68C944AAEBBF8FF08310F14499EE459E7641E774AA04DBA0

Function 00B60354 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00B60360

Part of subcall function 00B52F5C: __FF_MSGBANNER.LIBCMT ref: 00B52F73
Part of subcall function 00B52F5C: __NMSG_WRITE.LIBCMT ref: 00B52F7A
Part of subcall function 00B52F5C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001), ref: 00B52F9F

_free.LIBCMT ref: 00B60373

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 36ef5d16de61f897a0cb3970c1a4464fa1fba487922210e1b0f9c78c79845eae
Instruction ID: 86dfaa10f44492248d03bdf9cc2e28686e305dd1673997c27f8fb66562c9bdd3
Opcode Fuzzy Hash: 36ef5d16de61f897a0cb3970c1a4464fa1fba487922210e1b0f9c78c79845eae
Instruction Fuzzy Hash: 1911A332519A11ABCB313B71AC4575B3BD8EB08367B1045E5FD499B2A0DF3889448AA8

Function 00B421D5 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B421DA
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00B421ED
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 00B42224
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 00B42237
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B42261

Part of subcall function 00B42341: InterlockedExchange.KERNEL32(?,00000001), ref: 00B42350
Part of subcall function 00B42341: InterlockedExchange.KERNEL32(?,00000001), ref: 00B42360
Part of subcall function 00B42341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B42370
Part of subcall function 00B42341: GetLastError.KERNEL32 ref: 00B4237A

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 1856819132-0
Opcode ID: 440aae11e65d27884e2c1429a53eebad1d87ebd568aff504a5618365e5cd16bf
Instruction ID: 459b5b654a9870d592c972372751a0e3babb3fcf064f664293428ab8a6665494
Opcode Fuzzy Hash: 440aae11e65d27884e2c1429a53eebad1d87ebd568aff504a5618365e5cd16bf
Instruction Fuzzy Hash: 77117271D08124EBCB11AFA4DC446AEBBF9FF44314F5041AAF815932A1DFB54A51EB90

Function 00B42298 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B4229D
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00B422B0
TlsGetValue.KERNEL32 ref: 00B422E7
TlsSetValue.KERNEL32(?), ref: 00B42300
TlsSetValue.KERNEL32(?,?,?), ref: 00B4231C

Part of subcall function 00B42341: InterlockedExchange.KERNEL32(?,00000001), ref: 00B42350
Part of subcall function 00B42341: InterlockedExchange.KERNEL32(?,00000001), ref: 00B42360
Part of subcall function 00B42341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B42370
Part of subcall function 00B42341: GetLastError.KERNEL32 ref: 00B4237A

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 1856819132-0
Opcode ID: 622e140985eedaaac25dc7b0e1f5fed37394ebb4562533e7dc103f3257753d92
Instruction ID: a7530a115aee682fd941f725bab1d0bebae2152643277450db8cc00508b6a48d
Opcode Fuzzy Hash: 622e140985eedaaac25dc7b0e1f5fed37394ebb4562533e7dc103f3257753d92
Instruction Fuzzy Hash: 08116371D04118AFCB029FA4DC449AEBFF9FF44310F0441AAF81593261DF754A51EB90

Function 00B4BCC0 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4B113: __EH_prolog.LIBCMT ref: 00B4B118

__CxxThrowException@8.LIBCMT ref: 00B4BCDD

Part of subcall function 00B5450A: RaiseException.KERNEL32(?,?,00B4FB0D,?,?,?,?,?,?,?,00B4FB0D,?,00B70F68,?), ref: 00B5455F

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00B71D84,?,00000001), ref: 00B4BCF3
InterlockedExchange.KERNEL32(?,00000001), ref: 00B4BD06
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,00B71D84,?,00000001), ref: 00B4BD16
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00B4BD24

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
String ID:
API String ID: 2725315915-0
Opcode ID: e9f9062c50ca671942388f1c6e2bbc24635fae6655f1fad84e812b0da3f91a12
Instruction ID: 81e90c2cad39382d1c23e46efce0addc8bb0e5f1a89c90af6997e18b22d56864
Opcode Fuzzy Hash: e9f9062c50ca671942388f1c6e2bbc24635fae6655f1fad84e812b0da3f91a12
Instruction Fuzzy Hash: E101D1B2604204BFCB109BA4ECC9F9677ECEB04719F0444A4F625D71D0DFA4E9049B20

Function 00B42420 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00B42432
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00B42445
RtlEnterCriticalSection.NTDLL(?), ref: 00B42454
InterlockedExchange.KERNEL32(?,00000001), ref: 00B42469
RtlLeaveCriticalSection.NTDLL(?), ref: 00B42470

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
String ID:
API String ID: 747265849-0
Opcode ID: 1b65befc9a88a49291b89c048c64fa8e53f23598f1a6355fe7c0c8c7dde94445
Instruction ID: 33d3e94388dd8df252becce8ba28d3a64781f95cb468f572d8a931554fb31ec1
Opcode Fuzzy Hash: 1b65befc9a88a49291b89c048c64fa8e53f23598f1a6355fe7c0c8c7dde94445
Instruction Fuzzy Hash: 49F01D72284214BBDA009BA0ED89F9A776CFB44715F804051F701D7491DFA5AA10DBB1

Function 00B41EC7 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 00B41ED2
PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 00B41EEA
RtlEnterCriticalSection.NTDLL(?), ref: 00B41EF9
InterlockedExchange.KERNEL32(?,00000001), ref: 00B41F0E
RtlLeaveCriticalSection.NTDLL(?), ref: 00B41F15

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
String ID:
API String ID: 830998967-0
Opcode ID: 79ba8932905dc56a3732c05c6d832b6258a5fca95b6c6e673d62c6c48072acd9
Instruction ID: 9754865e83a8b1347cb85d08492f35c6988e4e50d4b18aa549fac252b2a87297
Opcode Fuzzy Hash: 79ba8932905dc56a3732c05c6d832b6258a5fca95b6c6e673d62c6c48072acd9
Instruction Fuzzy Hash: 8FF04932158205BBDB00AFA0ED88BDA776CFB04305F000011F20187491DFA5AA258BB0

Function 00B486FD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B48765
_memmove.LIBCMT ref: 00B48813

Strings

string too long, xrefs: 00B48798, 00B4883A
invalid string position, xrefs: 00B4878E

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 2b4760768514b7a0f45ecef29bb4eab23c0b8e53b6dada22903ac0ec4d5dd683
Instruction ID: bc8d3643959572b50db907bc89b5af30c6c5c2c3a39e1ab332100dfd57b5f860
Opcode Fuzzy Hash: 2b4760768514b7a0f45ecef29bb4eab23c0b8e53b6dada22903ac0ec4d5dd683
Instruction Fuzzy Hash: 0B41D231700305AFDB349E69D890A6EB7E9EB41750B2409ADF9568B681CF70EE04E7A0

Function 00B430AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00B430C3
WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 00B43102
_memcmp.LIBCMT ref: 00B43141

Strings

255.255.255.255, xrefs: 00B43139

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastString_memcmp
String ID: 255.255.255.255
API String ID: 1618111833-2422070025
Opcode ID: e3547ecd7e212132156d4096aea97e37ea07c35ca2dd4031a24a215493b8f803
Instruction ID: ba8c1a194a1cdb71399e3067179222be7f117b0d61ae719e45f75d1cf3abe221
Opcode Fuzzy Hash: e3547ecd7e212132156d4096aea97e37ea07c35ca2dd4031a24a215493b8f803
Instruction Fuzzy Hash: 8731EF71A003089FDB20AF64C881B6EB7E5FF41721F1885E9EC65A7390DB729B458B90

Function 00B41F56 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B41F5B
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 00B41FC5
GetLastError.KERNEL32(?,00000000), ref: 00B41FD2

Part of subcall function 00B41712: __EH_prolog.LIBCMT ref: 00B41717

Strings

iocp, xrefs: 00B41FE0

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog$CompletionCreateErrorLastPort
String ID: iocp
API String ID: 998023749-976528080
Opcode ID: 3b81df5b0676e66c583a6c85ec45398bf0292e383957563216b9d759a13be568
Instruction ID: 15879b95bb67e22c5223ce3c2113fad949d37db207b50d0b4c2d396db535187a
Opcode Fuzzy Hash: 3b81df5b0676e66c583a6c85ec45398bf0292e383957563216b9d759a13be568
Instruction Fuzzy Hash: AC21E5B1801B449FC720DF6AC50455AFBF8FFA4710B108A5FE8A683AA0D7B4A644CF91

Function 004069AB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069CE
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00406357,00200020,00000000,?,00000000), ref: 004069E4
LCMapStringW.KERNEL32(?,?,?,00000000,Wc@ ,?,?,00406357,00200020,00000000,?,00000000), ref: 00406A17
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406A7F
WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,Wc@ ,?,00000000,00000000,?,00000000,?,00406357,00200020,00000000,?,00000000), ref: 00406AA4

Strings

Wc@ , xrefs: 00406A0A

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: Wc@
API String ID: 352835431-4128830131
Opcode ID: 1312c45284bb9b0df6438f0e9267380287f1a9abf6012680dfeac5a7f92326d3
Instruction ID: 95b79f799a9dc74ab8783d7474949c37cbdd673329ec6272a6b224a97d77f72f
Opcode Fuzzy Hash: 1312c45284bb9b0df6438f0e9267380287f1a9abf6012680dfeac5a7f92326d3
Instruction Fuzzy Hash: C2113A32A00209ABCF229F98CD04ADEBFB6FF49350F11816AF911722A0D3368D61DF54

Function 00B53AFC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00B53B14

Part of subcall function 00B52F5C: __FF_MSGBANNER.LIBCMT ref: 00B52F73
Part of subcall function 00B52F5C: __NMSG_WRITE.LIBCMT ref: 00B52F7A
Part of subcall function 00B52F5C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001), ref: 00B52F9F

std::exception::exception.LIBCMT ref: 00B53B32
__CxxThrowException@8.LIBCMT ref: 00B53B47

Part of subcall function 00B5450A: RaiseException.KERNEL32(?,?,00B4FB0D,?,?,?,?,?,?,?,00B4FB0D,?,00B70F68,?), ref: 00B5455F

Strings

bad allocation, xrefs: 00B53B27

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: b28cdd144111ceecafcd92a3fe096499038bfde9c529c9764b119743bd7ebb00
Instruction ID: 06df940667c5135d2d21d938d2884bd5c5a8efdf2ea0a2ebf414560353366793
Opcode Fuzzy Hash: b28cdd144111ceecafcd92a3fe096499038bfde9c529c9764b119743bd7ebb00
Instruction Fuzzy Hash: 3FE0A031501209AACF00FF50DC42BAE7BF8EB00742F0045D1FC18A5291DF709A1CC690

Function 00B437B1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B437B6
__localtime64.LIBCMT ref: 00B437C1

Part of subcall function 00B525B0: __gmtime64_s.LIBCMT ref: 00B525C3

std::exception::exception.LIBCMT ref: 00B437D9

Part of subcall function 00B52483: std::exception::_Copy_str.LIBCMT ref: 00B5249C

Part of subcall function 00B4A4D6: __EH_prolog.LIBCMT ref: 00B4A4DB
Part of subcall function 00B4A4D6: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 00B4A4EA
Part of subcall function 00B4A4D6: __CxxThrowException@8.LIBCMT ref: 00B4A509

Strings

could not convert calendar time to UTC time, xrefs: 00B437CE

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
String ID: could not convert calendar time to UTC time
API String ID: 1963798777-2088861013
Opcode ID: fb521b73bb65e010a55907f3d6ceb7fe30d00ab6e85fea8cc8f987045c434dd0
Instruction ID: 44b632f8ea46c20cac3ff29bfdbfb44e79fca5dc638ee21b5072ed55e1a9627b
Opcode Fuzzy Hash: fb521b73bb65e010a55907f3d6ceb7fe30d00ab6e85fea8cc8f987045c434dd0
Instruction Fuzzy Hash: 60E06DB6C0120A9BCB10EF90D8057AEB7F8FB15304F0085D9E911A2241EBB847198A90

Function 0040319A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00402EAA), ref: 0040319F
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004031AF

Strings

KERNEL32, xrefs: 0040319A
IsProcessorFeaturePresent, xrefs: 004031A9

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 748c3a06171c204e9a1fd50ae91f73f3c4da2d806122e1fde3641ea021038800
Instruction ID: 8ffc782c345fbc4a568335a89d7931e33654b4b0dba7f91db9b0a41dc5523864
Opcode Fuzzy Hash: 748c3a06171c204e9a1fd50ae91f73f3c4da2d806122e1fde3641ea021038800
Instruction Fuzzy Hash: 25C08C70381B01A6EE602FB22F09B172C0C1B48B43F1800BE7A89F81C0CE7CC208813D

Function 00404C5C Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0040407A), ref: 00404C7D
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0040407A), ref: 00404CA1
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0040407A), ref: 00404CBB
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0040407A), ref: 00404D7C
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0040407A), ref: 00404D93

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
Instruction ID: 2da35cf39901cd0166ef30884cd3fae4f1f30d489fd3d975fdb0eff0fbde1f7b
Opcode Fuzzy Hash: 5cad5202a8731f25dba6dd4aaf0d633060e84280589fe69eb585605416c69a03
Instruction Fuzzy Hash: 5531E2B15017019BE3208F28EE44B22B7A4EBC8754F11863EEA55B73E1E778AC44CB5C

Function 0040447E Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00008000,00004000,7622DFF0,?,00000000), ref: 004046D6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404731
HeapFree.KERNEL32(00000000,?), ref: 00404743

Strings

t/@, xrefs: 0040447E

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Free$Virtual$Heap
String ID: t/@
API String ID: 2016334554-3363397731
Opcode ID: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
Instruction ID: 8d17195ec0ccff2424cf6b57804f20dfeb37273885bc82fd82189131503ce94b
Opcode Fuzzy Hash: 3ffb46cc47d32c3f8fdb2cc0b40f733643667e7721e671ee35378e11fae462b1
Instruction Fuzzy Hash: 3EB19EB4A01205DFDB14CF44CAD0A69BBA1FB88314F25C1AEDA596F3A2D735ED41CB84

Function 00B5C399 Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B5C42A
_memmove.LIBCMT ref: 00B5C49E
___AdjustPointer.LIBCMT ref: 00B5C4EF
_memmove.LIBCMT ref: 00B5C4F8

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: c97ab1566d170f771daeb105bbfb1e209366cda2527cc4e2b89dc1b12975440a
Instruction ID: 5820a28f357a41c6dec1ed86d5407c14e211b5931c71354f505865fe76271a1b
Opcode Fuzzy Hash: c97ab1566d170f771daeb105bbfb1e209366cda2527cc4e2b89dc1b12975440a
Instruction Fuzzy Hash: D44135356043025EEB245E68F842B7A7BF6DF64761F2404DDED46861D1EB31F988CA11

Function 00B512D0 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00B44149), ref: 00B5136F

Part of subcall function 00B43FDC: __EH_prolog.LIBCMT ref: 00B43FE1
Part of subcall function 00B43FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 00B43FF3

CloseHandle.KERNEL32(00000000), ref: 00B51364
CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,00B44149), ref: 00B513B0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B44149), ref: 00B51481

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CloseHandle$Event$CreateH_prolog
String ID:
API String ID: 2825413587-0
Opcode ID: 84798d2a2f43daf2f6b88fa1c03d8e7025107ab8a9e30c6ec29c243109aa78a3
Instruction ID: fbc57622d542ef90cd4bb199daf8fc8a55360e12b12a2ddef06757f383b56d52
Opcode Fuzzy Hash: 84798d2a2f43daf2f6b88fa1c03d8e7025107ab8a9e30c6ec29c243109aa78a3
Instruction Fuzzy Hash: DD5100B1600345ABDB11CF28C894B5A77E4FF48329F190AA8FC6997390DB35DD09CB95

Function 00B5375D Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B537F3
__flush.LIBCMT ref: 00B53813
__write.LIBCMT ref: 00B53846
__flsbuf.LIBCMT ref: 00B53874

Part of subcall function 00B55E0B: __getptd_noexit.LIBCMT ref: 00B55E0B

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 535039d8e7933aaddd12432e96c3b7a4be113f1a95e655b1b9895bf12f0f7668
Instruction ID: 6fa04b36ea4c717daa54193eabddc01857623df10958497c5889e0cfbb210198
Opcode Fuzzy Hash: 535039d8e7933aaddd12432e96c3b7a4be113f1a95e655b1b9895bf12f0f7668
Instruction Fuzzy Hash: A74184B5A006059BDF2D8E69C890B6EB7E5EF44BA2B1481FDFC1587340D670DF498B50

Function 00B5FEC5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B5FEFB
__isleadbyte_l.LIBCMT ref: 00B5FF29
MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 00B5FF57
MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 00B5FF8D

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3b68f9932149fee0ea7ca10772f14eb6162cc8728385d265468438def003aff2
Instruction ID: 64fcd1ed532b50d5b919fc90823579a91aef817d4dca3f6e2d8a793be6b231c0
Opcode Fuzzy Hash: 3b68f9932149fee0ea7ca10772f14eb6162cc8728385d265468438def003aff2
Instruction Fuzzy Hash: 6131DC31601347AFDB219F64C845BBABBE9FF42312F1540E9EC64975A0DB30D859CB90

Function 00B43D7E Relevance: 6.1, APIs: 4, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 00B43DA2

Part of subcall function 00B43BD3: __EH_prolog.LIBCMT ref: 00B43BD8
Part of subcall function 00B43BD3: std::bad_exception::bad_exception.LIBCMT ref: 00B43BED

htonl.WS2_32(00000000), ref: 00B43DB9
htonl.WS2_32(00000000), ref: 00B43DC0
htons.WS2_32(?), ref: 00B43DD4

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
String ID:
API String ID: 3882411702-0
Opcode ID: d64381878b97c034d0ccf49b0699fe87360c67993531b46e079330bd6d9b33d7
Instruction ID: fbe4e8f5e95887ce18dd5d5408c2dcf2ae8c0d3bc32c78ac7d8287eef2cfe7e1
Opcode Fuzzy Hash: d64381878b97c034d0ccf49b0699fe87360c67993531b46e079330bd6d9b33d7
Instruction Fuzzy Hash: D3118E35604309EFDF019F64D885AAAB7F8EF09714F0480A6FC09DF251DAB19E14DBA1

Function 00B4239D Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 00B423D0
RtlEnterCriticalSection.NTDLL(?), ref: 00B423DE
InterlockedExchange.KERNEL32(?,00000001), ref: 00B42401
RtlLeaveCriticalSection.NTDLL(?), ref: 00B42408

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
String ID:
API String ID: 4018804020-0
Opcode ID: ad69a58123dbd20601d8a41348959a992c74341bd6d1bbdb221ec1a364338976
Instruction ID: 86cbafa12a5d22f2ecde27c1a8da7910882b78170be1d64b0e885e972f1aa0c1
Opcode Fuzzy Hash: ad69a58123dbd20601d8a41348959a992c74341bd6d1bbdb221ec1a364338976
Instruction Fuzzy Hash: 2B11C231140204AFDB109F50D984B6ABBF8FF50708F1040ADF6019B150DBB5FE01EBA0

Function 00B5C7EB Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00B5C80F

Part of subcall function 00B5CEF6: __fltout2.LIBCMT ref: 00B5CF1F

__cftog_l.LIBCMT ref: 00B5C835
__cftoe_l.LIBCMT ref: 00B5C867

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 1d2302d1eb9dd4531df576eee70f17eb11816609dab50d83bb47457470335d20
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 4401403200024EBFCF126E84DC419EE3FB7BB19755B5885A5FE1959031D336C9B9AB81

Function 00B4247D Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00B424A9
RtlEnterCriticalSection.NTDLL(?), ref: 00B424B8
InterlockedExchange.KERNEL32(?,00000001), ref: 00B424CD
RtlLeaveCriticalSection.NTDLL(?), ref: 00B424D4

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
String ID:
API String ID: 4018804020-0
Opcode ID: 7e5adb443d7700c8f15d9cc06db2ed43c7f17fd0888fa561ae0d80434c99e737
Instruction ID: 6038ce5bd2919361c1e768f1474019b736f1669e02f9f5c111e18f6f8a0e038a
Opcode Fuzzy Hash: 7e5adb443d7700c8f15d9cc06db2ed43c7f17fd0888fa561ae0d80434c99e737
Instruction Fuzzy Hash: 4EF01972144205AFDB00AF69EC85B9ABBACFF44715F004059FA05CB191DBB5AA508BA0

Function 00B42004 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B42009
RtlDeleteCriticalSection.NTDLL(?), ref: 00B42028
CloseHandle.KERNEL32(00000000), ref: 00B42037
CloseHandle.KERNEL32(00000000), ref: 00B4204E

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CriticalDeleteH_prologSection
String ID:
API String ID: 2456309408-0
Opcode ID: 381b7034ba625272309143025368b462fe12f1017015c116596366e943424acb
Instruction ID: 217f01e2e4edf3fe4b9f7b03d4f31f496db4049650c13864dd12480d38b8e709
Opcode Fuzzy Hash: 381b7034ba625272309143025368b462fe12f1017015c116596366e943424acb
Instruction Fuzzy Hash: E701D1B14047049FC3349F54E808BA9B7F4FF04705F0046ADF44683690CFB86A48DB54

Function 00B41E26 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B41E2B
SetEvent.KERNEL32(00000000), ref: 00B41E3F
SetEvent.KERNEL32(?), ref: 00B41E58
SleepEx.KERNEL32(000000FF,00000001), ref: 00B41E62

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Event$H_prologSleep
String ID:
API String ID: 1765829285-0
Opcode ID: ea1b9fd97d37f619e81c82b281cde561f8ad85c0bcec2663580b7177742edae5
Instruction ID: 2ac428fbe4da74de34990b96c45b854ab67044503df8109abc1223d4309f8072
Opcode Fuzzy Hash: ea1b9fd97d37f619e81c82b281cde561f8ad85c0bcec2663580b7177742edae5
Instruction Fuzzy Hash: 9AF03A36644514EFCB109FA4D8C8B88BBA4FF09311F1081A9FA1ADB2D1CB799844CB61

Function 00B49F03 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B49F08
_memmove.LIBCMT ref: 00B4A002

Strings

&', xrefs: 00B49FE9

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog_memmove
String ID: &'
API String ID: 3529519853-655172784
Opcode ID: 8eda71911d924345173985342953a8a4317c3abd8942527df2fcdfa87949ade8
Instruction ID: a599b9dac3eccae83607b9a5d5b6c83a0b8d78f3e26bee924adc115b6bb58af8
Opcode Fuzzy Hash: 8eda71911d924345173985342953a8a4317c3abd8942527df2fcdfa87949ade8
Instruction Fuzzy Hash: 19619F71D00209DFCF20EFA4C981AEEBBF5EF58310F10819AE515AB281DB70AB45DB61

Function 0040606F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00406083

Strings

, xrefs: 004060A8
, xrefs: 004060CC

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
Instruction ID: 3e87ef9e1105c78bb2f85cebc7c09ea1e0cb28c4563d123519c4b9c13c46ffd4
Opcode Fuzzy Hash: 2bcc76b937e26bb30bc14eae63f2c8421862a1fe3dbd7d24f008297243196a7e
Instruction Fuzzy Hash: 0C414831004258AAEB119B54CD99BFB3FE9DB06704F1501F6D587FB1D3C23949648BAE

Function 00B49617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,00B48381,?,?,00000000), ref: 00B4967E
getsockname.WS2_32(?,?,?), ref: 00B49694

Strings

&', xrefs: 00B496C7

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: ErrorLastgetsockname
String ID: &'
API String ID: 566540725-655172784
Opcode ID: b6def39255e3b0e6f7a489ed14b4ee614a9392b8931f3d80a2b2e0c06071447b
Instruction ID: 22c0fd6fe2b911faa5e45cea769d0e3306f9334b8bccc8819c54ab0f21843e08
Opcode Fuzzy Hash: b6def39255e3b0e6f7a489ed14b4ee614a9392b8931f3d80a2b2e0c06071447b
Instruction Fuzzy Hash: 52219571A012089FDB10DF68D845ACEB7F5FF4C324F1185AAF819EB281DB34EA459B50

Function 00B4CC5D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B4CC62

Part of subcall function 00B4D23E: std::exception::exception.LIBCMT ref: 00B4D26D

Part of subcall function 00B4D9F4: __EH_prolog.LIBCMT ref: 00B4D9F9

Part of subcall function 00B53AFC: _malloc.LIBCMT ref: 00B53B14

Part of subcall function 00B4D29D: __EH_prolog.LIBCMT ref: 00B4D2A2

Strings

class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 00B4CC98
C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 00B4CC9F

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
API String ID: 1953324306-1943798000
Opcode ID: 26478c12593e79d80317134e9f765659f867322629a05b9d9ea60a0422c3a6c4
Instruction ID: 48ecb44de363ec4e7ce752003fd62b4aba87b586c3c9d256cab5c17ecba30e0b
Opcode Fuzzy Hash: 26478c12593e79d80317134e9f765659f867322629a05b9d9ea60a0422c3a6c4
Instruction Fuzzy Hash: F521BF71E012489ADB04EFE8D855AADBBF4EF55700F0440EDF815A7291DFB09B44DB90

Function 00B4CD52 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B4CD57

Part of subcall function 00B4D315: std::exception::exception.LIBCMT ref: 00B4D342

Part of subcall function 00B4DB2B: __EH_prolog.LIBCMT ref: 00B4DB30

Part of subcall function 00B53AFC: _malloc.LIBCMT ref: 00B53B14

Part of subcall function 00B4D372: __EH_prolog.LIBCMT ref: 00B4D377

Strings

class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 00B4CD8D
C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 00B4CD94

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
API String ID: 1953324306-412195191
Opcode ID: 02ba35d95dfb9b5cde03832ed714d7f23b1eac56d204dab08f43e569554f584a
Instruction ID: 871da3c3560f290c52fcdc706c5c2ffb179e3961c90315702888e5bba8236e8e
Opcode Fuzzy Hash: 02ba35d95dfb9b5cde03832ed714d7f23b1eac56d204dab08f43e569554f584a
Instruction Fuzzy Hash: CB21A071E042149ADB04EFE4D855AADBBF4EF05700F0441ADF90AA7392CF745B44DB91

Function 00B4534D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00B4535D

Part of subcall function 00B52F5C: __FF_MSGBANNER.LIBCMT ref: 00B52F73
Part of subcall function 00B52F5C: __NMSG_WRITE.LIBCMT ref: 00B52F7A
Part of subcall function 00B52F5C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001), ref: 00B52F9F

SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 00B4536F

Strings

\save.dat, xrefs: 00B45383

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: AllocateFolderHeapPathSpecial_malloc
String ID: \save.dat
API String ID: 4128168839-3580179773
Opcode ID: 0c2ad58a9294f6048351962d909f35832aeb7bcf23bfd0274cc8d0bc31d03306
Instruction ID: 96dfc2d75cbdeae1b13019253c28db1a08dce5856b23f171ea10ddd5824e5d7d
Opcode Fuzzy Hash: 0c2ad58a9294f6048351962d909f35832aeb7bcf23bfd0274cc8d0bc31d03306
Instruction Fuzzy Hash: D71171729056402BDB258E658C81E5FBFF7DF83790B1001E8FC8567203D6A20E06D260

Function 00B43965 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B4396A
std::runtime_error::runtime_error.LIBCPMT ref: 00B439C1

Part of subcall function 00B41410: std::exception::exception.LIBCMT ref: 00B41428

Part of subcall function 00B4A5CC: __EH_prolog.LIBCMT ref: 00B4A5D1
Part of subcall function 00B4A5CC: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 00B4A5E0
Part of subcall function 00B4A5CC: __CxxThrowException@8.LIBCMT ref: 00B4A5FF

Strings

Day of month is not valid for year, xrefs: 00B439AC

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Day of month is not valid for year
API String ID: 1404951899-1521898139
Opcode ID: 8c19000a72615073a8fa9bae5b53be8740fdcdf868a865325e64fbfe31b46060
Instruction ID: ebf01110fccab1e9eef2d94dd04a6a8413c40f9114fe082947bf492b54e0f857
Opcode Fuzzy Hash: 8c19000a72615073a8fa9bae5b53be8740fdcdf868a865325e64fbfe31b46060
Instruction Fuzzy Hash: 93018876914209AACF04EF94D5469EEB7F4FF14710F40459AFC00A3350EB744B55DB95

Function 00B4B0AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00B4FAC5
__CxxThrowException@8.LIBCMT ref: 00B4FADA

Part of subcall function 00B53AFC: _malloc.LIBCMT ref: 00B53B14

Strings

bad allocation, xrefs: 00B4FABA

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: bad allocation
API String ID: 4063778783-2104205924
Opcode ID: c097bcaab18a75b0ce6bd921880f79204b19355248122050a1fc0511a8dde2b1
Instruction ID: e01cd34dd214cca0821845dee4d2f1aed919619e6eae8dd04b1e7fc60bae1cdd
Opcode Fuzzy Hash: c097bcaab18a75b0ce6bd921880f79204b19355248122050a1fc0511a8dde2b1
Instruction Fuzzy Hash: C8F08270900309A69F04FAA88856AAF73ECEB04716B5005E6BA25D23C1EFB0EA089195

Function 00B43C16 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B43C1B
std::bad_exception::bad_exception.LIBCMT ref: 00B43C30

Part of subcall function 00B52467: std::exception::exception.LIBCMT ref: 00B52471

Part of subcall function 00B4A605: __EH_prolog.LIBCMT ref: 00B4A60A
Part of subcall function 00B4A605: __CxxThrowException@8.LIBCMT ref: 00B4A633

Strings

bad cast, xrefs: 00B43C28

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 1300498068-3145022300
Opcode ID: 9789b900725ed6471ec5a16353da69161fdb62d4e4cfd9d12c0e8217fc38db49
Instruction ID: eff7af5637a07f9db05dc65b137c497aeeeb8a0bbcf3ce5736787f0213105be8
Opcode Fuzzy Hash: 9789b900725ed6471ec5a16353da69161fdb62d4e4cfd9d12c0e8217fc38db49
Instruction Fuzzy Hash: 45F05532900604CBC708DF48D441AEAB7F4EF12311F0040EEFD05AB381CBB29A46CAD0

Function 00B43881 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B43886
std::runtime_error::runtime_error.LIBCPMT ref: 00B438A5

Part of subcall function 00B41410: std::exception::exception.LIBCMT ref: 00B41428

Part of subcall function 00B4893A: _memmove.LIBCMT ref: 00B4895A

Strings

Day of month value is out of range 1..31, xrefs: 00B43894

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
String ID: Day of month value is out of range 1..31
API String ID: 3258419250-1361117730
Opcode ID: eae7ae2ee4959861e38d3c40ce5db7513fa88f8243029c173fb4c4966abd81f2
Instruction ID: e1ac20744359e3fbb6964a3dd66bfa6af176b403a9ae22d9bf6c1c9c4d664e35
Opcode Fuzzy Hash: eae7ae2ee4959861e38d3c40ce5db7513fa88f8243029c173fb4c4966abd81f2
Instruction Fuzzy Hash: 32E0D832E4051497D724AB94C912BEC77F4DB08B50F4045DAF801733C1DFB91A50D795

Function 00B438CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B438D2
std::runtime_error::runtime_error.LIBCPMT ref: 00B438F1

Part of subcall function 00B41410: std::exception::exception.LIBCMT ref: 00B41428

Part of subcall function 00B4893A: _memmove.LIBCMT ref: 00B4895A

Strings

Year is out of valid range: 1400..10000, xrefs: 00B438E0

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
String ID: Year is out of valid range: 1400..10000
API String ID: 3258419250-2344417016
Opcode ID: 402af5572cd9638aa362f9e32dd0d998e0e4a92f16681202638647245f7ec402
Instruction ID: bfc11c187f15fbc9f3df3a5014be43acf70212ee4a3557023c8df7d0e02cec1e
Opcode Fuzzy Hash: 402af5572cd9638aa362f9e32dd0d998e0e4a92f16681202638647245f7ec402
Instruction Fuzzy Hash: 6CE0DF72E406149BDB24EB98C822BECB7F8DB0CB20F0045DAF801A72C1DFB91A50C795

Function 00B43919 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B4391E
std::runtime_error::runtime_error.LIBCPMT ref: 00B4393D

Part of subcall function 00B41410: std::exception::exception.LIBCMT ref: 00B41428

Part of subcall function 00B4893A: _memmove.LIBCMT ref: 00B4895A

Strings

Month number is out of range 1..12, xrefs: 00B4392C

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
String ID: Month number is out of range 1..12
API String ID: 3258419250-4198407886
Opcode ID: 06bbc03e274e01ef799e906fb204c034e833f0f5a48699130aa975177805ac18
Instruction ID: 463375a96e1ace4dc05a67d962a670b8e720438a5c4fb9f2b2eef3d0c6ea0a34
Opcode Fuzzy Hash: 06bbc03e274e01ef799e906fb204c034e833f0f5a48699130aa975177805ac18
Instruction Fuzzy Hash: 3EE09232E405149BD724AB948812BED77E4DB08710F0445DAE80563281DEB91A508795

Function 00B419C2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00B419CC
GetLastError.KERNEL32 ref: 00B419D9

Part of subcall function 00B41712: __EH_prolog.LIBCMT ref: 00B41717

Strings

tss, xrefs: 00B419E8

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: AllocErrorH_prologLast
String ID: tss
API String ID: 249634027-1638339373
Opcode ID: fd8353b49e35c7a53d6ee760fc97886380a2f77051ac77fbdc33bbe03c4ea4f2
Instruction ID: 76527b943eb994a02211cd0442625bd177f62b98a34343d21f8e4e01bedd401d
Opcode Fuzzy Hash: fd8353b49e35c7a53d6ee760fc97886380a2f77051ac77fbdc33bbe03c4ea4f2
Instruction Fuzzy Hash: 77E08632D142105B83007B78EC0909BBBE49A44335F108BA6FDBA832E0EE7449449BD2

Function 00B43BD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B43BD8
std::bad_exception::bad_exception.LIBCMT ref: 00B43BED

Part of subcall function 00B52467: std::exception::exception.LIBCMT ref: 00B52471

Part of subcall function 00B4A605: __EH_prolog.LIBCMT ref: 00B4A60A
Part of subcall function 00B4A605: __CxxThrowException@8.LIBCMT ref: 00B4A633

Strings

bad cast, xrefs: 00B43BE5

Memory Dump Source

Source File: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b41000_recordpadsoundrecorder32.jbxd

Yara matches

Similarity

API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 1300498068-3145022300
Opcode ID: 88bef0334837af587b1af51757fd34a98d6990af5122dacaf4e08fa11a4d494c
Instruction ID: bf48a7057c9af89c197855b1310069af10c57c426e2ca4c20a654dca799abd21
Opcode Fuzzy Hash: 88bef0334837af587b1af51757fd34a98d6990af5122dacaf4e08fa11a4d494c
Instruction Fuzzy Hash: 40E01A71901108DBC714EF54D652BA8BBF4EB15701F0481EDE90657390CB795A55CA85

Function 00404AB0 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404AD8
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B0C
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B26
HeapFree.KERNEL32(00000000,?,?,00000000,00404878,?,?,?,00000100,?,00000000), ref: 00404B3D

Memory Dump Source

Source File: 00000004.00000002.3436759372.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3436759372.000000000040B000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_recordpadsoundrecorder32.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
Instruction ID: e332c3e7fbabb4a530177a7352d9393d0fbd82ec7ab2db7e11d44f19093e014a
Opcode Fuzzy Hash: 326bc21520183113991a8339bf2de7ac4146e2f373772080d0e11da3f1adebb6
Instruction Fuzzy Hash: 611116B0201601DFC7219F19EE85E22BBB5FB84720711463AF292E65F0D771A845CF5C

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9MgoW3Y1ti.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Socks5Systemz

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe

C:\ProgramData\uit_66.dat

C:\ProgramData\urc_66.dat

C:\ProgramData\ures-a.dat

C:\ProgramData\ures-b.dat

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy)

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy)

C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy)

C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy)

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-1KIT8.tmp

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-377H9.tmp

Windows Analysis Report
9MgoW3Y1ti.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre