Edit tour

Windows Analysis Report
Deye Union - PO # 23081377.exe

Overview

General Information

Sample name:	Deye Union - PO # 23081377.exe
Analysis ID:	1480122
MD5:	b9b695185a83e88b77ffe37d56948d57
SHA1:	35b095b5b6448126c227436d6202878a0d93e7ab
SHA256:	c124677b62dde195f2df9174342199aa456dc61be86c6e3b1fba48a25ce8d9a5
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Potentially malicious time measurement code found

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Deye Union - PO # 23081377.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\Deye Union - PO # 23081377.exe" MD5: B9B695185A83E88B77FFE37D56948D57)

RegSvcs.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\Deye Union - PO # 23081377.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "cash@mpdxb-ae.com", "Password": "Khalid2020", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149db:$a1: get_encryptedPassword 0x14cc7:$a2: get_encryptedUsername 0x147e7:$a3: get_timePasswordChanged 0x148e2:$a4: get_passwordField 0x149f1:$a5: set_encryptedPassword 0x16070:$a7: get_logins 0x15fd3:$a10: KeyLoggerEventArgs 0x15c3e:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182bc:$x1: $%SMTPDV$ 0x18322:$x2: $#TheHashHere%& 0x19919:$x3: %FTPDV$ 0x19a0d:$x4: $%TelegramDv$ 0x15c3e:$x5: KeyLoggerEventArgs 0x15fd3:$x5: KeyLoggerEventArgs 0x1993d:$m2: Clipboard Logs ID 0x19b5d:$m2: Screenshot Logs ID 0x19c6d:$m2: keystroke Logs ID 0x19f47:$m3: SnakePW 0x19b35:$m4: \SnakeKeylogger\
00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bdb:$a1: get_encryptedPassword 0x14ec7:$a2: get_encryptedUsername 0x149e7:$a3: get_timePasswordChanged 0x14ae2:$a4: get_passwordField 0x14bf1:$a5: set_encryptedPassword 0x16270:$a7: get_logins 0x161d3:$a10: KeyLoggerEventArgs 0x15e3e:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c519:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b74b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb7e:$a4: \Orbitum\User Data\Default\Login Data 0x1cbbd:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x157b4:$s1: UnHook 0x157bb:$s2: SetHook 0x157c3:$s3: CallNextHook 0x157d0:$s4: _hook
00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184bc:$x1: $%SMTPDV$ 0x18522:$x2: $#TheHashHere%& 0x19b19:$x3: %FTPDV$ 0x19c0d:$x4: $%TelegramDv$ 0x15e3e:$x5: KeyLoggerEventArgs 0x161d3:$x5: KeyLoggerEventArgs 0x19b3d:$m2: Clipboard Logs ID 0x19d5d:$m2: Screenshot Logs ID 0x19e6d:$m2: keystroke Logs ID 0x1a147:$m3: SnakePW 0x19d35:$m4: \SnakeKeylogger\
00000002.00000002.3917754601.00000000025EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3917754601.0000000002421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x139cb7:$a1: get_encryptedPassword 0x139f99:$a2: get_encryptedUsername 0x139acd:$a3: get_timePasswordChanged 0x139bc8:$a4: get_passwordField 0x139ccd:$a5: set_encryptedPassword 0x13c1a3:$a7: get_logins 0x13c106:$a10: KeyLoggerEventArgs 0x13bd71:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x13bd71:$x5: KeyLoggerEventArgs 0x13c106:$x5: KeyLoggerEventArgs 0x13ccdf:$x5: KeyLoggerEventArgs 0x13d040:$x5: KeyLoggerEventArgs 0x13e350:$m2: Clipboard Logs ID 0x13e447:$m2: Screenshot Logs ID 0x13e49d:$m2: keystroke Logs ID 0x13e5d2:$m3: SnakePW 0x13e433:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7632	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7632	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7632	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x109bc:$a1: get_encryptedPassword 0x10c9e:$a2: get_encryptedUsername 0x107d2:$a3: get_timePasswordChanged 0x108cd:$a4: get_passwordField 0x109d2:$a5: set_encryptedPassword 0x12ea8:$a7: get_logins 0x12e0b:$a10: KeyLoggerEventArgs 0x12a76:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7632	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x12a76:$x5: KeyLoggerEventArgs 0x12e0b:$x5: KeyLoggerEventArgs 0x139e4:$x5: KeyLoggerEventArgs 0x13d45:$x5: KeyLoggerEventArgs 0x15055:$m2: Clipboard Logs ID 0x1514c:$m2: Screenshot Logs ID 0x151a2:$m2: keystroke Logs ID 0x152d7:$m3: SnakePW 0x15138:$m4: \SnakeKeylogger\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.1b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.1b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.1b0000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.1b0000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bdb:$a1: get_encryptedPassword 0x14ec7:$a2: get_encryptedUsername 0x149e7:$a3: get_timePasswordChanged 0x14ae2:$a4: get_passwordField 0x14bf1:$a5: set_encryptedPassword 0x16270:$a7: get_logins 0x161d3:$a10: KeyLoggerEventArgs 0x15e3e:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.1b0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c519:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b74b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb7e:$a4: \Orbitum\User Data\Default\Login Data 0x1cbbd:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.1b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x157b4:$s1: UnHook 0x157bb:$s2: SetHook 0x157c3:$s3: CallNextHook 0x157d0:$s4: _hook
2.2.RegSvcs.exe.1b0000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184bc:$x1: $%SMTPDV$ 0x18522:$x2: $#TheHashHere%& 0x19b19:$x3: %FTPDV$ 0x19c0d:$x4: $%TelegramDv$ 0x15e3e:$x5: KeyLoggerEventArgs 0x161d3:$x5: KeyLoggerEventArgs 0x19b3d:$m2: Clipboard Logs ID 0x19d5d:$m2: Screenshot Logs ID 0x19e6d:$m2: keystroke Logs ID 0x1a147:$m3: SnakePW 0x19d35:$m4: \SnakeKeylogger\
0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14bdb:$a1: get_encryptedPassword 0x14ec7:$a2: get_encryptedUsername 0x149e7:$a3: get_timePasswordChanged 0x14ae2:$a4: get_passwordField 0x14bf1:$a5: set_encryptedPassword 0x16270:$a7: get_logins 0x161d3:$a10: KeyLoggerEventArgs 0x15e3e:$a11: KeyLoggerEventArgsEventHandler
0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c519:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b74b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb7e:$a4: \Orbitum\User Data\Default\Login Data 0x1cbbd:$a5: \Kometa\User Data\Default\Login Data
0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x157b4:$s1: UnHook 0x157bb:$s2: SetHook 0x157c3:$s3: CallNextHook 0x157d0:$s4: _hook
0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184bc:$x1: $%SMTPDV$ 0x18522:$x2: $#TheHashHere%& 0x19b19:$x3: %FTPDV$ 0x19c0d:$x4: $%TelegramDv$ 0x15e3e:$x5: KeyLoggerEventArgs 0x161d3:$x5: KeyLoggerEventArgs 0x19b3d:$m2: Clipboard Logs ID 0x19d5d:$m2: Screenshot Logs ID 0x19e6d:$m2: keystroke Logs ID 0x1a147:$m3: SnakePW 0x19d35:$m4: \SnakeKeylogger\
0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ddb:$a1: get_encryptedPassword 0x130c7:$a2: get_encryptedUsername 0x12be7:$a3: get_timePasswordChanged 0x12ce2:$a4: get_passwordField 0x12df1:$a5: set_encryptedPassword 0x14470:$a7: get_logins 0x143d3:$a10: KeyLoggerEventArgs 0x1403e:$a11: KeyLoggerEventArgsEventHandler
0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a719:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1994b:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d7e:$a4: \Orbitum\User Data\Default\Login Data 0x1adbd:$a5: \Kometa\User Data\Default\Login Data
0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x139b4:$s1: UnHook 0x139bb:$s2: SetHook 0x139c3:$s3: CallNextHook 0x139d0:$s4: _hook
0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x166bc:$x1: $%SMTPDV$ 0x16722:$x2: $#TheHashHere%& 0x17d19:$x3: %FTPDV$ 0x17e0d:$x4: $%TelegramDv$ 0x1403e:$x5: KeyLoggerEventArgs 0x143d3:$x5: KeyLoggerEventArgs 0x17d3d:$m2: Clipboard Logs ID 0x17f5d:$m2: Screenshot Logs ID 0x1806d:$m2: keystroke Logs ID 0x18347:$m3: SnakePW 0x17f35:$m4: \SnakeKeylogger\
Click to see the 15 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3917754601.0000000002421000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "cash@mpdxb-ae.com", "Password": "Khalid2020", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: Deye Union - PO # 23081377.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Deye Union - PO # 23081377.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Deye Union - PO # 23081377.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49705 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: Deye Union - PO # 23081377.exe, 00000000.00000003.1452103671.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Deye Union - PO # 23081377.exe, 00000000.00000003.1454934385.00000000038A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Deye Union - PO # 23081377.exe, 00000000.00000003.1452103671.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Deye Union - PO # 23081377.exe, 00000000.00000003.1454934385.00000000038A0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0032DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0032DBBE
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002FC2A2 FindFirstFileExW,	0_2_002FC2A2
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_003368EE FindFirstFileW,FindClose,	0_2_003368EE
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0033698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0033698F
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0032D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0032D076
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0032D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0032D3A9
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00339642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00339642
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0033979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0033979D
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00339B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00339B2B
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00335C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00335C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0085F1F6h	2_2_0085F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0085FB80h	2_2_0085F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0085E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0085EB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_0085ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3B791h	2_2_05E3B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E31A38h	2_2_05E31620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E31471h	2_2_05E311C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E302F1h	2_2_05E30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3C041h	2_2_05E3BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E31011h	2_2_05E30D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3F009h	2_2_05E3ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E30751h	2_2_05E304A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3E759h	2_2_05E3E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3DEA9h	2_2_05E3DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3DA51h	2_2_05E3D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3D1A1h	2_2_05E3CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3C8F1h	2_2_05E3C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3F8B9h	2_2_05E3F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E31A38h	2_2_05E31610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3C499h	2_2_05E3C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3F461h	2_2_05E3F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E31A38h	2_2_05E31966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3BBE9h	2_2_05E3B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E30BB1h	2_2_05E30900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3EBB1h	2_2_05E3E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3E301h	2_2_05E3E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3D5F9h	2_2_05E3D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3CD49h	2_2_05E3CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E3FD11h	2_2_05E3FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E60741h	2_2_05E60498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E68945h	2_2_05E68608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E68459h	2_2_05E681B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E65441h	2_2_05E65198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E60FF1h	2_2_05E60D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E68001h	2_2_05E67D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E67BA9h	2_2_05E67900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E60B99h	2_2_05E608F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E67751h	2_2_05E674A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E602E9h	2_2_05E60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E672FAh	2_2_05E67050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E66E79h	2_2_05E66BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_05E633A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_05E633B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E66A21h	2_2_05E66778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E665C9h	2_2_05E66320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E66171h	2_2_05E65EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E65D19h	2_2_05E65A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05E658C1h	2_2_05E65618

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0033CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0033CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.3917754601.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000258A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000024E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002597000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.3917754601.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000252C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000258A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000024E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000024DD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002597000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3917754601.0000000002421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Deye Union - PO # 23081377.exe, 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3917754601.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000258A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002597000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002501000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3917754601.0000000002421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3917754601.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000252C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000258A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000024E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002597000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Deye Union - PO # 23081377.exe, 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000024E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegSvcs.exe, 00000002.00000002.3917754601.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000252C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000258A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002597000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52697
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0033EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0033EAFF

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0033ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0033ED6A

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

0_2_0033EAFF

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0032AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0032AA57

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_00359576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00359576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: Deye Union - PO # 23081377.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Deye Union - PO # 23081377.exe, 00000000.00000000.1438360268.0000000000382000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d3570e3a-5
Source: Deye Union - PO # 23081377.exe, 00000000.00000000.1438360268.0000000000382000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f471f17f-f
Source: Deye Union - PO # 23081377.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_34230952-6
Source: Deye Union - PO # 23081377.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ea06aa03-4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0032D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0032D5EB

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_00321201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00321201

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0032E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0032E8F6

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002CBF40	0_2_002CBF40
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002C8060	0_2_002C8060
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00332046	0_2_00332046
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00328298	0_2_00328298
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002FE4FF	0_2_002FE4FF
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002F676B	0_2_002F676B
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00354873	0_2_00354873
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002ECAA0	0_2_002ECAA0
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002CCAF0	0_2_002CCAF0
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002DCC39	0_2_002DCC39
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002F6DD9	0_2_002F6DD9
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002DD065	0_2_002DD065
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002C90BC	0_2_002C90BC
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002DB119	0_2_002DB119
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002C91C0	0_2_002C91C0
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E1394	0_2_002E1394
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E1706	0_2_002E1706
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E781B	0_2_002E781B
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002C7920	0_2_002C7920
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002D997D	0_2_002D997D
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E19B0	0_2_002E19B0
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E7A4A	0_2_002E7A4A
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E1C77	0_2_002E1C77
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E7CA7	0_2_002E7CA7
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00313CD5	0_2_00313CD5
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0034BE44	0_2_0034BE44
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002F9EEE	0_2_002F9EEE
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E1F32	0_2_002E1F32
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_032135C0	0_2_032135C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085F007	2_2_0085F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085C190	2_2_0085C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00856108	2_2_00856108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085B328	2_2_0085B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085C470	2_2_0085C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00856730	2_2_00856730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085C753	2_2_0085C753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00859858	2_2_00859858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00854AD9	2_2_00854AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085CA33	2_2_0085CA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085BBD3	2_2_0085BBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085CD10	2_2_0085CD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085BEB0	2_2_0085BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085B4F3	2_2_0085B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085E517	2_2_0085E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085E528	2_2_0085E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00853573	2_2_00853573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0085DF79	2_2_0085DF79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3B4E8	2_2_05E3B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E38460	2_2_05E38460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E311C0	2_2_05E311C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E33870	2_2_05E33870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E30040	2_2_05E30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E37B70	2_2_05E37B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3BD88	2_2_05E3BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E37D90	2_2_05E37D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3BD98	2_2_05E3BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E30D60	2_2_05E30D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3ED60	2_2_05E3ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E30D51	2_2_05E30D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3ED50	2_2_05E3ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3B4D7	2_2_05E3B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E304A0	2_2_05E304A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3E4A0	2_2_05E3E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3E4B0	2_2_05E3E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E30490	2_2_05E30490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3DC00	2_2_05E3DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3D7A8	2_2_05E3D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3D798	2_2_05E3D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3CEE9	2_2_05E3CEE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3CEF8	2_2_05E3CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3C648	2_2_05E3C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3C638	2_2_05E3C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3F600	2_2_05E3F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3F610	2_2_05E3F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3C1E0	2_2_05E3C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3C1F0	2_2_05E3C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3F1A9	2_2_05E3F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E311B0	2_2_05E311B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3F1B8	2_2_05E3F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3B940	2_2_05E3B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3B930	2_2_05E3B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E30900	2_2_05E30900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3E908	2_2_05E3E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E308F0	2_2_05E308F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3E8F8	2_2_05E3E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E33860	2_2_05E33860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3E049	2_2_05E3E049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3E058	2_2_05E3E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E30007	2_2_05E30007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E373E8	2_2_05E373E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3DBF1	2_2_05E3DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E373D8	2_2_05E373D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3D340	2_2_05E3D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3D350	2_2_05E3D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3CAA0	2_2_05E3CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3CA90	2_2_05E3CA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3FA68	2_2_05E3FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E3FA59	2_2_05E3FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6C9D8	2_2_05E6C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E611A0	2_2_05E611A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6BD38	2_2_05E6BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6B0A0	2_2_05E6B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E60498	2_2_05E60498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6D028	2_2_05E6D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6A408	2_2_05E6A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E68BED	2_2_05E68BED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6C388	2_2_05E6C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6B6E8	2_2_05E6B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6D670	2_2_05E6D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6AA58	2_2_05E6AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E68608	2_2_05E68608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E685FF	2_2_05E685FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6C9C8	2_2_05E6C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E681A0	2_2_05E681A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E681B0	2_2_05E681B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6518A	2_2_05E6518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E65198	2_2_05E65198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E60D48	2_2_05E60D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E67D48	2_2_05E67D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E67D58	2_2_05E67D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6BD28	2_2_05E6BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E60D39	2_2_05E60D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E67900	2_2_05E67900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E608E0	2_2_05E608E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E608F0	2_2_05E608F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E678F0	2_2_05E678F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E674A8	2_2_05E674A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E628B0	2_2_05E628B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E60488	2_2_05E60488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E67497	2_2_05E67497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E67047	2_2_05E67047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E60040	2_2_05E60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E67050	2_2_05E67050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E64430	2_2_05E64430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E60006	2_2_05E60006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E62807	2_2_05E62807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E62809	2_2_05E62809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6D018	2_2_05E6D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6A3F8	2_2_05E6A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E66BC1	2_2_05E66BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E66BD0	2_2_05E66BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E633A8	2_2_05E633A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E633B8	2_2_05E633B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6676A	2_2_05E6676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E66778	2_2_05E66778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6C378	2_2_05E6C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E66320	2_2_05E66320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E63730	2_2_05E63730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E66310	2_2_05E66310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E65EC8	2_2_05E65EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6B6D9	2_2_05E6B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E65EB8	2_2_05E65EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E65A60	2_2_05E65A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6D661	2_2_05E6D661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E65A70	2_2_05E65A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E6AA48	2_2_05E6AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E65609	2_2_05E65609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E65618	2_2_05E65618

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: String function: 002C9CB3 appears 31 times
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: String function: 002DF9F2 appears 40 times
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: String function: 002E0A30 appears 46 times

Source: Deye Union - PO # 23081377.exe, 00000000.00000003.1454934385.00000000039CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Deye Union - PO # 23081377.exe
Source: Deye Union - PO # 23081377.exe, 00000000.00000003.1454474080.0000000003823000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Deye Union - PO # 23081377.exe
Source: Deye Union - PO # 23081377.exe, 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Deye Union - PO # 23081377.exe

Source: Deye Union - PO # 23081377.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, A--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, A--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_003337B5 GetLastError,FormatMessageW,

0_2_003337B5

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_003210BF AdjustTokenPrivileges,CloseHandle,		0_2_003210BF
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_003216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003216C3

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_003351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003351CD

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0034A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0034A67C

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0033648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0033648E

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002C42A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

File created: C:\Users\user\AppData\Local\Temp\autD352.tmp

Jump to behavior

Source: Deye Union - PO # 23081377.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3917754601.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3919039057.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000267D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000026A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000266F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000265F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Deye Union - PO # 23081377.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe "C:\Users\user\Desktop\Deye Union - PO # 23081377.exe"
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Deye Union - PO # 23081377.exe"
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Deye Union - PO # 23081377.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Deye Union - PO # 23081377.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Deye Union - PO # 23081377.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Deye Union - PO # 23081377.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Deye Union - PO # 23081377.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Deye Union - PO # 23081377.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Deye Union - PO # 23081377.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Deye Union - PO # 23081377.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Deye Union - PO # 23081377.exe, 00000000.00000003.1452103671.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Deye Union - PO # 23081377.exe, 00000000.00000003.1454934385.00000000038A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Deye Union - PO # 23081377.exe, 00000000.00000003.1452103671.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Deye Union - PO # 23081377.exe, 00000000.00000003.1454934385.00000000038A0000.00000004.00001000.00020000.00000000.sdmp

Source: Deye Union - PO # 23081377.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Deye Union - PO # 23081377.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Deye Union - PO # 23081377.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Deye Union - PO # 23081377.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Deye Union - PO # 23081377.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002C42DE

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E0A76 push ecx; ret		0_2_002E0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05E32E60 push esp; iretd		2_2_05E32E79

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	File created: \deye union - po # 23081377.exe
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	File created: \deye union - po # 23081377.exe			Jump to behavior

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_002DF98E
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00351C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00351C41

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97064

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

API/Special instruction interceptor: Address: 32131E4

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002CD010 rdtsc

0_2_002CD010

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599342	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599232	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594312	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1706			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8146			Jump to behavior

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

API coverage: 4.0 %

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0032DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0032DBBE
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002FC2A2 FindFirstFileExW,	0_2_002FC2A2
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_003368EE FindFirstFileW,FindClose,	0_2_003368EE
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0033698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0033698F
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0032D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0032D076
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0032D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0032D3A9
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00339642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00339642
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_0033979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0033979D
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00339B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00339B2B
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00335C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00335C97

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002C42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599342	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599232	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594312	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3917258676.0000000000899000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002CD010 Start: 002CD039 End: 002CD029

0_2_002CD010

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002CD010 rdtsc

0_2_002CD010

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_05E37B70 LdrInitializeThunk,

2_2_05E37B70

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0033EAA2 BlockInput,

0_2_0033EAA2

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_002F2622

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002C42DE

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E4CE8 mov eax, dword ptr fs:[00000030h]	0_2_002E4CE8
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_03213450 mov eax, dword ptr fs:[00000030h]	0_2_03213450
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_032134B0 mov eax, dword ptr fs:[00000030h]	0_2_032134B0
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_03211E70 mov eax, dword ptr fs:[00000030h]	0_2_03211E70

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_00320B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00320B62

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002F2622
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002E083F
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E09D5 SetUnhandledExceptionFilter,	0_2_002E09D5
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_002E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002E0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 359008

Jump to behavior

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

0_2_00321201

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_00302BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00302BA5

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0032B226 SendInput,keybd_event,

0_2_0032B226

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_003422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_003422DA

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Deye Union - PO # 23081377.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

0_2_00320B62

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_00321663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00321663

Source: Deye Union - PO # 23081377.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Deye Union - PO # 23081377.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002E0698 cpuid

0_2_002E0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_00338195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00338195

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_0031D27A GetUserNameW,

0_2_0031D27A

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002FB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_002FB952

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe

Code function: 0_2_002C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002C42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3917754601.00000000025EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3917754601.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Deye Union - PO # 23081377.exe	Binary or memory string: WIN_81
Source: Deye Union - PO # 23081377.exe	Binary or memory string: WIN_XP
Source: Deye Union - PO # 23081377.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Deye Union - PO # 23081377.exe	Binary or memory string: WIN_XPe
Source: Deye Union - PO # 23081377.exe	Binary or memory string: WIN_VISTA
Source: Deye Union - PO # 23081377.exe	Binary or memory string: WIN_7
Source: Deye Union - PO # 23081377.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Deye Union - PO # 23081377.exe.3220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3917754601.00000000025EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3917754601.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Deye Union - PO # 23081377.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7632, type: MEMORYSTR

Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00341204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00341204
Source: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe	Code function: 0_2_00341806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00341806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Virtualization/Sandbox Evasion	Cached Domain Credentials	111 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Deye Union - PO # 23081377.exe	42%	ReversingLabs	Win32.Trojan.ShellcodeCrypter
Deye Union - PO # 23081377.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3917754601.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000252C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000258A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000024E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002597000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.3917754601.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000252C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000258A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000024E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000024DD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002597000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.3917754601.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000258A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000024E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002597000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	RegSvcs.exe, 00000002.00000002.3917754601.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000252C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000258A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002597000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3917754601.0000000002421000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	Deye Union - PO # 23081377.exe, 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3917754601.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.000000000258A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002597000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.0000000002501000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000025E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	Deye Union - PO # 23081377.exe, 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3917754601.00000000024E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480122
Start date and time:	2024-07-24 15:34:02 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Deye Union - PO # 23081377.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 52 Number of non-executed functions: 290
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Deye Union - PO # 23081377.exe

Simulations

Behavior and APIs

Time	Type	Description
09:35:12	API Interceptor	11020154x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jk8Z5I
	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	www.010101-11122-2222.cloud/rn94/?ndsLnTq=grMJGHTOpxQfD2iixWctBZvhCYtmqSbLUJDCoaQDnQJ3Rh8vFQmgv7kvDLvYcoaVSk1M&pPO=DFQxUrcpRxVH
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	tny.wtf/cyd
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/PM6yPStj/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/0DmcWsUI/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/PM6yPStj/download
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	tny.wtf/Dl
	#U00d6deme kopyas#U0131.xls	Get hash	malicious	Remcos	Browse	tny.wtf/
132.226.247.73	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	checkip.dyndns.org/
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Revised PI_2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ORDER--GO289533005XXXX024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	57m#U00b3 LPG SEMI TRAILER 7 NOS.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WT01151024637.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.96.3
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rRFQ_025261-97382.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.247.73
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.lombardins.com/lomcms/?action=lostpassword&error=invalidkey	Get hash	malicious	Unknown	Browse	104.22.4.81
	https://amour-adventure.com/wdMpjN?x=ZGF2ZXByb3NlZWRAZ29uZHRjLmNvbQ==&y=z241147_947	Get hash	malicious	Unknown	Browse	104.21.9.7
	9ic0UJ4Eah.exe	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://recoveryinmind.com.au/styles/meus.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://0f34q.n8xgn.com/0f34Q/&design=DAGL1KVwhx0&accessRole=viewer&linkSource=document	Get hash	malicious	Unknown	Browse	104.21.95.143
	https://jul-fat.s3.us-east-2.amazonaws.com/Comprovativo_Julho_ilxtf_11-07-2024_17.zip?=CBJWEMFPSBTBJTCWJMMHXOTTZAUEUJDNBHBGDALULXNCKKLTVEMGSERPIRBESAUHZGABRXVIASXKAQTZPAJPZXVXRNWNKFBJCEFTKICKJDGKIROSZDPSRFJBLDLDZHIVRMZXLKWFZLEUQVOKKGPVRITXUDIVWWBBUMIXTRGWFJUGAQLPQLERTODHT	Get hash	malicious	Unknown	Browse	1.1.1.1
	Sync_Approval_Document.html	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
UTMEMUS	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.247.73
	yIRn1ZmsQF.elf	Get hash	malicious	Unknown	Browse	128.169.78.63
	kHeNppYRgN.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Revised PI_2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	ORDER--GO289533005XXXX024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	rPO0977-6745.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rcrypt.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	afRggioa9s.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	afRggioa9s.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	188.114.97.3
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\Deye Union - PO # 23081377.exe
File Type:	data
Category:	dropped
Size (bytes):	81630
Entropy (8bit):	7.838204055948679
Encrypted:	false
SSDEEP:	1536:hK5TTkDoPGph4MlLtsi4wMNQR4k31wP68gPL3W/mkIl9Nw:hOsnFui4TNQR4k31/8gPICLNw
MD5:	D04CD6E583DD1DBDF58378129FE3A750
SHA1:	D7A6854993387536A6CD469B2109B14C726E8C00
SHA-256:	BEB26A1E11C164B4759D6CDD80651AD6CB1EDC144A3954A11C5869CBB483304A
SHA-512:	5F2957301409C05EC7146887909A4CB43973EFF486C9B2F69C2368B343E315BC4441B842A5A9BD0EDF10FF77ADEBFE16ABC2956900B74C8EC0E9A149B0C9708E
Malicious:	false
Reputation:	low
Preview:	EA06......:.EZcS.T.5.o6.Z........2.V.`.....}[ ..I..i.z.^'....{,.O ......U;..%.....O.rJ$..:.....M9....B,....Z.Z.L...M5.`..3.QjP...G.R.@...I...]..0.....0.f5....#4...M.`...cI.\z..&.2...2..:..1...gstY.N......%....Q+Tp....3..kS....Tj.....Y.RW:..".j8.f4....`.........C.T@...........g....cQ...m$..jt .L....f..9..........I...S.V.Q.=j......eF.j.........J.....c3..w ...V.3i.:..I.`.!....j...[.....B..M@....aV..' ....0....@..@.y..R3s.T.w...r.U.5.u./).L...]\...^.S)...K.Md...f....T.,P. ..S....`s..F.b9Z.j$.ZuN.5......>.H..h1....c.LjtJ...2..)...d..k.)..A\|..u:.r5q.V.2)..!..*...... .).j.......2zX..q.."r..N.^.......p.V@....&)...eF.Xn..5:.]...I%v.1..jw;.2J.._f7..G.M.`i..Ny...S.O..V......j.F.Sj.M:[y.L..I...`.^`...j.[..&5.l...0........L)7...3.T...j..H.0....eL.Yd..:...61Z..[[..kS...O...).y$T.a...4`..J...mF.2.N.`-.F....6.....2.H.<..F.+.T..p.@......K.f.1..@!...(.......3.L.@1...0...d.....U......U.w.eBI...m.JW\|.. ......Ry`....i...F/Q..@.....i..8....C..\..c;.Z..EFE...

C:\Users\user\AppData\Local\Temp\autD382.tmp

Download File

Process:	C:\Users\user\Desktop\Deye Union - PO # 23081377.exe
File Type:	data
Category:	dropped
Size (bytes):	9700
Entropy (8bit):	7.632968659156218
Encrypted:	false
SSDEEP:	192:ZzA/dPFBDsEYUovRdE3xqRESJ47Hhc2ukt3YKjf/wFVy:ZzgNBDsEYTvRUxPHhcWAXy
MD5:	EE06BCF8673F660B4697CAF0242E2107
SHA1:	6494D61CB7336E660A3FBFA82F9BC2B65A710971
SHA-256:	A032B4CAFFFF6CF3C24EDE5BF890141989BECD1D2203BEB4A807D683841345BD
SHA-512:	E9865391779A2D7CAF973C89722620BCA1428C1AC9ADABD4983E6948C795D8327270525C1F9938B5B1F46E0E5213CDC62DB43FB73425E35EABC747C135C338C5
Malicious:	false
Reputation:	low
Preview:	EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........\|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3\|vi..G.7...8_..qf..i\|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...

C:\Users\user\AppData\Local\Temp\demonetising

Download File

Process:	C:\Users\user\Desktop\Deye Union - PO # 23081377.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.572133445800123
Encrypted:	false
SSDEEP:	768:Jx2uAScFCo3T3iC5v53Ant0Uy+nP+nXJka/Xsv2HzNmL5sCWi:euAScFCo3T3i4v53Ant0Uy+nP+nXJka+
MD5:	EE8C4EA6962297FD9E11AA10FF720CAA
SHA1:	D29BA99097A49138A7283D26A6734085698B0A03
SHA-256:	7E3312E575A345A7E5011D62159C480C9E1A612A99B4D9825637D2165E85E5D8
SHA-512:	81199DDA762E622BDD9925648C39183C68E565D0606B1651D80D8E9E77E1A2DC339CEB334BD64F7C34708CE03044A2E2B0C878202D2CFFAC4BAE0A54249A7C09
Malicious:	false
Reputation:	low
Preview:	3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;

C:\Users\user\AppData\Local\Temp\teer

Download File

Process:	C:\Users\user\Desktop\Deye Union - PO # 23081377.exe
File Type:	data
Category:	dropped
Size (bytes):	134144
Entropy (8bit):	6.844216861751157
Encrypted:	false
SSDEEP:	3072:UL1HlTnfnTq0NsCrmbAg+5wiFHagnhFq/6jrae1Eyz:g1HRfnTqWstxSXhFq/6j1Eyz
MD5:	24D6D4D2C3B31307BA27DCF1957CEA4B
SHA1:	3260C6F84F12437418139A898447AD4088879424
SHA-256:	E87E50EA659957032BFCC8453F1CDE91DDAE6D0DC17E9DF711D17BE3744246C8
SHA-512:	7CB6F712AABA2CDBD074B5B37BF63ED85C683D67E72967BC938C6549EFA8A69BBC7C576F9B00E43BEA39F06874D10435C31B61AE8EC2C9633EA1FC4B4BA2137D
Malicious:	false
Reputation:	low
Preview:	.h.ZHV1SJSYZ..FZ.V1SNSYZr2FZKV1SNSYZ22FZKV1SNSYZ22FZKV1SNSYZ.2FZEI.]N.P...G..we;' y@]!(;.0/=75F.$?k$D=n:7zv}.z&9U6`^TP.2FZKV1S..YZ~3EZ.{.5NSYZ22FZ.V3RER.Z2.GZKB1SNSYZ,&DZKv1SNs[Z22.ZKv1SNQYZ62FZKV1SJSYZ22FZK63SNQYZ22FZIVq.NSIZ2"FZKV!SNCYZ22FZ[V1SNSYZ22FZ.E3S.SYZ2.DZ.F1SNSYZ22FZKV1SNSYZ2rDZGV1SNSYZ22FZKV1SNSYZ22FZKV1SNSYZ22FZKV1SNSYZ22FZKV1SNsYZ:2FZKV1SNSYZ:.FZ.V1SNSYZ22FZe"T+:SYZ..GZKv1SN.XZ20FZKV1SNSYZ22FZkV13`!*(Q2FZ.F1SNs[Z2 FZK.0SNSYZ22FZKV1S.SY..@#6$51SBSYZ2rDZKT1SNY[Z22FZKV1SNSYZr2F.KV1SNSYZ22FZKV1SNG[Z22FZ.V1SLS\Z..GZs.1SMSYZ.2F\.w0S.SYZ22FZKV1SNSYZ22FZKV1SNSYZ22FZKV1SNSYZ22FZ.+.\..3A..ZKV1SNR[Y64NRKV1SNSYZL2FZ.V1S.SYZ.2FZnV1S#SYZ.2FZ5V1S0SYZV2FZ9V1S/SYZu2FZ$V1S SYZL2FZUT.sNSSp.2DrjV1YNy.).2FP.W1SJ zZ28.XKV5 jSYP.1FZO%.SNY.^22B)mV1Y.VYZ6..ZH.'UNSB5.2FPKU.FHSYA..FXcl1SDSs\|21.OMV1HdqYX.;FZO\|g SSY\.qFZA"8SNQ.P22BpUT..NSSp.LVZKR.Sdq'K22BqK\|.-\SY^.2lx5E1SJxYp.LRZKR.SdM[.&2F^atOFNS]q2.d$]V1WeSsxL%FZO}1yPQ.M22BpM\|SS<.EZB1).KV7{.SYP.RFZMV.iN-yZ26D5.V1Yhy.Z0.B[K\1QM.oZ26D^6a1SJy.Z0I.Z

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.805490899873772
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Deye Union - PO # 23081377.exe
File size:	1'020'416 bytes
MD5:	b9b695185a83e88b77ffe37d56948d57
SHA1:	35b095b5b6448126c227436d6202878a0d93e7ab
SHA256:	c124677b62dde195f2df9174342199aa456dc61be86c6e3b1fba48a25ce8d9a5
SHA512:	8a1768f1794412cae6ea250275ea9e7761175daab63949d57932fd33104d904f85aca762bcfb74b76a18930cae9e0ec92c2890e7a84d49aa662efa09fac41d7c
SSDEEP:	24576:SqDEvCTbMWu7rQYlBQcBiT6rprG8aRo96fkHT:STvC/MTQYxsWR7aRO6fQ
TLSH:	8825AE0273C1C062FF9B92334B5AF6515BBC69260123E62F13981DB9BE705B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A02544 [Tue Jul 23 21:48:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F34008C8293h
jmp 00007F34008C7B9Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F34008C7D7Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F34008C7D4Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F34008CA93Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F34008CA988h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F34008CA971h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x2264c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf7000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x2264c	0x22800	e8a84bb4b6c35907b3b773c77e6c60ef	False	0.8076879528985508	data	7.5618865751716005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf7000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x19912	data			1.000391512767136
RT_GROUP_ICON	0xf60cc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf6144	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf6158	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf616c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf6180	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf625c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 15:35:03.498672009 CEST	49704	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:03.504771948 CEST	80	49704	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:03.504869938 CEST	49704	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:03.505642891 CEST	49704	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:03.510680914 CEST	80	49704	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:11.356726885 CEST	80	49704	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:11.365027905 CEST	49704	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:11.372369051 CEST	80	49704	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:11.647924900 CEST	80	49704	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:11.692198992 CEST	49704	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:11.725774050 CEST	49705	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:11.725800991 CEST	443	49705	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:11.725862026 CEST	49705	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:11.734769106 CEST	49705	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:11.734786034 CEST	443	49705	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:12.331238985 CEST	443	49705	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:12.331340075 CEST	49705	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:12.341334105 CEST	49705	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:12.341355085 CEST	443	49705	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:12.341989994 CEST	443	49705	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:12.395358086 CEST	49705	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:12.439491987 CEST	49705	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:12.480520964 CEST	443	49705	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:12.596249104 CEST	443	49705	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:12.596347094 CEST	443	49705	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:12.596405029 CEST	49705	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:12.603689909 CEST	49705	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:12.608350992 CEST	49704	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:12.616616011 CEST	80	49704	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:13.353487015 CEST	80	49704	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:13.356877089 CEST	49706	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:13.356923103 CEST	443	49706	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:13.357002020 CEST	49706	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:13.357386112 CEST	49706	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:13.357400894 CEST	443	49706	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:13.395402908 CEST	49704	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:14.376343012 CEST	443	49706	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:14.379307985 CEST	49706	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:14.379339933 CEST	443	49706	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:14.523627996 CEST	443	49706	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:14.523753881 CEST	443	49706	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:14.523822069 CEST	49706	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:14.524471998 CEST	49706	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:14.527626038 CEST	49704	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:14.528996944 CEST	49707	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:14.537190914 CEST	80	49704	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:14.537298918 CEST	49704	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:14.537372112 CEST	80	49707	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:14.537441015 CEST	49707	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:14.537573099 CEST	49707	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:14.543509960 CEST	80	49707	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:15.278913021 CEST	80	49707	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:15.280044079 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:15.280071974 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:15.280149937 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:15.280384064 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:15.280396938 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:15.332812071 CEST	49707	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:15.791241884 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:15.793200016 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:15.793235064 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:15.949533939 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:15.949769020 CEST	443	49708	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:15.949857950 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:15.950171947 CEST	49708	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:15.954592943 CEST	49709	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:15.969310045 CEST	80	49709	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:15.969424009 CEST	49709	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:15.969610929 CEST	49709	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:15.976331949 CEST	80	49709	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:16.696932077 CEST	80	49709	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:16.698620081 CEST	49710	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:16.698683977 CEST	443	49710	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:16.698780060 CEST	49710	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:16.699095011 CEST	49710	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:16.699105978 CEST	443	49710	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:16.739069939 CEST	49709	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:17.262530088 CEST	443	49710	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:17.264801979 CEST	49710	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:17.264832020 CEST	443	49710	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:17.431442022 CEST	443	49710	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:17.431555033 CEST	443	49710	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:17.431633949 CEST	49710	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:17.432226896 CEST	49710	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:17.436140060 CEST	49709	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:17.437504053 CEST	49711	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:17.442199945 CEST	80	49709	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:17.442286015 CEST	49709	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:17.442468882 CEST	80	49711	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:17.442646027 CEST	49711	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:17.442646027 CEST	49711	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:17.447566986 CEST	80	49711	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:18.186496019 CEST	80	49711	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:18.229594946 CEST	49712	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:18.229648113 CEST	443	49712	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:18.229700089 CEST	49712	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:18.240238905 CEST	49711	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:18.263540983 CEST	49712	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:18.263566971 CEST	443	49712	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:18.807979107 CEST	443	49712	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:18.809834957 CEST	49712	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:18.809859037 CEST	443	49712	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:18.947254896 CEST	443	49712	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:18.947536945 CEST	443	49712	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:18.947597027 CEST	49712	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:18.947910070 CEST	49712	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:18.952081919 CEST	49711	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:18.953313112 CEST	49715	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:18.958856106 CEST	80	49715	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:18.958939075 CEST	49715	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:18.959033012 CEST	49715	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:18.963969946 CEST	80	49715	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:18.972758055 CEST	80	49711	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:18.972872972 CEST	49711	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:20.707446098 CEST	80	49715	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:20.734975100 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:20.735012054 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:20.735116959 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:20.735650063 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:20.735666037 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:20.754689932 CEST	49715	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:21.310575008 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:21.323587894 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:21.323635101 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:21.475949049 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:21.476063013 CEST	443	49719	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:21.476309061 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:21.476722002 CEST	49719	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:21.479830027 CEST	49715	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:21.481069088 CEST	49720	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:21.486202002 CEST	80	49720	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:21.486301899 CEST	49720	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:21.486428022 CEST	49720	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:21.487641096 CEST	80	49715	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:21.487723112 CEST	49715	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:21.491286039 CEST	80	49720	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:22.205079079 CEST	80	49720	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:22.206537962 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:22.206587076 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:22.206743002 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:22.207000971 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:22.207012892 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:22.254698038 CEST	49720	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:22.686469078 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:22.696701050 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:22.696719885 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:22.822041035 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:22.822138071 CEST	443	49721	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:22.822521925 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:22.823189974 CEST	49721	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:22.837348938 CEST	49720	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:22.839783907 CEST	49722	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:22.846857071 CEST	80	49722	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:22.846971035 CEST	49722	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:22.847395897 CEST	49722	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:22.848812103 CEST	80	49720	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:22.848911047 CEST	49720	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:22.852611065 CEST	80	49722	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:23.589704990 CEST	80	49722	132.226.247.73	192.168.2.8
Jul 24, 2024 15:35:23.591731071 CEST	52697	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:23.591794968 CEST	443	52697	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:23.591988087 CEST	52697	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:23.592242956 CEST	52697	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:23.592262983 CEST	443	52697	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:23.645406961 CEST	49722	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:35:24.107856989 CEST	443	52697	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:24.109677076 CEST	52697	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:24.109697104 CEST	443	52697	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:24.271193981 CEST	443	52697	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:24.271291971 CEST	443	52697	188.114.97.3	192.168.2.8
Jul 24, 2024 15:35:24.271621943 CEST	52697	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:35:24.272042990 CEST	52697	443	192.168.2.8	188.114.97.3
Jul 24, 2024 15:36:20.278419018 CEST	80	49707	132.226.247.73	192.168.2.8
Jul 24, 2024 15:36:20.278482914 CEST	49707	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:36:28.571276903 CEST	80	49722	132.226.247.73	192.168.2.8
Jul 24, 2024 15:36:28.571367025 CEST	49722	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:37:03.598660946 CEST	49722	80	192.168.2.8	132.226.247.73
Jul 24, 2024 15:37:03.603724957 CEST	80	49722	132.226.247.73	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 15:35:03.483560085 CEST	60863	53	192.168.2.8	1.1.1.1
Jul 24, 2024 15:35:03.493662119 CEST	53	60863	1.1.1.1	192.168.2.8
Jul 24, 2024 15:35:11.716422081 CEST	55340	53	192.168.2.8	1.1.1.1
Jul 24, 2024 15:35:11.724999905 CEST	53	55340	1.1.1.1	192.168.2.8
Jul 24, 2024 15:35:23.355793953 CEST	53	61770	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 15:35:03.483560085 CEST	192.168.2.8	1.1.1.1	0x2508	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:35:11.716422081 CEST	192.168.2.8	1.1.1.1	0xeb15	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 15:35:03.493662119 CEST	1.1.1.1	192.168.2.8	0x2508	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 15:35:03.493662119 CEST	1.1.1.1	192.168.2.8	0x2508	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:35:03.493662119 CEST	1.1.1.1	192.168.2.8	0x2508	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:35:03.493662119 CEST	1.1.1.1	192.168.2.8	0x2508	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:35:03.493662119 CEST	1.1.1.1	192.168.2.8	0x2508	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:35:03.493662119 CEST	1.1.1.1	192.168.2.8	0x2508	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:35:11.724999905 CEST	1.1.1.1	192.168.2.8	0xeb15	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 24, 2024 15:35:11.724999905 CEST	1.1.1.1	192.168.2.8	0xeb15	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	132.226.247.73	80	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:35:03.505642891 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:35:11.356726885 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 82bb2ea4abd9f79257a384f8312f2ae4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 15:35:11.365027905 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 15:35:11.647924900 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4b194438d1c1df0333ce2f2033369d80 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 24, 2024 15:35:12.608350992 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 15:35:13.353487015 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7b7d07210ff17ed96ee66bc4debea6e7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	132.226.247.73	80	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:35:14.537573099 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 24, 2024 15:35:15.278913021 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 92f0610fad438b4af555fa1878394fa2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49709	132.226.247.73	80	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:35:15.969610929 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:35:16.696932077 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:16 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 72a0b243a1a2aaa6ed879ec2d403d6a4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49711	132.226.247.73	80	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:35:17.442646027 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:35:18.186496019 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 38a30ccfd058787f12ac8502c41b9122 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49715	132.226.247.73	80	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:35:18.959033012 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:35:20.707446098 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1cde4b04c589b31937bd44ab99603d03 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49720	132.226.247.73	80	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:35:21.486428022 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:35:22.205079079 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 515e81f35883b3a8562ebb73ab97c71e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49722	132.226.247.73	80	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 15:35:22.847395897 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 15:35:23.589704990 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6d789932693c3636c3086d10bde88428 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	188.114.97.3	443	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:35:12 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:35:12 UTC	715	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2863 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1cneo7OOlfp4mMrpI02W5gMfHI%2BCPdQEEzCjQ4zdOt3noT1AAEkrQZdg%2BX%2FyC%2FT%2BtzF%2FIVoeNSw0fFixesxmb2lry%2BpAsxtAN5xBOWxS5PAqdea8lteZNhR%2BYfdlOZJS14VwU82r"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a844ac70cb278e8-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:35:12 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:35:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49706	188.114.97.3	443	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:35:14 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:35:14 UTC	711	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2865 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nkW7MWONA3iZa8DKU0rzoQCV5GT8aRVlx00W%2Bg%2BHIK8QQwXOdSap39Z546EzokmK6ckc6LFC8TSUPyAEj%2F33H2Qd%2BtQX%2Bey4tAunnWFK1XpPZXRYxU%2BrQbXBCsspO3oSnEnhOPVW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a844ad33aa98cc6-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:35:14 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:35:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49708	188.114.97.3	443	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:35:15 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:35:15 UTC	703	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2866 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nqr1R1JNs9i4g1Yg4GdOuOHWlxvXrsMoD7YDzQr45xfjFMYFog9wePRomsgu9F4EJSrMpTwDjn0S3glFAqrQFDQLUf87eARNy8vMWA7qMT70%2FZW52V05wSMGUXYr%2FbYCFqY8HZnq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a844adc49b51891-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:35:15 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:35:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49710	188.114.97.3	443	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:35:17 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:35:17 UTC	713	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:17 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2868 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x301QvLV8pMng9xhMZIIUsykwSYBl9CW84xVSnzHFFAN6jJ%2FAyB4bYj%2F9DplAIAiMlILm%2BwoF6PUYz9IQi%2Furi8mOnVg%2BGZbjfsy2AxK6D%2FPXbhEWBI49IMOhTvj84agX00%2BSYi2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a844ae58d77c42a-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:35:17 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:35:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49712	188.114.97.3	443	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:35:18 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:35:18 UTC	705	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2869 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5nmfsW2xh9HrO4LBMubpB6xlYrmTtNdG8kkvZhmBbhqIv9ZrBlE4iFmTILcvcVbSN%2FYnvCmYF01Wyr84GqKECj8Pt%2BrNolyLIjr4zSU%2BS5lJwmECmuEzwI3SfLt5EXEBPdTxQLTT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a844aef0d7518ae-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:35:18 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:35:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49719	188.114.97.3	443	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:35:21 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:35:21 UTC	713	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2872 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=544Z3uh%2FhUQ0im%2BRxja9fJ0Ct4lvAdGWgX%2BEUqHGC84IORcpPwPa0BUOQlw2dbUs%2FE%2F6ETPhMhFX%2FgBpIHYdhj6Xiwt4IrzEsMOpQZJTXbldDqZABgUuIYek%2BfrrMRoWbhXeo5gF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a844afedca542b9-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:35:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:35:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49721	188.114.97.3	443	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:35:22 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-24 13:35:22 UTC	701	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2873 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lmb3bkMswmhfH5upANsXDwdRgo%2BhpadAWaIHlkG5had0rgkLCjN94gwtuZVommEuduD9hIhWB7RNd9qm6exzDh1iMPW1TA2OCY82lBJiNXyKRregKusCJD1ruPN4AFMyfwYkjY3d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a844b0739727d1a-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:35:22 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:35:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	52697	188.114.97.3	443	7632	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 13:35:24 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-24 13:35:24 UTC	705	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 13:35:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2875 Last-Modified: Wed, 24 Jul 2024 12:47:29 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sPPr5XoUcFtiH4%2FJAZOvXv2dQdOP38fI8KNqgxIIYqG5CHeJaZD2p%2BPvnXkLhVUWvrATTmzDc8Xh1%2FvkV7XtbtH0J9k7qRKpArhIGga3ERcvOueHn5OEASAFnryeJfZYU7ymsxMp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a844b104ee98cc6-EWR alt-svc: h3=":443"; ma=86400
2024-07-24 13:35:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-24 13:35:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:35:00
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\Deye Union - PO # 23081377.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Deye Union - PO # 23081377.exe"
Imagebase:	0x2c0000
File size:	1'020'416 bytes
MD5 hash:	B9B695185A83E88B77FFE37D56948D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1457749397.0000000003220000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:35:01
Start date:	24/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Deye Union - PO # 23081377.exe"
Imagebase:	0xe0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.3916737418.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3917754601.00000000025EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3917754601.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	75

Executed Functions

Function 002C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002C430D

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

GetCurrentProcess.KERNEL32(?,0035CB64,00000000,?,?), ref: 002C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 002C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 002C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 002C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 002C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002C44A0

Strings

kernel32.dll, xrefs: 002C444F
|O, xrefs: 003036F8
GetNativeSystemInfo, xrefs: 002C4460

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: af77ba308fd014a038d163177b2daefe8cebcf844ae92efa8f9628e1b9e68264
Instruction ID: 9f206b357bbaa9956b343cb6a6a755a4268aea4504c08a7626b325a582560581
Opcode Fuzzy Hash: af77ba308fd014a038d163177b2daefe8cebcf844ae92efa8f9628e1b9e68264
Instruction Fuzzy Hash: ADA1E46EA2A3C2DFC727DB797CD06A67FBC6B26300F14559ED441B3A61D2620508CB21

Function 002C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002C50AA,?,?,00000000,00000000), ref: 002C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002C50AA,?,?,00000000,00000000), ref: 002C42C9
LoadResource.KERNEL32(?,00000000,?,?,002C50AA,?,?,00000000,00000000,?,?,?,?,?,?,002C4F20), ref: 003035BE
SizeofResource.KERNEL32(?,00000000,?,?,002C50AA,?,?,00000000,00000000,?,?,?,?,?,?,002C4F20), ref: 003035D3
LockResource.KERNEL32(002C50AA,?,?,002C50AA,?,?,00000000,00000000,?,?,?,?,?,?,002C4F20,?), ref: 003035E6

Strings

SCRIPT, xrefs: 002C42BF

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4e420b7cb182ab7127dc4553597512e2ec38bfc20c94aae02c2cb3589ebd85fa
Instruction ID: 44c6b0136ff10dc4408e56813cfa4d1b202c0d95e430892c0583f3cedb2734c0
Opcode Fuzzy Hash: 4e420b7cb182ab7127dc4553597512e2ec38bfc20c94aae02c2cb3589ebd85fa
Instruction Fuzzy Hash: 1211AC70210301BFEB229B65DC49F277BBDEBC5B56F20466EF802862A0DB71D810D621

Function 00302BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 002C2B6B

Part of subcall function 002C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00391418,?,002C2E7F,?,?,?,00000000), ref: 002C3A78

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00382224), ref: 00302C10
ShellExecuteW.SHELL32(00000000,?,?,00382224), ref: 00302C17

Strings

runas, xrefs: 00302C0B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 40842f009e17b95f3346fa08fe603697276529c8c32ac47a918fa64e4e167a47
Instruction ID: 736c1c2ac45e5d9ba8b3597aeeeddd17f0ffc086177e41b3e57406ce311c3df2
Opcode Fuzzy Hash: 40842f009e17b95f3346fa08fe603697276529c8c32ac47a918fa64e4e167a47
Instruction Fuzzy Hash: 0411E9312283469EC716FF60D855FBEB7A89F95304F445B6DF082530A2CF218A6ECB52

Function 0032DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00305222), ref: 0032DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0032DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0032DBEE
FindClose.KERNEL32(00000000), ref: 0032DBFA

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 846ac17a5538098438a20de861507d88a050de61c8b7f491e16e82c0e2981c50
Instruction ID: be1efb7e855b30ab9cef521b2a6489d692cbed1eb83319cbf675fdedb74c97bd
Opcode Fuzzy Hash: 846ac17a5538098438a20de861507d88a050de61c8b7f491e16e82c0e2981c50
Instruction Fuzzy Hash: 52F0A030820B305BC2226B78BC0D8AA376C9E0133AF104B02F836D20F0EBB05954C696

Function 002CBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#9, xrefs: 003107CE

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#9
API String ID: 3964851224-1243369003
Opcode ID: e6f4a82df6fe8e8040bfe8d6b89fb1588024353086f26da423938e886632da67
Instruction ID: 2fbe56bbcf0dcd7037244248b297d3451cc9d310c4d2337bc1b49967715ff143
Opcode Fuzzy Hash: e6f4a82df6fe8e8040bfe8d6b89fb1588024353086f26da423938e886632da67
Instruction Fuzzy Hash: BDA27B706183419FD719DF14C480B6AB7E1BF89304F248A6DE89A8B352D7B1EC95CF92

Function 002CD730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002CD807
timeGetTime.WINMM ref: 002CDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002CDB28
TranslateMessage.USER32(?), ref: 002CDB7B
DispatchMessageW.USER32(?), ref: 002CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002CDB9F
Sleep.KERNEL32(0000000A), ref: 002CDBB1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 36892b76730960a9c7e7525a3ac292b6b6c7670d0ac8eed3cf124fd24a8a2c64
Instruction ID: 46d2281502b67adf4fbdf45685df4efb876634d6853f6d07f938a93a67c55245
Opcode Fuzzy Hash: 36892b76730960a9c7e7525a3ac292b6b6c7670d0ac8eed3cf124fd24a8a2c64
Instruction Fuzzy Hash: 9C42E330628742DFD72ACF24C885FAAB7E4BF49304F15462EE455872A1D771E8A4CF92

Function 002C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002C2D07
RegisterClassExW.USER32(00000030), ref: 002C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002C2D42
InitCommonControlsEx.COMCTL32(?), ref: 002C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002C2D6F
LoadIconW.USER32(000000A9), ref: 002C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002C2D94

Strings

AutoIt v3 GUI, xrefs: 002C2D23
TaskbarCreated, xrefs: 002C2D37
+, xrefs: 002C2CF0
0, xrefs: 002C2CE9

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d95657c13a04988f770e3adf0edaa2655ec97452a63227dad2f2eed3cbf3ba7a
Instruction ID: 188e65e76f963e64daf0b9a60532665633c4f3a58bc166ae3698954616fe9eea
Opcode Fuzzy Hash: d95657c13a04988f770e3adf0edaa2655ec97452a63227dad2f2eed3cbf3ba7a
Instruction Fuzzy Hash: 5D21C3B5921319AFDB02DFA4EC89BDDBBB8FB08709F10511AF911B62A0D7B24544CF91

Function 002F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.., xrefs: 002F903A, 002F8FD0, 002F8FF2

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: ..
API String ID: 0-1970295553
Opcode ID: f499e33b3775c3aeaeab60062ac575bb1ebbc880270e50c86265753f86847a48
Instruction ID: d3ceb9ac972234dacdfee4b62b44ce0c13b6185160dbe5eaaa68fa46db9940af
Opcode Fuzzy Hash: f499e33b3775c3aeaeab60062ac575bb1ebbc880270e50c86265753f86847a48
Instruction Fuzzy Hash: BEC1147592424EAFCB11DFA8D840BBDFBB4AF09350F044169FA15A7392CB718991CF20

Function 0030065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0030039A: CreateFileW.KERNELBASE(00000000,00000000,?,00300704,?,?,00000000,?,00300704,00000000,0000000C), ref: 003003B7

GetLastError.KERNEL32 ref: 0030076F
__dosmaperr.LIBCMT ref: 00300776
GetFileType.KERNELBASE(00000000), ref: 00300782
GetLastError.KERNEL32 ref: 0030078C
__dosmaperr.LIBCMT ref: 00300795
CloseHandle.KERNEL32(00000000), ref: 003007B5
CloseHandle.KERNEL32(?), ref: 003008FF
GetLastError.KERNEL32 ref: 00300931
__dosmaperr.LIBCMT ref: 00300938

Strings

H, xrefs: 003008BD

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 232cd431034cfa25c2f8a5acbbd331b10b6bcc4cff97a8ce9d1bf1367037875c
Instruction ID: 5dd9335871bd4f03ccf480c1e8e4da4d104e101f7ecb6e724407ebb391952071
Opcode Fuzzy Hash: 232cd431034cfa25c2f8a5acbbd331b10b6bcc4cff97a8ce9d1bf1367037875c
Instruction Fuzzy Hash: 5EA13632A102488FDF1EAF68DC61BAE7BA4EB06320F14415AF8159F2E1D7359D12CB91

Function 002C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00391418,?,002C2E7F,?,?,?,00000000), ref: 002C3A78

Part of subcall function 002C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0030318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003031CE
RegCloseKey.ADVAPI32(?), ref: 00303210
_wcslen.LIBCMT ref: 00303277
_wcslen.LIBCMT ref: 00303286

Strings

Software\AutoIt v3\AutoIt, xrefs: 002C3560
\Include\, xrefs: 002C3527
\, xrefs: 0030328C
Include, xrefs: 00303184, 003031C5

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b092905eebca5d965591c6eb6d6c79555942a4577df87b4c6dd68a70aabdf315
Instruction ID: 29c155ea965fa1ebe8845b8f24ebf939345644115bb0b9cb74f63474c5a93883
Opcode Fuzzy Hash: b092905eebca5d965591c6eb6d6c79555942a4577df87b4c6dd68a70aabdf315
Instruction Fuzzy Hash: 16718D75515701AEC316EF25DC92DABBBECFF89340F404A2EF445831A0EB319A48CB91

Function 002C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 002C2B9D
LoadIconW.USER32(00000063), ref: 002C2BB3
LoadIconW.USER32(000000A4), ref: 002C2BC5
LoadIconW.USER32(000000A2), ref: 002C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002C2BEF
RegisterClassExW.USER32(?), ref: 002C2C40

Part of subcall function 002C2CD4: GetSysColorBrush.USER32(0000000F), ref: 002C2D07
Part of subcall function 002C2CD4: RegisterClassExW.USER32(00000030), ref: 002C2D31
Part of subcall function 002C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002C2D42
Part of subcall function 002C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 002C2D5F
Part of subcall function 002C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002C2D6F
Part of subcall function 002C2CD4: LoadIconW.USER32(000000A9), ref: 002C2D85
Part of subcall function 002C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002C2D94

Strings

#, xrefs: 002C2C16
0, xrefs: 002C2C0F
AutoIt v3, xrefs: 002C2C2F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 41d8cd55fb6a69e25f22f62a1e30de48260fd4fa979f525a3888dfe16f33ab5b
Instruction ID: ab9a86d84ef345ce0d02c6c96ea633e413fb516151ea8c6dc034f90dd4693834
Opcode Fuzzy Hash: 41d8cd55fb6a69e25f22f62a1e30de48260fd4fa979f525a3888dfe16f33ab5b
Instruction Fuzzy Hash: B1212979E10319AFDB229FA6EC95BAD7FB8FB48B54F04411BE504B66A0D7B20540CF90

Function 002CB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002CBB4E

Strings

p#9, xrefs: 0031024F
p#9, xrefs: 002CBA72
x#9, xrefs: 00310207
p#9, xrefs: 002CBB6B
p#9, xrefs: 00310263
p%9, xrefs: 002CB8DC
p%9, xrefs: 002CBB32
x#9, xrefs: 00310168

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#9$p#9$p#9$p#9$p%9$p%9$x#9$x#9
API String ID: 1385522511-2266461043
Opcode ID: 0184f4072a0230978a38b3f7de55e8fdaf06a51e838afb7ed3b3e9afaeff510c
Instruction ID: 310178c9bfe389c92dfe72d549024adb9445b8fc9a2b488c3cadbb9ee333d90f
Opcode Fuzzy Hash: 0184f4072a0230978a38b3f7de55e8fdaf06a51e838afb7ed3b3e9afaeff510c
Instruction Fuzzy Hash: 4532DE38A10209EFCF1ACF54C885FBEB7B9EF48304F15815AE915AB251C7B5AD91CB90

Function 002C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,002C316A,?,?), ref: 002C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,002C316A,?,?), ref: 002C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,002C316A,?,?), ref: 002C3232
CreatePopupMenu.USER32 ref: 002C3246
PostQuitMessage.USER32(00000000), ref: 002C3267

Strings

TaskbarCreated, xrefs: 002C322D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: bfb84fefa39aa5f27d342955f0b8121ae3c550b00a5d8bbd9ba6cff75df5ca0b
Instruction ID: 4c1cf78cc2e45f7071ebe91af5f4e3e1cdd4f4cc08b2af77df44386cfbff20f4
Opcode Fuzzy Hash: bfb84fefa39aa5f27d342955f0b8121ae3c550b00a5d8bbd9ba6cff75df5ca0b
Instruction Fuzzy Hash: 50412935270202AEDF179B389D5EFB93A2DE705344F08871EF915955A1C7E18E209BA2

Function 002CDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%9, xrefs: 0031302D
D%9, xrefs: 002CE4B1
D%9D%9, xrefs: 002CE27E
Variable must be of type 'Object'., xrefs: 003132B7
D%9, xrefs: 00312FDA
D%9, xrefs: 002CE1E0

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: D%9$D%9$D%9$D%9$D%9D%9$Variable must be of type 'Object'.
API String ID: 0-1327069127
Opcode ID: 3a6ed5d75c695fb83e52c571f9b7a1e007593b8d61b07eb4e73f3ec8a3b6061f
Instruction ID: ab144aab4bb231554336409cb23eb718b7f2294079ea2e2ead980df8f9dfcce4
Opcode Fuzzy Hash: 3a6ed5d75c695fb83e52c571f9b7a1e007593b8d61b07eb4e73f3ec8a3b6061f
Instruction Fuzzy Hash: 83C28A71A10605DFCF24CF58C881FADB7B5BF09310F268669E906AB391D371ADA1CB91

Function 032125A0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03212671
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03212897

Memory Dump Source

Source File: 00000000.00000002.1457724343.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 64acb273fa51d6acfa1348ca85d0122b8299c91e426ba2337c18e22426d5b994
Instruction ID: 684f6f7d920d93c639bd3efc76b41d6a603ff2f52ab17eb6ee290d29977cc1a9
Opcode Fuzzy Hash: 64acb273fa51d6acfa1348ca85d0122b8299c91e426ba2337c18e22426d5b994
Instruction Fuzzy Hash: FBA12875E10309EBDB14CFA4C994BEEB7B5BF58304F208599E501BB280C7B59A91CF64

Function 002C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,002C1CAD,?), ref: 002C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,002C1CAD,?), ref: 002C2CCF

Strings

edit, xrefs: 002C2CAC
AutoIt v3, xrefs: 002C2C89, 002C2C8E, 002C2C8F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: db54a3dcfbec963a146ff28e6036c4b1429044b09f3db45c3e2da4358a652db2
Instruction ID: 4a8873b54037a85b19212096173194a53719a7f8216abfbe3154f8d4e9cd76c5
Opcode Fuzzy Hash: db54a3dcfbec963a146ff28e6036c4b1429044b09f3db45c3e2da4358a652db2
Instruction Fuzzy Hash: A9F0DA795503917EEB331727AC88EB72EBDD7CAF55F00105AF904A25B0C6B21854DAB0

Function 032123B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032122A0: Sleep.KERNELBASE(000001F4), ref: 032122B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03212494

Strings

22FZKV1SNSYZ, xrefs: 032124F7, 032124FA

Memory Dump Source

Source File: 00000000.00000002.1457724343.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateFileSleep
String ID: 22FZKV1SNSYZ
API String ID: 2694422964-4136149523
Opcode ID: f4fef53899b930051962dfc96e0cc4c575368cb2a49ca30fa8647b0bb38b3644
Instruction ID: 061216482cc6b2106167080e4a91212530e4bec88ac24189ea84394ea6191f7f
Opcode Fuzzy Hash: f4fef53899b930051962dfc96e0cc4c575368cb2a49ca30fa8647b0bb38b3644
Instruction Fuzzy Hash: B3517031D14349EBEB10DBA4C955BEFBBB8AF18300F008599E605BB2C0D7B91B45CBA5

Function 00332947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00332C05
DeleteFileW.KERNEL32(?), ref: 00332C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00332C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00332CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00332CC0

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6dc284eaae72a78aaeff89664f46d57f24ae640c4f9c7db427ae15a6a7bb4e26
Instruction ID: 6666dc907d084c083cab53178e1732cd9812fe644df6e31b22ebf7866ef35d10
Opcode Fuzzy Hash: 6dc284eaae72a78aaeff89664f46d57f24ae640c4f9c7db427ae15a6a7bb4e26
Instruction Fuzzy Hash: 1AB16F71D10229ABDF12DFA4CC85EDFB77DEF08310F1041A6F609E6151EA31AA448F61

Function 002F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO,, xrefs: 002F5BA8, 002F5C6C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: JO,
API String ID: 0-3346394669
Opcode ID: 85dfa77088d9153cd3fa46170c32eb73c3f4ea6bb4c33d5b826af02e26801d8f
Instruction ID: 50ee122af0da37f006aa4076e51b411c4669bb14656f5546c412c0adf01ff78c
Opcode Fuzzy Hash: 85dfa77088d9153cd3fa46170c32eb73c3f4ea6bb4c33d5b826af02e26801d8f
Instruction Fuzzy Hash: 3B51F371930A2E9FCB119FA5C945FFEFBB8AF05394F14002AFB05A7291D77189218B61

Function 002C10F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002C1BF4
Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 002C1BFC
Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002C1C07
Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002C1C12
Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 002C1C1A
Part of subcall function 002C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 002C1C22

Part of subcall function 002C1B4A: RegisterWindowMessageW.USER32(00000004,?,002C12C4), ref: 002C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002C136A
OleInitialize.OLE32 ref: 002C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 003024AB

Strings

x, xrefs: 002C118A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: x
API String ID: 1986988660-2890206012
Opcode ID: b5c1c427b4ae868edfb1eacf03d696e7ba6e493f4649ec0610bb1f8d29ec3c2c
Instruction ID: 3025a97e30b6114b5aa17655431907f2669f461bc451e96757ed8a182608bd30
Opcode Fuzzy Hash: b5c1c427b4ae868edfb1eacf03d696e7ba6e493f4649ec0610bb1f8d29ec3c2c
Instruction Fuzzy Hash: 4E71D0B98253038FC787DF7AA945A553AE8FB8A344B56422FD41AE7371E7324405CF44

Function 002C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002C3B0F,SwapMouseButtons,00000004,?), ref: 002C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002C3B0F,SwapMouseButtons,00000004,?), ref: 002C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,002C3B0F,SwapMouseButtons,00000004,?), ref: 002C3B83

Strings

Control Panel\Mouse, xrefs: 002C3B3E

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5d34a9792b221795de45333fc0cc68e5e9edfde22c8f5915259bd135042064d7
Instruction ID: dd204ccd800bcf1390cacecac59744a6dafc88158dfcdfed93be121f6f0e9809
Opcode Fuzzy Hash: 5d34a9792b221795de45333fc0cc68e5e9edfde22c8f5915259bd135042064d7
Instruction Fuzzy Hash: B81118B5520209FEDB21CFA5DC44EAEB7BCEF04759B108959A805D7120D2719E50DB60

Function 032112A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03211ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03211AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03211B13

Memory Dump Source

Source File: 00000000.00000002.1457724343.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: edec503cb0649dc290eddd848d79f0cc67421ed35f6d17e6918c9973d102dcc4
Instruction ID: ed4e1080a08a4aaa39cce31064f8200eb2d4c1d950a97332e892f8776e5d0c49
Opcode Fuzzy Hash: edec503cb0649dc290eddd848d79f0cc67421ed35f6d17e6918c9973d102dcc4
Instruction Fuzzy Hash: DD621134A24258DBEB24CFA4C950BDEB375EF68300F1091A9D20DEB390E7759E91CB59

Function 002C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003033A2

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 002C3A04

Strings

Line: , xrefs: 003033EB

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 91dbaef06835c6307a4401db07ece8ff9385854a5a60738dacb7b7227c7b14bc
Instruction ID: 132f30ff62334a574ca25d5bfd8ec1d64350395667da4bfd3673aea126ab0c71
Opcode Fuzzy Hash: 91dbaef06835c6307a4401db07ece8ff9385854a5a60738dacb7b7227c7b14bc
Instruction Fuzzy Hash: FF31D671528341AAD722EB20DC85FEBB7ECAF40714F004B5EF59993191DB709A68CBC2

Function 002C2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00302C8C

Part of subcall function 002C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002C3A97,?,?,002C2E7F,?,?,?,00000000), ref: 002C3AC2

Part of subcall function 002C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002C2DC4

Strings

`e8, xrefs: 00302C85
X, xrefs: 00302C5A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e8
API String ID: 779396738-2572068642
Opcode ID: 4c9114cbd6b57b3fa0fb987683d18e984b0d27e8959a968c35647d937ddf48f9
Instruction ID: 809361d266e968eeda017ec045f83e891c5bf8298c5d997ca35f1dced9f40ff0
Opcode Fuzzy Hash: 4c9114cbd6b57b3fa0fb987683d18e984b0d27e8959a968c35647d937ddf48f9
Instruction Fuzzy Hash: 9A219671A202589FDB02EF94C849BDE7BFC9F49314F00805DE405BB281DBB4595D8F61

Function 002DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002E0668

Part of subcall function 002E32A4: RaiseException.KERNEL32(?,?,?,002E068A,?,00391444,?,?,?,?,?,?,002E068A,002C1129,00388738,002C1129), ref: 002E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 002E0685

Strings

Unknown exception, xrefs: 002E0692

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: dfee53e512a49704d122cea1d43dccc09f12a97c1399fd89d94632da8037dbf6
Instruction ID: 4df5d510d7ee1d558e795069ecc23b1e6c30b217a5f88e1cc479daeb76d0c85e
Opcode Fuzzy Hash: dfee53e512a49704d122cea1d43dccc09f12a97c1399fd89d94632da8037dbf6
Instruction Fuzzy Hash: C4F0A4249A028967CF00BA66D886D9E776D5E40310BE04571F91496591EFB1DA768A80

Function 00333017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0033302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00333044

Strings

aut, xrefs: 00333038

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 927f56367379d4e28ddc7af9eff47b491d4c1ae44ebe87d8148164512e4af9d2
Instruction ID: b770832f51ac77b6ab33667afe314b8fb0c828b1ea8147519eef1ed8c9b979c7
Opcode Fuzzy Hash: 927f56367379d4e28ddc7af9eff47b491d4c1ae44ebe87d8148164512e4af9d2
Instruction Fuzzy Hash: 02D05EB25003286BDE20A7A4AC4EFCB3A6CDB04755F0006A1B655E20A1EBB49984CBD0

Function 00347F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003482F5
TerminateProcess.KERNEL32(00000000), ref: 003482FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 003484DD

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 34b901c445f1ab7a08e416daec6305755e211d38fced0f1ad040e1ae0b135bd2
Instruction ID: 0a54e488a4d6bf237c7bedf2d607727c2808543b6c1b8288d2dfcc07f24c326e
Opcode Fuzzy Hash: 34b901c445f1ab7a08e416daec6305755e211d38fced0f1ad040e1ae0b135bd2
Instruction Fuzzy Hash: 47125971A083419FC725DF28C484B2ABBE5BF89318F15895DE8898B352DB31ED45CF92

Function 002C54C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 002C556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 002C557D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a2ddfe465ceac1e632ce5bc83d929e9cf28d8717e664c870c25cda7ce197564f
Instruction ID: 2cd09e486132b96b478fdc7f57a217159611b831e6175daca884c5cce02149ee
Opcode Fuzzy Hash: a2ddfe465ceac1e632ce5bc83d929e9cf28d8717e664c870c25cda7ce197564f
Instruction Fuzzy Hash: 92315071A10A1AFFDB14CF28C880F99B7B6FB44354F148629E91997240D7B1FEA4CB90

Function 002F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,002F85CC,?,00388CC8,0000000C), ref: 002F8704
GetLastError.KERNEL32(?,002F85CC,?,00388CC8,0000000C), ref: 002F870E
__dosmaperr.LIBCMT ref: 002F8739

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: ce9b5d8831a9a0193c15307b43c6b300e80974e6947dfeb1215837076eb4453b
Instruction ID: 434d82547bd7aadef7b4773a22b3be70928f135c468727cebab2492ec4883b26
Opcode Fuzzy Hash: ce9b5d8831a9a0193c15307b43c6b300e80974e6947dfeb1215837076eb4453b
Instruction Fuzzy Hash: EE016B33A34A381AD6656638684977EE78D4B827FDF390179FB04CB0D2DEA1CCD18690

Function 00332FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00332CD4,?,?,?,00000004,00000001), ref: 00332FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00332CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00333006
CloseHandle.KERNEL32(00000000,?,00332CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0033300D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 4b5e369da9644b8d831bc7c378fb05e25f5420b42e3f5aa08a6593df755dbe0d
Instruction ID: cf93bba33d35153a1b7b9d07f9849fe53947b76ad8645a0ac012a681ab458fbd
Opcode Fuzzy Hash: 4b5e369da9644b8d831bc7c378fb05e25f5420b42e3f5aa08a6593df755dbe0d
Instruction Fuzzy Hash: DAE0CD366907147BD2321765BC0DFCB3E1CD7C6F76F114210F719790E146A0160143E8

Function 002D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002D17F6

Strings

CALL, xrefs: 002D17C6

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 8d46fa21f469694dad57a3c2d1e1f5eb260e28d82a593a55a9c96d2e722be348
Instruction ID: 87ae32a055d2204a5ba6bc930cdcc44ad45607670e53d4ac558371afc3997fa7
Opcode Fuzzy Hash: 8d46fa21f469694dad57a3c2d1e1f5eb260e28d82a593a55a9c96d2e722be348
Instruction Fuzzy Hash: F122AA70618201AFC714DF14C481A6ABBF6BF89314F24891EF4968B7A1D771ECA5CF82

Function 00336EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00336F6B

Part of subcall function 002C4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00336F5A, 00336F63

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: adc68fc33c61191c52269ff038bbd36a7a346c42027b624072d04ae22dc41c59
Instruction ID: 618c951b6e063db6082c18ae49d9fad56fb5f2614e6a576febee0359783762dc
Opcode Fuzzy Hash: adc68fc33c61191c52269ff038bbd36a7a346c42027b624072d04ae22dc41c59
Instruction Fuzzy Hash: 64B1A1711182019FCB15EF24C892E6FB7E5AF94304F048A5DF48697262DB30ED59CF92

Function 00332557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00332587

Strings

EA06, xrefs: 003325B9

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 15645e2c58142834c19b75de81b500b4828730710b359947a0f2765673ffd40b
Instruction ID: b958403fb80197296bb2f7a85d7e5f9f0f8b3b3e8b523be55cce23b8fce837e7
Opcode Fuzzy Hash: 15645e2c58142834c19b75de81b500b4828730710b359947a0f2765673ffd40b
Instruction Fuzzy Hash: 8701B5729442587EEF19C7A9C856EEEBBF89B05301F00459AF552D2181E5B4E7188B60

Function 002C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 002C3908

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 21c9c0540859444f6a80327350c93f7344c61ba7386fa067a28c4b6a98e388a0
Instruction ID: 403a6b35a61fdf866f5d2ff79ab9beef85340c6639692a9941c2fb263c76177a
Opcode Fuzzy Hash: 21c9c0540859444f6a80327350c93f7344c61ba7386fa067a28c4b6a98e388a0
Instruction Fuzzy Hash: 2131D574514302CFD322DF24D895B97BBF8FB49308F000A2EF59993250E7B1AA54CB52

Function 002C5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,002C949C,?,00008000), ref: 002C5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,002C949C,?,00008000), ref: 00304052

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 78d51d333414a21b475253891a4649aca285795b59957586db5a97b3d95c934c
Instruction ID: 37cd7c45cc4a475f362ae1272c807352086cdcbd2622cc43a5f69d16de2f702b
Opcode Fuzzy Hash: 78d51d333414a21b475253891a4649aca285795b59957586db5a97b3d95c934c
Instruction Fuzzy Hash: 8D019630145725B6E3310A25CC0EF97BF98EF027B4F118304BA5C6E1E0C7B45594CB90

Function 0321129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03211ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03211AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03211B13

Memory Dump Source

Source File: 00000000.00000002.1457724343.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: ee99c690e23ec64530f0e171c4b4a2806e63b47c4d132df7fc33af82143b8eab
Instruction ID: 8e8586308e0045652d72fcae2c9204659353065297920d0ba7c73733b72b8f5b
Opcode Fuzzy Hash: ee99c690e23ec64530f0e171c4b4a2806e63b47c4d132df7fc33af82143b8eab
Instruction Fuzzy Hash: C012DE24E24658C6EB24DF60D8507DEB272EF68300F1090E9910DEB7A4E77A5F91CF5A

Function 002C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002C4EDD,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E9C
Part of subcall function 002C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002C4EAE
Part of subcall function 002C4E90: FreeLibrary.KERNEL32(00000000,?,?,002C4EDD,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4EFD

Part of subcall function 002C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00303CDE,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E62
Part of subcall function 002C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002C4E74
Part of subcall function 002C4E59: FreeLibrary.KERNEL32(00000000,?,?,00303CDE,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E87

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 4c0b74c379f8bb98061c7e9743d5c078696633a66ddad37fe6af6739ae0166a3
Instruction ID: 6da248065b77076ccd475ddcab08136e4b7aefb84258bba5c80111b87a95d9c2
Opcode Fuzzy Hash: 4c0b74c379f8bb98061c7e9743d5c078696633a66ddad37fe6af6739ae0166a3
Instruction Fuzzy Hash: 94113A31630305AADF11FF60DC22FAE77A59F40714F10452DF446AA1D1EEB4EA649F50

Function 002F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 002F8440

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f082c080cb1bbe487089c0a4ad5cf30cd61171060d229898e84337d040e9a8f3
Instruction ID: f638ebc71d98940e32d59648946fa308c4d6b7bfab34ae664157036b43b8d004
Opcode Fuzzy Hash: f082c080cb1bbe487089c0a4ad5cf30cd61171060d229898e84337d040e9a8f3
Instruction Fuzzy Hash: 1E11187590410AAFCB05DF58E9419AFBBF9EF48314F144069F908AB312DB31DA21CBA5

Function 002C9A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,002C543F,?,00010000,00000000,00000000,00000000,00000000), ref: 002C9A9C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 31244b2a33b7ff106637bd1c0482c1171b50eab68006e425983838bb837061b3
Instruction ID: 550963c2c2745677e2d8bea963fa1b04f072cbc3fd8b6c086e17180cfb4d7233
Opcode Fuzzy Hash: 31244b2a33b7ff106637bd1c0482c1171b50eab68006e425983838bb837061b3
Instruction Fuzzy Hash: B4118C31210701AFD720CF05C884F62B7F8EF44354F10C52EE89B8A650C771E995CB60

Function 002F5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002F4C7D: RtlAllocateHeap.NTDLL(00000008,002C1129,00000000,?,002F2E29,00000001,00000364,?,?,?,002EF2DE,002F3863,00391444,?,002DFDF5,?), ref: 002F4CBE

_free.LIBCMT ref: 002F506C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: a7c36d68e24d032ab166161b1afe9e8ea520f9c74f9ab23fbb47a0274a963ad2
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: E4012B722147095BE3218E55984196AFBE8FB893B0F25052DE39483280EA706805CA74

Function 002EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 65a9ce652eade034a797eef1781c7218c134d972ec3c0c2a59ed0d003824143f
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 4CF04432570A58D6CE313E2B8C05B6AB38C8F523B0F510725FA20931C2DBB0D8258EA5

Function 002F4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,002C1129,00000000,?,002F2E29,00000001,00000364,?,?,?,002EF2DE,002F3863,00391444,?,002DFDF5,?), ref: 002F4CBE

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f72212dd07991e07d496cf4c6f5c64eee6b83545d11d1ee9ab29ba826973bd1f
Instruction ID: 5107bcc464b342d9772433569664e3768e21519ba9c7a333105749a9fd6ba269
Opcode Fuzzy Hash: f72212dd07991e07d496cf4c6f5c64eee6b83545d11d1ee9ab29ba826973bd1f
Instruction Fuzzy Hash: A2F0243123226966DB213F22AC04B7BB788AF417E0B045133BB15A72A1CAF0D82086A0

Function 002F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6,?,002C1129), ref: 002F3852

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 866b695e0f0f6424382ad3c43197387bbbbb8c47cf83f14967ea3ed841f529ec
Instruction ID: b5f486830ce439d34f78021c79d9c83e4c9c0df15126319f452f17714b1a89a7
Opcode Fuzzy Hash: 866b695e0f0f6424382ad3c43197387bbbbb8c47cf83f14967ea3ed841f529ec
Instruction Fuzzy Hash: 52E0E53217026EA6DA216E779E00BBAB649AB427F0F050032BE0492690DB59DE2185E0

Function 002C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4F6D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 09a80ca129539f38faac7be06e2e241a7b015de92e7fc4e315b878679afaf89c
Instruction ID: 252d6685f9f8523c6ead8a7a09869a57e056cd34217e2d50ce7eb6ce507a3a33
Opcode Fuzzy Hash: 09a80ca129539f38faac7be06e2e241a7b015de92e7fc4e315b878679afaf89c
Instruction Fuzzy Hash: 2AF03071125752CFDB34AF64D4A0E13B7F4BF143193108A7EE1DA82921C7719854DF10

Function 002C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002C2DC4

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: cff95fe5db1e81197aa364a87b1e304bd7419230db0522740cedec4236225cb2
Instruction ID: 36123501bc392d9359dc6f6ffec8eefe2fb293e0b96a0ab805556e11f7fde294
Opcode Fuzzy Hash: cff95fe5db1e81197aa364a87b1e304bd7419230db0522740cedec4236225cb2
Instruction Fuzzy Hash: 95E0C272A002245BCB21E2989C0AFEA77EDDFC8794F0401B5FD09E7258DA60AD808A90

Function 00332693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 003326B5

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: bf6cdcec670c4528ef0bcc79bc5fbbadb3cc6e2d4b4a223a2e848d7ff4a4b05a
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: A0E048B06097005FDF395A28A8517F777D49F49300F01045EF59B82252E57268458A4D

Function 002C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002C3908

Part of subcall function 002CD730: GetInputState.USER32 ref: 002CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 002C2B6B

Part of subcall function 002C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 002C314E

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 9aafe9ee0ab59e17d391434885fad51a07284adbd1c10cd77cdf77247f0d2281
Instruction ID: b1dc8b3f1f275aaa4307fc2dc1f489a1eaf6d5663a0cd3a7d1ba82e373a680a4
Opcode Fuzzy Hash: 9aafe9ee0ab59e17d391434885fad51a07284adbd1c10cd77cdf77247f0d2281
Instruction Fuzzy Hash: 39E0262232030506CA05FB319816F7DB35D8BD9315F405B3EF04283162CE2549AA4A51

Function 0030039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00300704,?,?,00000000,?,00300704,00000000,0000000C), ref: 003003B7

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac0bc3caf695acd84d340b61cd625c181cad9a17740bacb05e0662e42b74666c
Instruction ID: 48db9d00d0f713c80bd73be9d6ad03a09d62f909bfe036e907cd44ed49e94035
Opcode Fuzzy Hash: ac0bc3caf695acd84d340b61cd625c181cad9a17740bacb05e0662e42b74666c
Instruction Fuzzy Hash: 6ED06C3205020DBFDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E921AB90

Function 002C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 002C1CBC

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 6f3b50870d27be29778142de2bce1188ba0d4bf0644e7164f3451e0ed2d457a0
Instruction ID: 8e06a4e0c7f23f562ae3b1a3073b74eed86399177028ac68bdeb0c81301ad824
Opcode Fuzzy Hash: 6f3b50870d27be29778142de2bce1188ba0d4bf0644e7164f3451e0ed2d457a0
Instruction Fuzzy Hash: EFC0923A280305AFF2178BD1BC8AF11B76CA349B05F448402F60DA95F3D3B32C20EA50

Function 0033744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 002C5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,002C949C,?,00008000), ref: 002C5773

GetLastError.KERNEL32(00000002,00000000), ref: 003376DE

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: f4862b0fd62384ffac2d1804019d82b05ed9b8c9d2cfc5527bca927382645000
Instruction ID: b515d54f63dfab2b33603cfd08affa6fa1c0eee698702dbc64682e5dcbb0ef93
Opcode Fuzzy Hash: f4862b0fd62384ffac2d1804019d82b05ed9b8c9d2cfc5527bca927382645000
Instruction Fuzzy Hash: 43819D702187019FC726EF28C4E2B69B7E1AF89314F05465DF8865B2A2DB30ED55CF92

Function 002DFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 002DFD1F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 64d77c87fd8d67ce32cfed09b289b2c6328ff830b9004f7a51b2d966c70c7282
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B8311674A2010ADBC758CF59D680969F7A2FF49304B2482A6E80ACF751D731EDE1CBC4

Function 032122A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 032122B1

Memory Dump Source

Source File: 00000000.00000002.1457724343.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 855054061b31457e3456cb424029be8ec202077f269b052f981f96b14a5fb16f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 9EE0E67594020EDFDB00EFB8DA4969E7FF4EF04301F1005A1FD01D2280D6309D608A72

Non-executed Functions

Function 00359576 Relevance: 75.9, APIs: 39, Strings: 4, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0035961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0035965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0035969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003596C9
SendMessageW.USER32 ref: 003596F2
GetKeyState.USER32(00000011), ref: 0035978B
GetKeyState.USER32(00000009), ref: 00359798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003597AE
GetKeyState.USER32(00000010), ref: 003597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003597E9
SendMessageW.USER32 ref: 00359810
SendMessageW.USER32(?,00001030,?,00357E95), ref: 00359918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0035992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00359941
SetCapture.USER32(?), ref: 0035994A
ClientToScreen.USER32(?,?), ref: 003599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003599D6
ReleaseCapture.USER32 ref: 003599E1
GetCursorPos.USER32(?), ref: 00359A19
ScreenToClient.USER32(?,?), ref: 00359A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00359A80
SendMessageW.USER32 ref: 00359AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00359AEB
SendMessageW.USER32 ref: 00359B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00359B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00359B4A
GetCursorPos.USER32(?), ref: 00359B68
ScreenToClient.USER32(?,?), ref: 00359B75
GetParent.USER32(?), ref: 00359B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00359BFA
SendMessageW.USER32 ref: 00359C2B
ClientToScreen.USER32(?,?), ref: 00359C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00359CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00359CDE
SendMessageW.USER32 ref: 00359D01
ClientToScreen.USER32(?,?), ref: 00359D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00359D82

Part of subcall function 002D9944: GetWindowLongW.USER32(?,000000EB), ref: 002D9952

GetWindowLongW.USER32(?,000000F0), ref: 00359E05

Strings

F, xrefs: 00359D07
@GUI_DRAGID, xrefs: 0035997D
p#9, xrefs: 00359990
Ph, xrefs: 00359728, 00359894, 003598B7, 003598EF, 00359A3C, 00359BB7, 00359C5E, 00359C8E, 00359D2C, 00359D58, 00359DA1, 00359DF2, 00359E16, 00359E40

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$Ph$p#9
API String ID: 3429851547-679321919
Opcode ID: 62ce349687da62c5c0756f4d5eea96435b62a98639bbf8baddb2cb7fa3d156c3
Instruction ID: 989ee1cedd57ea921ce784fffcb1cd58d359dafbc73387d0b8e3705ee3cd8ed3
Opcode Fuzzy Hash: 62ce349687da62c5c0756f4d5eea96435b62a98639bbf8baddb2cb7fa3d156c3
Instruction Fuzzy Hash: 67429C30204341EFDB22CF24CD44FAABBE9EF49325F150A1AF999972B1D7319858DB81

Function 00354873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00354908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00354927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0035494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0035495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0035497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00354A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00354A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00354A7E
IsMenu.USER32(?), ref: 00354A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00354AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00354B20
GetWindowLongW.USER32(?,000000F0), ref: 00354B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00354BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00354C82
wsprintfW.USER32 ref: 00354CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00354CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00354CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00354D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00354D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00354D5A

Strings

%d/%02d/%02d, xrefs: 00354CA8
Ph, xrefs: 0035489F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$Ph
API String ID: 4054740463-533021651
Opcode ID: 737305f5e880d428a5b1575bf8dc6f881632985204edda81698aa678b496ebf7
Instruction ID: a86c386ae28b6f03d85bd23514a87534533c6acf3edacf3ac86fe17d8fd6b31a
Opcode Fuzzy Hash: 737305f5e880d428a5b1575bf8dc6f881632985204edda81698aa678b496ebf7
Instruction Fuzzy Hash: D612E031500354AFEB2A8F28CD49FAEBBF8EF45319F144119F916EA2B1D7749A84CB50

Function 002DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 002DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0031F474
IsIconic.USER32(00000000), ref: 0031F47D
ShowWindow.USER32(00000000,00000009), ref: 0031F48A
SetForegroundWindow.USER32(00000000), ref: 0031F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0031F4AA
GetCurrentThreadId.KERNEL32 ref: 0031F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0031F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0031F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0031F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0031F4DE
SetForegroundWindow.USER32(00000000), ref: 0031F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0031F4F6
keybd_event.USER32(00000012,00000000), ref: 0031F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0031F50B
keybd_event.USER32(00000012,00000000), ref: 0031F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0031F519
keybd_event.USER32(00000012,00000000), ref: 0031F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0031F528
keybd_event.USER32(00000012,00000000), ref: 0031F52D
SetForegroundWindow.USER32(00000000), ref: 0031F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0031F557

Strings

Shell_TrayWnd, xrefs: 0031F46F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7865470cd7bbe855d0187508060a051c04a10ef4479eefbd1fd79c68dd78040e
Instruction ID: 917601138f125df36f556679308cf0f5b98103a4d181704c259bc4865adb8f0c
Opcode Fuzzy Hash: 7865470cd7bbe855d0187508060a051c04a10ef4479eefbd1fd79c68dd78040e
Instruction Fuzzy Hash: EB31E671A50318BFEB226BB24C4AFBF7E6CEB48B15F100065F600E61E1D7B05D40EAA0

Function 00321201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032170D
Part of subcall function 003216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0032173A
Part of subcall function 003216C3: GetLastError.KERNEL32 ref: 0032174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00321286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003212A8
CloseHandle.KERNEL32(?), ref: 003212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003212D1
GetProcessWindowStation.USER32 ref: 003212EA
SetProcessWindowStation.USER32(00000000), ref: 003212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00321310

Part of subcall function 003210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003211FC), ref: 003210D4
Part of subcall function 003210BF: CloseHandle.KERNEL32(?,?,003211FC), ref: 003210E9

Strings

default, xrefs: 0032130B
winsta0, xrefs: 003212CC
Z8, xrefs: 00321392
, xrefs: 0032125A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z8
API String ID: 22674027-3687362306
Opcode ID: 3ef45c455c129b9da00c6b5860c26f7bad3a3976d7496ab2457772dca6279bc3
Instruction ID: 858956dad6881fbd20ba286a9c0ec3da6b911249b9d98f330a2a085c4fed3d24
Opcode Fuzzy Hash: 3ef45c455c129b9da00c6b5860c26f7bad3a3976d7496ab2457772dca6279bc3
Instruction Fuzzy Hash: 2C81BF71910318AFDF22AFA5ED49FEE7BBDEF04704F184129F915A61A0C7758A44CB60

Function 00320B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00321114
Part of subcall function 003210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321120
Part of subcall function 003210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 0032112F
Part of subcall function 003210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321136
Part of subcall function 003210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0032114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00320BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00320C00
GetLengthSid.ADVAPI32(?), ref: 00320C17
GetAce.ADVAPI32(?,00000000,?), ref: 00320C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00320C6D
GetLengthSid.ADVAPI32(?), ref: 00320C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00320C8C
HeapAlloc.KERNEL32(00000000), ref: 00320C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00320CB4
CopySid.ADVAPI32(00000000), ref: 00320CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00320CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00320D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00320D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320D45
HeapFree.KERNEL32(00000000), ref: 00320D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320D55
HeapFree.KERNEL32(00000000), ref: 00320D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320D65
HeapFree.KERNEL32(00000000), ref: 00320D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00320D78
HeapFree.KERNEL32(00000000), ref: 00320D7F

Part of subcall function 00321193: GetProcessHeap.KERNEL32(00000008,00320BB1,?,00000000,?,00320BB1,?), ref: 003211A1
Part of subcall function 00321193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00320BB1,?), ref: 003211A8
Part of subcall function 00321193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00320BB1,?), ref: 003211B7

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ff9da98913915d7ff79441097632750276d7704d3d3b36cb770221eb67b67391
Instruction ID: fce9cc895154bcb460c47414db0b7ca0c109c16186332f8a59064f73b066c021
Opcode Fuzzy Hash: ff9da98913915d7ff79441097632750276d7704d3d3b36cb770221eb67b67391
Instruction Fuzzy Hash: BD718C7190132AAFDF169FA4EC44BAEBBBCFF04315F054115E914A72A2D771AA09CF60

Function 0033EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0035CC08), ref: 0033EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0033EB37
GetClipboardData.USER32(0000000D), ref: 0033EB43
CloseClipboard.USER32 ref: 0033EB4F
GlobalLock.KERNEL32(00000000), ref: 0033EB87
CloseClipboard.USER32 ref: 0033EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0033EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0033EBC9
GetClipboardData.USER32(00000001), ref: 0033EBD1
GlobalLock.KERNEL32(00000000), ref: 0033EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0033EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0033EC38
GetClipboardData.USER32(0000000F), ref: 0033EC44
GlobalLock.KERNEL32(00000000), ref: 0033EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0033EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0033EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0033ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0033ECF3
CountClipboardFormats.USER32 ref: 0033ED14
CloseClipboard.USER32 ref: 0033ED59

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 5c81fa51540d283dab2b40678c771c6c3ac0c478a076094e9c07f0e383ebfe8f
Instruction ID: f2d98583458f7a2a347fe5d9f6da7290812777f395606949d87cf5c54ef438a9
Opcode Fuzzy Hash: 5c81fa51540d283dab2b40678c771c6c3ac0c478a076094e9c07f0e383ebfe8f
Instruction Fuzzy Hash: 3861C0352043019FD302EF24D899F7AB7A8AF84708F19555DF4569B2E1CB31D945CBA2

Function 0033698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003369BE
FindClose.KERNEL32(00000000), ref: 00336A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00336A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00336A75

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00336AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00336ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00336B6A
%02d, xrefs: 00336C00, 00336C0A, 00336C5A, 00336CAA, 00336CFA, 00336D4A
%03d, xrefs: 00336DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00336B32
%4d, xrefs: 00336BB1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 105ba58e84d405c03430944f0e8b228fde7330bdf6e491d9311d1b3562edb9e0
Instruction ID: 84b08eb14a32b19b1d410ab5d9091b0d5c99af33c72be0226a964adf3b670c4a
Opcode Fuzzy Hash: 105ba58e84d405c03430944f0e8b228fde7330bdf6e491d9311d1b3562edb9e0
Instruction Fuzzy Hash: 6FD17272518300AFC711EBA4C986EAFB7ECAF88704F044A1EF585D7191EB74DA54CB62

Function 00339642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00339663
GetFileAttributesW.KERNEL32(?), ref: 003396A1
SetFileAttributesW.KERNEL32(?,?), ref: 003396BB
FindNextFileW.KERNEL32(00000000,?), ref: 003396D3
FindClose.KERNEL32(00000000), ref: 003396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0033974A
SetCurrentDirectoryW.KERNEL32(00386B7C), ref: 00339768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00339772
FindClose.KERNEL32(00000000), ref: 0033977F
FindClose.KERNEL32(00000000), ref: 0033978F

Strings

*.*, xrefs: 003396F5

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 3a55356eb206d2644ccba572318cb28858358cd9ea4e5316bc2c4ad1c1557f50
Instruction ID: 2edd1caadb54d32e26d83db0029462e3dfc4d62a8aa99205981c3a20dda82e42
Opcode Fuzzy Hash: 3a55356eb206d2644ccba572318cb28858358cd9ea4e5316bc2c4ad1c1557f50
Instruction Fuzzy Hash: 1031B03255131AAEDF12AFB5DC89BDE77AC9F09326F104196F905E21A0DB74DD448E10

Function 0033979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 003397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00339819
FindClose.KERNEL32(00000000), ref: 00339824
FindFirstFileW.KERNEL32(*.*,?), ref: 00339840
SetCurrentDirectoryW.KERNEL32(?), ref: 00339890
SetCurrentDirectoryW.KERNEL32(00386B7C), ref: 003398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003398B8
FindClose.KERNEL32(00000000), ref: 003398C5
FindClose.KERNEL32(00000000), ref: 003398D5

Part of subcall function 0032DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0032DB00

Strings

*.*, xrefs: 0033983B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b1c997e5d6744edfb98e0e261d3065a48453646beac58d65cff262e3a07a96c9
Instruction ID: 5af0887f5d4b5b9f093dfbd8afdb85c0f23afcbc92db2505d9b7df47ae5b35ce
Opcode Fuzzy Hash: b1c997e5d6744edfb98e0e261d3065a48453646beac58d65cff262e3a07a96c9
Instruction Fuzzy Hash: 3231F43255031AAEDF12EFB5EC89BDE77AC9F46329F104156E810A61A0DBB0DD44CF20

Function 00338195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00338257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00338267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00338273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00338310
SetCurrentDirectoryW.KERNEL32(?), ref: 00338324
SetCurrentDirectoryW.KERNEL32(?), ref: 00338356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0033838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00338395

Strings

*.*, xrefs: 0033839B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 98da9f740e1499cbdaa30f6738f2de97aa086f342ec5c0ff33ed9653920b37c1
Instruction ID: 30421df39bbac56066e468fcc2a7142a2d5feb579569e153346d332cba9b777c
Opcode Fuzzy Hash: 98da9f740e1499cbdaa30f6738f2de97aa086f342ec5c0ff33ed9653920b37c1
Instruction Fuzzy Hash: 826168765143059FCB11EF60C881AAEB3E8FF89324F04892EF98987251DB31E955CF92

Function 0032D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002C3A97,?,?,002C2E7F,?,?,?,00000000), ref: 002C3AC2

Part of subcall function 0032E199: GetFileAttributesW.KERNEL32(?,0032CF95), ref: 0032E19A

FindFirstFileW.KERNEL32(?,?), ref: 0032D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0032D1DD
MoveFileW.KERNEL32(?,?), ref: 0032D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0032D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0032D237

Part of subcall function 0032D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0032D21C,?,?), ref: 0032D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0032D253
FindClose.KERNEL32(00000000), ref: 0032D264

Strings

\*.*, xrefs: 0032D0CD, 0032D0D6, 0032D0EB

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 82463fa5a1ce576a36ca06037edd0d5912f3a1241e9e3bb98f45e064e732c942
Instruction ID: f6a40def14a121b05db6b1ffdb45547233c63fb80e0430cb7bacf09116b1b90c
Opcode Fuzzy Hash: 82463fa5a1ce576a36ca06037edd0d5912f3a1241e9e3bb98f45e064e732c942
Instruction Fuzzy Hash: 8261403180125D9ECF06EBE0D952EEDB779AF15304F244669E40277191EB30AF59CF61

Function 0033ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0033ED91
EmptyClipboard.USER32 ref: 0033ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0033EDAC
CloseClipboard.USER32 ref: 0033EEA3

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0d5545b5fd7bba5ebfe1859b3193a4fb8f66f18a43b5a2ef4a048b5e49f6d3e3
Instruction ID: a053e6e9a4f699dd9a88f8c91875337f45dff69137280096ac2d4873dc6a6044
Opcode Fuzzy Hash: 0d5545b5fd7bba5ebfe1859b3193a4fb8f66f18a43b5a2ef4a048b5e49f6d3e3
Instruction Fuzzy Hash: B741CE35214211AFE722DF15D888F2ABBE9EF44319F15C09DE4199BAB2C735ED42CB90

Function 0032E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032170D
Part of subcall function 003216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0032173A
Part of subcall function 003216C3: GetLastError.KERNEL32 ref: 0032174A

ExitWindowsEx.USER32(?,00000000), ref: 0032E932

Strings

SeShutdownPrivilege, xrefs: 0032E902
, xrefs: 0032E95C
, xrefs: 0032E920
@, xrefs: 0032E925

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a07987a6ae6effa4610f66347c41def9947590d9b82ebd0ac5bc4f36e5d2c432
Instruction ID: 53abe0d3b2196fe61ef63d09699358fabce928d06f292be656521fd76f8e0e4e
Opcode Fuzzy Hash: a07987a6ae6effa4610f66347c41def9947590d9b82ebd0ac5bc4f36e5d2c432
Instruction Fuzzy Hash: 97012632620330AFEB5622B4BC8BBBF725CA714745F160823FC12E20E1D7A85C808290

Function 00341204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00341276
WSAGetLastError.WSOCK32 ref: 00341283
bind.WSOCK32(00000000,?,00000010), ref: 003412BA
WSAGetLastError.WSOCK32 ref: 003412C5
closesocket.WSOCK32(00000000), ref: 003412F4
listen.WSOCK32(00000000,00000005), ref: 00341303
WSAGetLastError.WSOCK32 ref: 0034130D
closesocket.WSOCK32(00000000), ref: 0034133C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 2d0c6527586d28bba937205519a09fad4e63697dc2dcebaee50ac11b32fb7905
Instruction ID: 085ed6f2446112f215b421e7317b6560669745821d0b0de3baf7e6826be3b32a
Opcode Fuzzy Hash: 2d0c6527586d28bba937205519a09fad4e63697dc2dcebaee50ac11b32fb7905
Instruction Fuzzy Hash: FB418E35A006009FD711DF64C488B2ABBE5AF46318F198588E8568F3A6C771FC81CBA1

Function 002FB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002FB9D4
_free.LIBCMT ref: 002FB9F8
_free.LIBCMT ref: 002FBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00363700), ref: 002FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0039121C,000000FF,00000000,0000003F,00000000,?,?), ref: 002FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00391270,000000FF,?,0000003F,00000000,?), ref: 002FBC36
_free.LIBCMT ref: 002FBD4B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 21c14a916252e42c3e65dc50e3787d7af2de62d2295168f4fd56ff0e26d9666e
Instruction ID: 67fd35bdd01b5a347e76d5424761e6e7688f80f29a841ad1df9a519f51387452
Opcode Fuzzy Hash: 21c14a916252e42c3e65dc50e3787d7af2de62d2295168f4fd56ff0e26d9666e
Instruction Fuzzy Hash: 40C1397192420E9FDB12AF78DC41ABAFBB8EF41390F1441BAEA94D7251E7708E11CB50

Function 0032D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002C3A97,?,?,002C2E7F,?,?,?,00000000), ref: 002C3AC2

Part of subcall function 0032E199: GetFileAttributesW.KERNEL32(?,0032CF95), ref: 0032E19A

FindFirstFileW.KERNEL32(?,?), ref: 0032D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0032D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0032D481
FindClose.KERNEL32(00000000), ref: 0032D498
FindClose.KERNEL32(00000000), ref: 0032D4A1

Strings

\*.*, xrefs: 0032D3F2

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 11660a0ef77e7ac2b29fa8ec4ed195270967ca77afd030adb0c1ce62cd5142a9
Instruction ID: a535beccfa8fb0cdc79abfb0d6b4f6d0f43611bd108c75c206965d6ec794ab93
Opcode Fuzzy Hash: 11660a0ef77e7ac2b29fa8ec4ed195270967ca77afd030adb0c1ce62cd5142a9
Instruction Fuzzy Hash: 79316D310283959FC606EF64D896DAFB7A8AE95304F444E1DF4D1931A1EB30AA198B63

Function 002FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002FE645

Strings

1#IND, xrefs: 002FF83D
1#QNAN, xrefs: 002FF84B
1#SNAN, xrefs: 002FF844
1#INF, xrefs: 002FF852

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f25efa86450dd7a69f9d76e3be97caa3a16ead199388ae7814c6080e84663b48
Instruction ID: f755368e42c69d6b5cb431937acec246cd2f1902752552343c2dbfc63faef54d
Opcode Fuzzy Hash: f25efa86450dd7a69f9d76e3be97caa3a16ead199388ae7814c6080e84663b48
Instruction Fuzzy Hash: B5C25871E242298BDF65CE289D407EAF3B9EB44384F1541FADA0DE7250E774AE918F40

Function 0033648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003364DC
CoInitialize.OLE32(00000000), ref: 00336639
CoCreateInstance.OLE32(0035FCF8,00000000,00000001,0035FB68,?), ref: 00336650
CoUninitialize.OLE32 ref: 003368D4

Strings

.lnk, xrefs: 003364BA, 00336524, 003365E0

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 3193aca999ac0a4a60c64c455440d2a13a0619d0eeabb5bd9f6be6892221b38e
Instruction ID: 9a53ec947fa9bb6968157a1ab7d87ac9dc90683377d8154413ed1aaafdfc78e1
Opcode Fuzzy Hash: 3193aca999ac0a4a60c64c455440d2a13a0619d0eeabb5bd9f6be6892221b38e
Instruction Fuzzy Hash: 2AD13971518301AFD305EF24C881E6BB7E8FF99704F108A6DF5958B2A1EB70E945CB92

Function 003422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003422E8

Part of subcall function 0033E4EC: GetWindowRect.USER32(?,?), ref: 0033E504

GetDesktopWindow.USER32 ref: 00342312
GetWindowRect.USER32(00000000), ref: 00342319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00342355
GetCursorPos.USER32(?), ref: 00342381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003423DF

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 15e5080d7ff39407a192a5a27ce842ef5a45934f9e9fb35154fb6e0129dd06c6
Instruction ID: 814eb31fc6a94ae7be49b3f0266affc9a64b1d95fcf2b2408fcbfc8c225a2eae
Opcode Fuzzy Hash: 15e5080d7ff39407a192a5a27ce842ef5a45934f9e9fb35154fb6e0129dd06c6
Instruction Fuzzy Hash: 6E31DE72504315AFC722DF55D849B9BBBEDFF88318F400919F985AB191DB34EA08CB92

Function 00339B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00339B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00339C8B

Part of subcall function 00333874: GetInputState.USER32 ref: 003338CB
Part of subcall function 00333874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00333966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00339BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00339C75

Strings

*.*, xrefs: 00339B5D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: d718e6920b0bf0b472b6fb99a735629e62b3b7f395bd0b3a81a1489e2e578411
Instruction ID: a650d10e0d1ecda09718c06967418924cf2985f85e6e0a460d790b12ba75fb91
Opcode Fuzzy Hash: d718e6920b0bf0b472b6fb99a735629e62b3b7f395bd0b3a81a1489e2e578411
Instruction Fuzzy Hash: 9641827191420ADFCF16DF64C889BEEBBB8EF05315F14419AE805A31A1EB709E94CF60

Function 002D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 002D9A4E
GetSysColor.USER32(0000000F), ref: 002D9B23
SetBkColor.GDI32(?,00000000), ref: 002D9B36

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9971e1ecca850fc16aa8c021055291903144001a6700fcf188099999ffe08808
Instruction ID: e272d69393a4e633165551e27d5ce651643285f9c49617a3a06ffd485d94f58f
Opcode Fuzzy Hash: 9971e1ecca850fc16aa8c021055291903144001a6700fcf188099999ffe08808
Instruction Fuzzy Hash: 86A13C71238501AEE72BAE3C8C58EFB26ADDB46344F19020BF402DA7D1DA659DE1D271

Function 00341806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0034304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0034307A
Part of subcall function 0034304E: _wcslen.LIBCMT ref: 0034309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0034185D
WSAGetLastError.WSOCK32 ref: 00341884
bind.WSOCK32(00000000,?,00000010), ref: 003418DB
WSAGetLastError.WSOCK32 ref: 003418E6
closesocket.WSOCK32(00000000), ref: 00341915

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: e33724347de8351f3873eedce049964407b2ab5fed56b513237bba5220bccd7b
Instruction ID: e2abd6a7c01dec8cbfd7c3748f443635ad7f28329560945cd4a4dda5095a127b
Opcode Fuzzy Hash: e33724347de8351f3873eedce049964407b2ab5fed56b513237bba5220bccd7b
Instruction Fuzzy Hash: 5351B271A10610AFEB11AF24C886F2A77E5EB44718F58819CF90A9F3D3C771AD41CBA1

Function 002C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 002C843C
VUUU, xrefs: 002C83E8
VUUU, xrefs: 00305DF0
VUUU, xrefs: 002C83FA
ERCP, xrefs: 002C813C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 8adaf1e30073fb5d8678373ae5b9b155d4a92b5b16711abd6fe8554a27c5f89c
Instruction ID: e971170142f18bf040791b076abe3f7ac42e3b4a398396aff165b982bd369bd5
Opcode Fuzzy Hash: 8adaf1e30073fb5d8678373ae5b9b155d4a92b5b16711abd6fe8554a27c5f89c
Instruction Fuzzy Hash: E6A2C270E1161ACBDF25CF58C851BAEB7B1BF44310F2582AAD815A7285EB709DA1CF90

Function 00328298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003282AA

Strings

|, xrefs: 003282DA
(, xrefs: 003282F0
tb8, xrefs: 003284F4

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: lstrlen
String ID: ($tb8$|
API String ID: 1659193697-3797810875
Opcode ID: 731a38e25dc89dd8cbbdcd5aeb2e15890147cf796e99e4ae92013df365c0ae4d
Instruction ID: 26056b7d730e784d3bb9e81283b029fca1e240d46b7097a74bff849d26732812
Opcode Fuzzy Hash: 731a38e25dc89dd8cbbdcd5aeb2e15890147cf796e99e4ae92013df365c0ae4d
Instruction Fuzzy Hash: DB324478A017159FCB29CF19D081A6AB7F0FF48710B15C46EE59ADB7A1EB70E941CB40

Function 0034A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0034A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0034A6BA

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0034A79C
CloseHandle.KERNEL32(00000000), ref: 0034A7AB

Part of subcall function 002DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00303303,?), ref: 002DCE8A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e9626ae0be8fd5c7821d61415068af2cbecbe2c53c3c8a262f618746ff09af89
Instruction ID: 3a411a5f800a269bfac7917c780039e0f79f6282d2f915c0c98b33a010f934aa
Opcode Fuzzy Hash: e9626ae0be8fd5c7821d61415068af2cbecbe2c53c3c8a262f618746ff09af89
Instruction Fuzzy Hash: 195118715187009FD711EF24C886E6BBBE8EF89754F404A1DF585972A2EB30E914CF92

Function 0032AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0032AAAC
SetKeyboardState.USER32(00000080), ref: 0032AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0032AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0032AB88

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 37cf4b49e5714b501a914face6bfe00c6f4a33999eaf5de77f6ac89bd494f5cf
Instruction ID: bc9971279e9d888a7b8fd10b27e0f47935b5bea75c853faa43a218beaca653aa
Opcode Fuzzy Hash: 37cf4b49e5714b501a914face6bfe00c6f4a33999eaf5de77f6ac89bd494f5cf
Instruction Fuzzy Hash: 06311830A40B28AFFF378A64AC05BFA7BAAAF44310F04421AF181561E0D3758985C7A2

Function 0033CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0033CE89
GetLastError.KERNEL32(?,00000000), ref: 0033CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0033CEFE

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: dab2e94e0af6fbab622f434318fcadaba7831155c4e185754c54b0eb4e212461
Instruction ID: 3e1ad5bec41ca86d240aa8d17d12e141c6a32363238a41325fd2fcc3689253c3
Opcode Fuzzy Hash: dab2e94e0af6fbab622f434318fcadaba7831155c4e185754c54b0eb4e212461
Instruction Fuzzy Hash: FC21CFB15203059FDB22DF65C988BA777FCEB00319F11541EE546E2161E774EE04CB50

Function 002F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 002F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 002F2731

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 069030d3c56d6c8e8c31105edb3193adec6b880a496ae45f3ec28ee1598464f7
Instruction ID: 811b7316c8adfcf2322f986f5b54f7273572123c3457332f9f508662bbece305
Opcode Fuzzy Hash: 069030d3c56d6c8e8c31105edb3193adec6b880a496ae45f3ec28ee1598464f7
Instruction Fuzzy Hash: 1931E27495131CEBCB21DF68DD88798BBB8AF08310F5041EAE90CA6261E7709F958F44

Function 003351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00335238
SetErrorMode.KERNEL32(00000000), ref: 003352A1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 33018618bf835175c7d3d27ecec063180a007b22ab35dad232ca6b63ccc8f68e
Instruction ID: e3e704d25ab3ebce3c4fec373bca9f95c9e9fd6e6480728af2ca7f4dbd397504
Opcode Fuzzy Hash: 33018618bf835175c7d3d27ecec063180a007b22ab35dad232ca6b63ccc8f68e
Instruction Fuzzy Hash: BB314B75A106189FDB01DF54D884EAEBBB4FF48318F158499E805AB362DB31E856CB90

Function 003216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002E0668
Part of subcall function 002DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0032173A
GetLastError.KERNEL32 ref: 0032174A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 7ef114d151312c4efb0c34d009822354bc306e74cbc2e1fdc055c2787a1dc0f3
Instruction ID: 81266f2ca2729c192453e263d70baaef070354195430bffbebe878a293996972
Opcode Fuzzy Hash: 7ef114d151312c4efb0c34d009822354bc306e74cbc2e1fdc055c2787a1dc0f3
Instruction Fuzzy Hash: 1411CEB2420308AFD718AF54ED86D6BB7BDFB44B24B20852EE05653291EB70FC41CA24

Function 0032D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0032D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0032D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0032D650

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c4b7b0b672ed01876d21eee8a903d2ce2234afe65cec2720dada67e31cbb099a
Instruction ID: c7e54162d2b74e8a8b94cf784caf0d174c2a48e5eec20270e779d0f9bfd17021
Opcode Fuzzy Hash: c4b7b0b672ed01876d21eee8a903d2ce2234afe65cec2720dada67e31cbb099a
Instruction Fuzzy Hash: 33117C75E01328BFDB118F94AC44FAFBBBCEB45B50F108111F914E7290C2704A018BE1

Function 00321663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0032168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003216A1
FreeSid.ADVAPI32(?), ref: 003216B1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 513845be8c0f377c742f22081614047fe21bd45ee0f9d293fbd9057d70fb2289
Instruction ID: 3074d194102e90d357fc9c138cae871802aa2767b46635302abdf96f490b9c01
Opcode Fuzzy Hash: 513845be8c0f377c742f22081614047fe21bd45ee0f9d293fbd9057d70fb2289
Instruction Fuzzy Hash: 54F0F471950309FFDB01DFE4DD89AAEBBBCEB08705F504565E901E2191E774EA448A50

Function 002E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002F28E9,?,002E4CBE,002F28E9,003888B8,0000000C,002E4E15,002F28E9,00000002,00000000,?,002F28E9), ref: 002E4D09
TerminateProcess.KERNEL32(00000000,?,002E4CBE,002F28E9,003888B8,0000000C,002E4E15,002F28E9,00000002,00000000,?,002F28E9), ref: 002E4D10
ExitProcess.KERNEL32 ref: 002E4D22

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4110d0f90e23ce14416faf8d151b38d563accf757a19a9445915f2e8675adffc
Instruction ID: ca554c6324b3d20d72ae0d5f6f2ba348e49beeda499aca3de6c36df2120fd4cc
Opcode Fuzzy Hash: 4110d0f90e23ce14416faf8d151b38d563accf757a19a9445915f2e8675adffc
Instruction Fuzzy Hash: 63E09231060688AFCB12AF55DD09A587B6DEB85786F504054F9058A232CB39DA62CA90

Function 002FC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 002FC36C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 71494ce2f012d4099cbc747850e790ab5104ace6aa4c9ee096ecd98cf0281150
Instruction ID: 840e1b59ae425cc8649d627ff96faac4b9da79a0e8165f3112cd9707ba446d4d
Opcode Fuzzy Hash: 71494ce2f012d4099cbc747850e790ab5104ace6aa4c9ee096ecd98cf0281150
Instruction Fuzzy Hash: 7641497291021DAFCB24AFB9CD48DBBB778EB84394F2042B9FA05C7180E6709D50CB50

Function 0031D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0031D28C

Strings

X64, xrefs: 0031D2A8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: cd9a4beffbc4b14ee15571cac262679f4d13fc50362ef4affa548e0646c404fa
Instruction ID: 3fef6111e59919f4d551cc12e33024ba4fc8c58d898d8ebdfe061425d2dac85d
Opcode Fuzzy Hash: cd9a4beffbc4b14ee15571cac262679f4d13fc50362ef4affa548e0646c404fa
Instruction Fuzzy Hash: BBD0C9B482521DEFCF95CB90DC88DD9B3BCBB04306F100552F106A2140D77495498F10

Function 002ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 9aea1da6cbdc104f0ea716386c28c77aabb88573365d3d0e4f43e9c82941cee3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: DA023D71E502599FDF14CFA9C8806ADFBF1FF48324F65416AD919EB380D731A9528B80

Function 002CCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00310C40
p#9, xrefs: 002CCF7F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#9
API String ID: 0-248921893
Opcode ID: 03c296449d09062c46689c23d1eba1cfe5461cad1f2f1a9cef8ad87bca25c376
Instruction ID: 42618cba3557cda18e42a78b567566b83b11382b647c8c366b7493922cfcb6c2
Opcode Fuzzy Hash: 03c296449d09062c46689c23d1eba1cfe5461cad1f2f1a9cef8ad87bca25c376
Instruction Fuzzy Hash: 37327174920219DBCF19DF90C881FEDB7B5BF09304F24425EE80A6B291D7B5AE95CB60

Function 003368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00336918
FindClose.KERNEL32(00000000), ref: 00336961

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f7a0cda5fc84741b418aebe3fdb9971a98a194e5f5c2226af636b590725518ec
Instruction ID: 4735f3c54cf2768cde0283f81789ac0faccfa55ec1738610ebd86ae3d0bf956a
Opcode Fuzzy Hash: f7a0cda5fc84741b418aebe3fdb9971a98a194e5f5c2226af636b590725518ec
Instruction Fuzzy Hash: ED118E31614200AFC711DF29D8C5B16BBE5EF85329F15C69DE4698F6A2C730EC45CB91

Function 003337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00344891,?,?,00000035,?), ref: 003337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00344891,?,?,00000035,?), ref: 003337F4

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 241c633b0a37726148fc14bd580e08ba24b6596f3eb801668e8b00eb74d28efc
Instruction ID: 3905f9ae69b6372a2581db69703d8add84d615edd7c56a5544b86a98553a6d78
Opcode Fuzzy Hash: 241c633b0a37726148fc14bd580e08ba24b6596f3eb801668e8b00eb74d28efc
Instruction Fuzzy Hash: 22F0E5B06153292AEB2117668C8DFEB3AAEEFC4765F000265F509D22A1D9609944C7B0

Function 0032B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0032B25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 0032B270

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c2f89081bf16a536132620710cd90410f82391ac41d567e791c47f83f16f748d
Instruction ID: 48f56254dad45fb2b92eff69495e802b70d5f46660f8171763eb057a469eb5c0
Opcode Fuzzy Hash: c2f89081bf16a536132620710cd90410f82391ac41d567e791c47f83f16f748d
Instruction Fuzzy Hash: 36F01D7181434DAFDB069FA1D805BAEBFB4FF08309F009409F955A51A2D3798611DF94

Function 003210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003211FC), ref: 003210D4
CloseHandle.KERNEL32(?,?,003211FC), ref: 003210E9

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0ac88206eb3c9b32f2df340dbdaeed82c83bbff7956af9309faf5dd4aad4beb7
Instruction ID: 307db15c30bf961aec735cf111fe47ef4eae13034a37d8f79be1c0a447a02fbe
Opcode Fuzzy Hash: 0ac88206eb3c9b32f2df340dbdaeed82c83bbff7956af9309faf5dd4aad4beb7
Instruction Fuzzy Hash: ECE04F32024710AEE7662B51FD05E7377ADEB04311F10882EF4A6804B1DB62ACA0DB54

Function 002F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002F6766,?,?,00000008,?,?,002FFEFE,00000000), ref: 002F6998

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 59bb373e15275a0212d1a5cd61d0255fc52d657648a34f6a1ae07ba3ed64fffe
Instruction ID: e5f98010e7cfaebdc8ab40168d1326cba60131a9e1b71f1c2795f971a442373b
Opcode Fuzzy Hash: 59bb373e15275a0212d1a5cd61d0255fc52d657648a34f6a1ae07ba3ed64fffe
Instruction Fuzzy Hash: 8DB16E31620609DFD715CF28C48AB65BBE0FF053A4F25866CE999CF2A2C375D9A5CB40

Function 002DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0031851F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7de17476afaca92e86cf1d54cb16f5466a8ecf41c796da794efac74b901e8d24
Instruction ID: 23a676bf0ea20500cdeb7cf15149b7d3f097361697b34d054f7165fb7643818a
Opcode Fuzzy Hash: 7de17476afaca92e86cf1d54cb16f5466a8ecf41c796da794efac74b901e8d24
Instruction Fuzzy Hash: 74128E75910229DFCB26CF58C890AEEB7B5FF48310F15819AE809EB251DB709E91CF94

Function 0033EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0033EABD

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d7db4e29067f472df6bc79b3aace4d05aa96e520b72bedfbbfdac408772567fd
Instruction ID: 4fd02ac707c02b5f06114e3a88439e1b1f90ce9c9e36b08453564c385f586382
Opcode Fuzzy Hash: d7db4e29067f472df6bc79b3aace4d05aa96e520b72bedfbbfdac408772567fd
Instruction Fuzzy Hash: 73E04F312202059FC711EF69D845E9AF7EDAF98760F00841AFC49C73A1DB70E8418B90

Function 002E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002E03EE), ref: 002E09DA

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8460153475dd84a838b2f253103fc88a545a012537300968eb2f119a978a2aca
Instruction ID: 1cec7bbb723e6a83115bea70925c0f0f1db787cf89eb6890f6151d1a7bcd8f50
Opcode Fuzzy Hash: 8460153475dd84a838b2f253103fc88a545a012537300968eb2f119a978a2aca
Instruction Fuzzy Hash:

Function 002E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 002E798B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 0188e689822dcab70dfe10f388c033b8c43f30b739b180910bef176d61eb12a6
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 075143716FC6C75ADB38CD6B88597BE23899F22340FD80519D886C7283C661DE31E752

Function 00332046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&9, xrefs: 00332053

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: 0&9
API String ID: 0-1206990766
Opcode ID: a4ee392d3de6c355b5d4a8f9b8c8a93f625b423e309e6171dcf65db1e96d1c27
Instruction ID: 17fe1a20feaf81d6810077d0ebb778aceca68c8f007472d48d00c86be7b966e0
Opcode Fuzzy Hash: a4ee392d3de6c355b5d4a8f9b8c8a93f625b423e309e6171dcf65db1e96d1c27
Instruction Fuzzy Hash: E321A5326216118BDB2CCE79C86267F73E9A754310F15862EE4A7C77D0DE7AA904CB80

Function 002F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4f52700b190720fbaabe537c278799d12e19e24c73fdde5e9b489713aa74c8
Instruction ID: 657b97fd1e65c6e8e85e09b8ca8a9e0acd05c7693856a09bffc3851fa2146b0b
Opcode Fuzzy Hash: 3b4f52700b190720fbaabe537c278799d12e19e24c73fdde5e9b489713aa74c8
Instruction Fuzzy Hash: 23323322D39F054DD7239A34CC22336A64DAFB73C5F15D737E82AB5AA9EB69C4934100

Function 002DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff55efb9d276d806a5fa91dae3a392576274300170485e939ed3a247ed8afdd
Instruction ID: d43d827cf69576b65c0cf99c63abad1b25fd73898321d8cc603094f9e5ffe624
Opcode Fuzzy Hash: bff55efb9d276d806a5fa91dae3a392576274300170485e939ed3a247ed8afdd
Instruction Fuzzy Hash: 64320431AB42168BCF2ECE28C4906FD77A5EF49300F29A56BD9498B7A1D230DDD1DB41

Function 002C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7dd112dbb478fa2df6ab6d056701b8848ded70b911430d2afed5d764af31bdf
Instruction ID: 05791665809e9261dc01966c8b4aa302ec7b3226344be83781c9a4af7126b614
Opcode Fuzzy Hash: b7dd112dbb478fa2df6ab6d056701b8848ded70b911430d2afed5d764af31bdf
Instruction Fuzzy Hash: 1822C070A1060ADFDF14CFA5C991BAEB3B5FF48304F244629E816A7291EB369D61CF50

Function 002C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3bdda1a7a3456e749c5ea984c5adfb3066922d2291b2895676a82df34ca766
Instruction ID: 91907235598cccda6c3c24d9ff3d55dc44eb84a23b44988eb4cf20922b2d12ac
Opcode Fuzzy Hash: fc3bdda1a7a3456e749c5ea984c5adfb3066922d2291b2895676a82df34ca766
Instruction Fuzzy Hash: C602E5B1A10209EBDB05DF54D891BAEB7B5FF44300F118569E80A9B390EB71AE60CF95

Function 002E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 7135cbe2cedc2a73c7e99a8593daed14bba133b4f83334719db96cccf8306a54
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B79152722690E34ADB2D4A7B857403DFFE15A923A539A07BED4F2CA1C1FE348574D620

Function 002E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f0fcbc1e6e2d1dbd043553e401169d0c6ea40614d78342c7d7b770f8377f64
Instruction ID: 2643bfa074b6f18cf3945b0bb1131301270c33bd2c260faeb339c347fe632643
Opcode Fuzzy Hash: 50f0fcbc1e6e2d1dbd043553e401169d0c6ea40614d78342c7d7b770f8377f64
Instruction Fuzzy Hash: A6618C702F87CB56DE345D2B48557BE3398DF41708FE0092EE886CB381D5519E728725

Function 002E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5b7d6c90af82651722a5166a6ef51481effe07e8c5d87544d5003eb65166005a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 788186726680E349EB2D8A3B857447EFFE15A923A135A07BDD4F2CA1C1EE348574D620

Function 002DD065 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266aaee7b50497f23c654f721997795d51e841222f639f2af9bcb668818c96eb
Instruction ID: 62c18d15244cd4e7bca94811d56b0ab96e2dfe7bcf1acc7d4a1221196eac16dd
Opcode Fuzzy Hash: 266aaee7b50497f23c654f721997795d51e841222f639f2af9bcb668818c96eb
Instruction Fuzzy Hash: 77514F7254EBC2DFC3175B348C6A1857F70EE1724832A49EFC4828E4B3E666041ACF56

Function 002CD010 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a012d645e08292c3acb152791c4fc72978c0067702c55bd48900f86d45000e
Instruction ID: 272e486873a2b201de579073a675be7a445a1178494c5c98a4a5382bee093423
Opcode Fuzzy Hash: a1a012d645e08292c3acb152791c4fc72978c0067702c55bd48900f86d45000e
Instruction Fuzzy Hash: 6F419D70A002059FCB59CF68C581AEDBBF6FF4A310F2185A9E909DB641D731ED92CB50

Function 002C90BC Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de87ba3b17471714e02199e3046e501b0dbc3f9d8813496a496b173d345969a1
Instruction ID: 062e557d144f4fa1a16f70decfe59186c5c267bec8d1a90c31332f1066dd050a
Opcode Fuzzy Hash: de87ba3b17471714e02199e3046e501b0dbc3f9d8813496a496b173d345969a1
Instruction Fuzzy Hash: 0731026A52E2C44AC7035B389CAA6E27F75DE5721874D5ACFD0C18E467C105598BCB23

Function 032135C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457724343.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 375bd5f9d32702ed9fd367b95f1e4e6fc42a09fdfced6dc45bb27e834062fe08
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8941A171D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90

Function 032134B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457724343.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 388d77b932690f4fdd480ed544f7b021db76fba36237e571a1ec8b48f75b83ec
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 4F019678A10109EFCB44DF98C6909AEF7F6FB58310F248599D919A7701D731AE51DB80

Function 03213450 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457724343.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 33093539af9af6382a84c22a6a50584eef11d5ab52c3796246fa62c0787e95e7
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 90018478A10109EFCB44DF98C6909ADF7F6FB58310B248599D915A7701D730AE51DB80

Function 03211E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457724343.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3210000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00342ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00342B30
DeleteObject.GDI32(00000000), ref: 00342B43
DestroyWindow.USER32 ref: 00342B52
GetDesktopWindow.USER32 ref: 00342B6D
GetWindowRect.USER32(00000000), ref: 00342B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00342CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00342CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00342CF8
GetClientRect.USER32(00000000,?), ref: 00342D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00342D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00342D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00342D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00342D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00342D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00342D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00342DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00342DA8
GlobalFree.KERNEL32(00000000), ref: 00342DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00342DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0035FC38,00000000), ref: 00342DDB
GlobalFree.KERNEL32(00000000), ref: 00342DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00342E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00342E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00342E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0034303F

Strings

static, xrefs: 00342D3A, 00342E91
, xrefs: 00342FC5
DISPLAY, xrefs: 00342EA2
AutoIt v3, xrefs: 00342CF2

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: dbc09f43ab5bbe4d646f5ddbfa0e44fb83fbb7c36479173ad2a37454db62d1a6
Instruction ID: 2b07b8e64949511b84eb52a8c396055690f6fb5a09182ed16ef581c48c39d037
Opcode Fuzzy Hash: dbc09f43ab5bbe4d646f5ddbfa0e44fb83fbb7c36479173ad2a37454db62d1a6
Instruction Fuzzy Hash: 91027A75910209AFDB16DFA4CC89EAE7BB9EF48715F048158F915AB2A1CB70ED01CF60

Function 003570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0035712F
GetSysColorBrush.USER32(0000000F), ref: 00357160
GetSysColor.USER32(0000000F), ref: 0035716C
SetBkColor.GDI32(?,000000FF), ref: 00357186
SelectObject.GDI32(?,?), ref: 00357195
InflateRect.USER32(?,000000FF,000000FF), ref: 003571C0
GetSysColor.USER32(00000010), ref: 003571C8
CreateSolidBrush.GDI32(00000000), ref: 003571CF
FrameRect.USER32(?,?,00000000), ref: 003571DE
DeleteObject.GDI32(00000000), ref: 003571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00357230
FillRect.USER32(?,?,?), ref: 00357262
GetWindowLongW.USER32(?,000000F0), ref: 00357284

Part of subcall function 003573E8: GetSysColor.USER32(00000012), ref: 00357421
Part of subcall function 003573E8: SetTextColor.GDI32(?,?), ref: 00357425
Part of subcall function 003573E8: GetSysColorBrush.USER32(0000000F), ref: 0035743B
Part of subcall function 003573E8: GetSysColor.USER32(0000000F), ref: 00357446
Part of subcall function 003573E8: GetSysColor.USER32(00000011), ref: 00357463
Part of subcall function 003573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00357471
Part of subcall function 003573E8: SelectObject.GDI32(?,00000000), ref: 00357482
Part of subcall function 003573E8: SetBkColor.GDI32(?,00000000), ref: 0035748B
Part of subcall function 003573E8: SelectObject.GDI32(?,?), ref: 00357498
Part of subcall function 003573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003574B7
Part of subcall function 003573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003574CE
Part of subcall function 003573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003574DB

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 73364fb42f2fbf8861b9aaa66cbb0ddee014c34741785e301c900dae909a65e9
Instruction ID: f344f174bfc6e18c9a4aa38ca0fe669c5f1707b65e5dcba995aed3d915b9c3ee
Opcode Fuzzy Hash: 73364fb42f2fbf8861b9aaa66cbb0ddee014c34741785e301c900dae909a65e9
Instruction Fuzzy Hash: 1CA19F72018701AFDB029F60DC48E6BBBADFB49326F101A19F9A2961F1D771E944CB91

Function 002D8D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 002D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00316AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00316AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00316F43

Part of subcall function 002D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D8BE8,?,00000000,?,?,?,?,002D8BBA,00000000,?), ref: 002D8FC5

SendMessageW.USER32(?,00001053), ref: 00316F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00316F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00316FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00316FB7

Strings

0, xrefs: 00316DCF
Ph, xrefs: 002D8DC2, 00316ADC, 00316B10, 00316B5F, 00316B9F, 00316C47, 00316CE8, 00316D8C, 00316E18, 00316EEF, 00316F15, 00316FC8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$Ph
API String ID: 2760611726-461424624
Opcode ID: 55450f8589715f663446ed4737396d9211b246dfc7967c187b9d8f941007fb42
Instruction ID: e41c09ac03ae6e0e9950ae55138cb710cbcba7fa88bea3cd48c9386c95d11d30
Opcode Fuzzy Hash: 55450f8589715f663446ed4737396d9211b246dfc7967c187b9d8f941007fb42
Instruction Fuzzy Hash: A712AD30214202DFDB2BCF54D855BAAB7E9FB49304F15456AF4859B261CB32ECA2CF91

Function 00342711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0034273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0034286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00342900
GetClientRect.USER32(00000000,?), ref: 0034290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00342955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00342964
GetStockObject.GDI32(00000011), ref: 00342974
SelectObject.GDI32(00000000,00000000), ref: 00342978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00342988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00342991
DeleteDC.GDI32(00000000), ref: 0034299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00342A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00342A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00342A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00342A77
GetStockObject.GDI32(00000011), ref: 00342A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00342A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00342A97

Strings

static, xrefs: 0034294F, 00342A71
msctls_progress32, xrefs: 00342A13
DISPLAY, xrefs: 0034295A
AutoIt v3, xrefs: 003428F8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1ad47709e36f661b710f52be556d01948f7494d0abe8fbee1fb8be1417e2ece9
Instruction ID: ebdc313fe6b818f688790452955ed28c4673e56ff17b25b2ecbf63302735b420
Opcode Fuzzy Hash: 1ad47709e36f661b710f52be556d01948f7494d0abe8fbee1fb8be1417e2ece9
Instruction Fuzzy Hash: EAB13B75A10215AFEB15DF68CC8AFAE7BB9EB08715F004219F915EB2A1D770AD40CF90

Function 00334ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00334AED
GetDriveTypeW.KERNEL32(?,0035CB68,?,\\.\,0035CC08), ref: 00334BCA
SetErrorMode.KERNEL32(00000000,0035CB68,?,\\.\,0035CC08), ref: 00334D36

Strings

Network, xrefs: 00334C02
ATA, xrefs: 00334C98
SSA, xrefs: 00334CA6
Fixed, xrefs: 00334C09
RAID, xrefs: 00334CBB
PhysicalDrive, xrefs: 00334B76
FileBackedVirtual, xrefs: 00334CEC
Unknown, xrefs: 00334BED, 00334C83
SSD, xrefs: 00334C4A
SATA, xrefs: 00334CD0
MMC, xrefs: 00334CDE
1394, xrefs: 00334C9F
Fibre, xrefs: 00334CAD
CDROM, xrefs: 00334BFB
Removable, xrefs: 00334C10, 00334C15
SCSI, xrefs: 00334C8A
USB, xrefs: 00334CB4
SAS, xrefs: 00334CC9
\\.\, xrefs: 00334B3F
Virtual, xrefs: 00334CE5
iSCSI, xrefs: 00334CC2
RAMDisk, xrefs: 00334BF4
ATAPI, xrefs: 00334C91

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b4ee65bf621cdd2f736bda075c42f67a727d60a20ac5f249f2fff65c0e1925a0
Instruction ID: b4b8444fc99b9b0cfe94beeeef3c81e54783c4adc8d5be64ade515db0915c61e
Opcode Fuzzy Hash: b4ee65bf621cdd2f736bda075c42f67a727d60a20ac5f249f2fff65c0e1925a0
Instruction Fuzzy Hash: 5261C230605305ABCB07EF24CAC2EACB7B4EB04744F209699F806ABA56DB35FD45DB41

Function 003573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00357421
SetTextColor.GDI32(?,?), ref: 00357425
GetSysColorBrush.USER32(0000000F), ref: 0035743B
GetSysColor.USER32(0000000F), ref: 00357446
CreateSolidBrush.GDI32(?), ref: 0035744B
GetSysColor.USER32(00000011), ref: 00357463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00357471
SelectObject.GDI32(?,00000000), ref: 00357482
SetBkColor.GDI32(?,00000000), ref: 0035748B
SelectObject.GDI32(?,?), ref: 00357498
InflateRect.USER32(?,000000FF,000000FF), ref: 003574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0035752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00357554
InflateRect.USER32(?,000000FD,000000FD), ref: 00357572
DrawFocusRect.USER32(?,?), ref: 0035757D
GetSysColor.USER32(00000011), ref: 0035758E
SetTextColor.GDI32(?,00000000), ref: 00357596
DrawTextW.USER32(?,003570F5,000000FF,?,00000000), ref: 003575A8
SelectObject.GDI32(?,?), ref: 003575BF
DeleteObject.GDI32(?), ref: 003575CA
SelectObject.GDI32(?,?), ref: 003575D0
DeleteObject.GDI32(?), ref: 003575D5
SetTextColor.GDI32(?,?), ref: 003575DB
SetBkColor.GDI32(?,?), ref: 003575E5

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 944f9debd8c63d5d6e5452f4b6dfce0dceffad7efc26a813387ab00915b29193
Instruction ID: 66e4a708c132751626d1efc37ca996e6ac5595dde63cd7479a2f9b9852f5185f
Opcode Fuzzy Hash: 944f9debd8c63d5d6e5452f4b6dfce0dceffad7efc26a813387ab00915b29193
Instruction Fuzzy Hash: AC617B72900318AFDF029FA5DC49EAEBFB9EB09322F115515F915AB2B1D7709A40CF90

Function 00350FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00351128
GetDesktopWindow.USER32 ref: 0035113D
GetWindowRect.USER32(00000000), ref: 00351144
GetWindowLongW.USER32(?,000000F0), ref: 00351199
DestroyWindow.USER32(?), ref: 003511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0035121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00351232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00351245
IsWindowVisible.USER32(00000000), ref: 003512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003512D0
GetWindowRect.USER32(00000000,?), ref: 003512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0035130E
GetMonitorInfoW.USER32(00000000,?), ref: 00351328
CopyRect.USER32(?,?), ref: 0035133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 003513AA

Strings

tooltips_class32, xrefs: 003511E6
0, xrefs: 003510D3
(, xrefs: 0035131B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 221d6c9eb9742abd58752365ace652ec2b51836a6c1fef6e21f6106a7b1ec1e3
Instruction ID: 551864eb959ac581777bde9ade9f4a1a4ad6797d1480e98d3f024692d583c592
Opcode Fuzzy Hash: 221d6c9eb9742abd58752365ace652ec2b51836a6c1fef6e21f6106a7b1ec1e3
Instruction Fuzzy Hash: 35B17971614341AFD701DF64C885F6ABBE8EF88355F008A1CF9999B2A1C771E948CF91

Function 00350241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003502E5
_wcslen.LIBCMT ref: 0035031F
_wcslen.LIBCMT ref: 00350389
_wcslen.LIBCMT ref: 003503F1
_wcslen.LIBCMT ref: 00350475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003504C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00350504

Part of subcall function 002DF9F2: _wcslen.LIBCMT ref: 002DF9FD

Part of subcall function 0032223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00322258
Part of subcall function 0032223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0032228A

Strings

ISSELECTED, xrefs: 003504DD
GETSUBITEMCOUNT, xrefs: 00350384, 0035039F
SELECTINVERT, xrefs: 0035057E
GETSELECTEDCOUNT, xrefs: 00350470, 0035048B
GETITEMCOUNT, xrefs: 00350316, 00350337
VIEWCHANGE, xrefs: 00350675
GETSELECTED, xrefs: 003505E1
FINDITEM, xrefs: 00350627
DESELECT, xrefs: 0035059C
SELECTCLEAR, xrefs: 0035052D
SELECT, xrefs: 00350548
GETTEXT, xrefs: 003503EC, 00350407
SELECTALL, xrefs: 00350515

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 10a72ea8246506f0ab799e67fbe03691f716075acdacae67205d57731f927ed2
Instruction ID: b4d34e9f8b3fa047d921d06269229731c5e9858beba4f1352428a7140cc645cd
Opcode Fuzzy Hash: 10a72ea8246506f0ab799e67fbe03691f716075acdacae67205d57731f927ed2
Instruction Fuzzy Hash: D9E1BD312183008FC71AEF24C551D2AB3E6BF88315F554A5DF896AB7A1DB31ED49CB81

Function 002D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D8968
GetSystemMetrics.USER32(00000007), ref: 002D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D899B
GetSystemMetrics.USER32(00000008), ref: 002D89A3
GetSystemMetrics.USER32(00000004), ref: 002D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 002D8A5A
GetStockObject.GDI32(00000011), ref: 002D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 002D8A81

Part of subcall function 002D912D: GetCursorPos.USER32(?), ref: 002D9141
Part of subcall function 002D912D: ScreenToClient.USER32(00000000,?), ref: 002D915E
Part of subcall function 002D912D: GetAsyncKeyState.USER32(00000001), ref: 002D9183
Part of subcall function 002D912D: GetAsyncKeyState.USER32(00000002), ref: 002D919D

SetTimer.USER32(00000000,00000000,00000028,002D90FC), ref: 002D8AA8

Strings

AutoIt v3 GUI, xrefs: 002D8A20

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fcab22e9aef9a8610c2bdcf420e5f91e01675ad0aee4130d35cc55fbe03c7127
Instruction ID: 1e18b0d01a8df51ac2519275eccdd5fcf292d10ef4d826765b2cc4e7ad6f43d5
Opcode Fuzzy Hash: fcab22e9aef9a8610c2bdcf420e5f91e01675ad0aee4130d35cc55fbe03c7127
Instruction Fuzzy Hash: A0B16D75A1030A9FDB16DFA8CC85BEE3BB9FB48315F11411AFA15A72A0DB70A950CF50

Function 00320D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00321114
Part of subcall function 003210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321120
Part of subcall function 003210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 0032112F
Part of subcall function 003210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321136
Part of subcall function 003210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0032114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00320DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00320E29
GetLengthSid.ADVAPI32(?), ref: 00320E40
GetAce.ADVAPI32(?,00000000,?), ref: 00320E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00320E96
GetLengthSid.ADVAPI32(?), ref: 00320EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00320EB5
HeapAlloc.KERNEL32(00000000), ref: 00320EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00320EDD
CopySid.ADVAPI32(00000000), ref: 00320EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00320F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00320F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00320F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320F6E
HeapFree.KERNEL32(00000000), ref: 00320F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320F7E
HeapFree.KERNEL32(00000000), ref: 00320F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00320F8E
HeapFree.KERNEL32(00000000), ref: 00320F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00320FA1
HeapFree.KERNEL32(00000000), ref: 00320FA8

Part of subcall function 00321193: GetProcessHeap.KERNEL32(00000008,00320BB1,?,00000000,?,00320BB1,?), ref: 003211A1
Part of subcall function 00321193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00320BB1,?), ref: 003211A8
Part of subcall function 00321193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00320BB1,?), ref: 003211B7

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 587043d46ba03a6c22683604e7adb126987a043ea61a9b78bbe93a2373f05e49
Instruction ID: cdcecfb4bb0025fbadc0ac177f92c200ec8208ab5d5c24f263b4db25b6548d89
Opcode Fuzzy Hash: 587043d46ba03a6c22683604e7adb126987a043ea61a9b78bbe93a2373f05e49
Instruction Fuzzy Hash: 0B715A7290031ABFDF269FA4ED44BAEBBBCFF04315F054115E919A71A2D7319A09CB60

Function 0034C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0034C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0035CC08,00000000,?,00000000,?,?), ref: 0034C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0034C5A4
_wcslen.LIBCMT ref: 0034C5F4
_wcslen.LIBCMT ref: 0034C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0034C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0034C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0034C84D
RegCloseKey.ADVAPI32(?), ref: 0034C881
RegCloseKey.ADVAPI32(00000000), ref: 0034C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0034C960

Strings

REG_SZ, xrefs: 0034C644
REG_MULTI_SZ, xrefs: 0034C6F5
REG_QWORD, xrefs: 0034C8C3
REG_BINARY, xrefs: 0034C913
REG_EXPAND_SZ, xrefs: 0034C5CD
REG_DWORD, xrefs: 0034C804

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b5b8fcb60077ab3ae9942189125548a35ab1fba068914b2e7f6dd964c1597292
Instruction ID: 049eaa010c3a7aeeb91d0acb26104591a6e5b6e12d58f5b48ec56e82b61ec0c0
Opcode Fuzzy Hash: b5b8fcb60077ab3ae9942189125548a35ab1fba068914b2e7f6dd964c1597292
Instruction Fuzzy Hash: 921233356242009FDB55DF24C881E2AB7E5AF88714F15899CF88A9B3A2DB31FD41CF81

Function 0035091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003509C6
_wcslen.LIBCMT ref: 00350A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00350A54
_wcslen.LIBCMT ref: 00350A8A
_wcslen.LIBCMT ref: 00350B06
_wcslen.LIBCMT ref: 00350B81

Part of subcall function 002DF9F2: _wcslen.LIBCMT ref: 002DF9FD

Part of subcall function 00322BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00322BFA

Strings

GETSELECTED, xrefs: 00350C4E
EXISTS, xrefs: 00350B7C, 00350B97
ISCHECKED, xrefs: 00350CE1
COLLAPSE, xrefs: 00350B01, 00350B1C
UNCHECK, xrefs: 00350D3E
CHECK, xrefs: 00350A85, 00350AA0
EXPAND, xrefs: 00350BF8
GETITEMCOUNT, xrefs: 00350C1E
GETTOTALCOUNT, xrefs: 003509F2, 00350A17
SELECT, xrefs: 00350D11
GETTEXT, xrefs: 00350C97

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b88ada0256e484c8066a900d4fd57a99068b18d9486b0482d075bd14501f9b9a
Instruction ID: 7748c838044ff6ab29b44ff0d186508f331e0430063a4787cf78210630793a77
Opcode Fuzzy Hash: b88ada0256e484c8066a900d4fd57a99068b18d9486b0482d075bd14501f9b9a
Instruction Fuzzy Hash: 72E1BE352183019FC71AEF24C490D2AB7E2BF88315B55499DFC969B362D732ED49CB81

Function 0034C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034B6AE,?,?), ref: 0034C9B5
_wcslen.LIBCMT ref: 0034C9F1
_wcslen.LIBCMT ref: 0034CA68
_wcslen.LIBCMT ref: 0034CA9E
_wcslen.LIBCMT ref: 0034CAF9
_wcslen.LIBCMT ref: 0034CB2F
_wcslen.LIBCMT ref: 0034CB7F

Strings

HKLM, xrefs: 0034CA98, 0034CA9D
HKEY_USERS, xrefs: 0034CBDF
HKEY_CURRENT_USER, xrefs: 0034CBBD
HKU, xrefs: 0034CBF0
HKCR, xrefs: 0034CB29, 0034CB2E
HKEY_CLASSES_ROOT, xrefs: 0034CAF3, 0034CAF8
HKCC, xrefs: 0034CBAC
HKCU, xrefs: 0034CBCE
HKEY_LOCAL_MACHINE, xrefs: 0034CA62, 0034CA67
HKEY_CURRENT_CONFIG, xrefs: 0034CB79, 0034CB7E

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c2be9d0a970638c6bf4514dae95d4a6baa70df1570414c7c31454ba4b0cda96b
Instruction ID: 081a75cc6732082e54084c88de697de0a8541f75be8fd04a72e6fdba69e4d8f2
Opcode Fuzzy Hash: c2be9d0a970638c6bf4514dae95d4a6baa70df1570414c7c31454ba4b0cda96b
Instruction Fuzzy Hash: 8871483263116A8BCB62EE3CCD415BE33D5AF60754F221528FC56AF280EA31ED41C7A0

Function 0035833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0035835A
_wcslen.LIBCMT ref: 0035836E
_wcslen.LIBCMT ref: 00358391
_wcslen.LIBCMT ref: 003583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00355BF2), ref: 0035844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00358487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00358501
FreeLibrary.KERNEL32(?), ref: 0035850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0035851D
DestroyIcon.USER32(?,?,?,?,?,00355BF2), ref: 0035852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00358549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00358555

Strings

.exe, xrefs: 00358388
.dll, xrefs: 003583AB
.icl, xrefs: 00358368

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: adca596923a18ed18119e85dea438f3fbf244382d71b28f5ce971fca025ff6bb
Instruction ID: 119f674810cf20b595b5907c6d82aeb5b1a72e1b284fafb48f3e8a537c20bc2c
Opcode Fuzzy Hash: adca596923a18ed18119e85dea438f3fbf244382d71b28f5ce971fca025ff6bb
Instruction Fuzzy Hash: 6261BE71550305BEEB169F65CC81FBE77ACAB04722F104609FC15E61E1EB74AA94CBA0

Function 002C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 002C7817
Cannot parse #include, xrefs: 00305279
#include-once, xrefs: 002C782F
#cs, xrefs: 002C7873, 002C78C5
Unterminated group of comments, xrefs: 0030528C
Bad directive syntax error, xrefs: 0030519A
#comments-end, xrefs: 002C78D9
#pragma compile, xrefs: 002C77D3
#requireadmin, xrefs: 002C77FF
#ce, xrefs: 002C78ED
", xrefs: 00305153
#comments-start, xrefs: 002C785F, 002C78B1
#notrayicon, xrefs: 002C77E7
', xrefs: 00305169
#include, xrefs: 002C7847

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ec06880d36be6f8371bde7e8b547fdb08dd02af7c12dcc0b536b1ebeeb3e8ffd
Instruction ID: 8230005affaa222c6424abc2e52f43b6bd44432ecd5bbad8ee9b2a4ea558cbb8
Opcode Fuzzy Hash: ec06880d36be6f8371bde7e8b547fdb08dd02af7c12dcc0b536b1ebeeb3e8ffd
Instruction Fuzzy Hash: AB810771664205BBDB26AF60CD53FAF77A8AF15300F044129FD09AA192EB70DA25CF91

Function 00325A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00325A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00325A40
SetWindowTextW.USER32(?,?), ref: 00325A57
GetDlgItem.USER32(?,000003EA), ref: 00325A6C
SetWindowTextW.USER32(00000000,?), ref: 00325A72
GetDlgItem.USER32(?,000003E9), ref: 00325A82
SetWindowTextW.USER32(00000000,?), ref: 00325A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00325AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00325AC3
GetWindowRect.USER32(?,?), ref: 00325ACC
_wcslen.LIBCMT ref: 00325B33
SetWindowTextW.USER32(?,?), ref: 00325B6F
GetDesktopWindow.USER32 ref: 00325B75
GetWindowRect.USER32(00000000), ref: 00325B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00325BD3
GetClientRect.USER32(?,?), ref: 00325BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00325C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00325C2F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 45bc8d057516260814b08d668702c0c5a3068439d559c8499ba7a4ffcecb552e
Instruction ID: 24b85183555141fad01af666839510a3876c796cb5c44762c4c07d8a7b7fa92d
Opcode Fuzzy Hash: 45bc8d057516260814b08d668702c0c5a3068439d559c8499ba7a4ffcecb552e
Instruction Fuzzy Hash: EA719D31900B19EFDB22DFA8DE85AAEBBF9FF48705F104518E542A25A0D774EA40CB50

Function 003230F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0032318D
_wcslen.LIBCMT ref: 003231F8

Strings

REGEXPCLASS, xrefs: 00323255, 00323266
[8, xrefs: 0032339A
INSTANCE, xrefs: 00323453
CLASS, xrefs: 00323188, 003231A5
TEXT, xrefs: 0032347C
NAME, xrefs: 00323335, 00323346
CLASSNN, xrefs: 003231F3, 00323204

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[8
API String ID: 176396367-3359436768
Opcode ID: e8deea24456918283148b56f473d4d54242bb510ce1376c417d238d8435e285b
Instruction ID: fa2009cb2c47042c9c29d81bacaca9545bf5f57b029cae7ab930d651837aa415
Opcode Fuzzy Hash: e8deea24456918283148b56f473d4d54242bb510ce1376c417d238d8435e285b
Instruction Fuzzy Hash: FCE13732A006269BCB16EF74D441BFDBBB4BF14710F65825AE456B3240DB34AF958BD0

Function 0035911E Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00359147

Part of subcall function 00357674: ClientToScreen.USER32(?,?), ref: 0035769A
Part of subcall function 00357674: GetWindowRect.USER32(?,?), ref: 00357710
Part of subcall function 00357674: PtInRect.USER32(?,?,00358B89), ref: 00357720

SendMessageW.USER32(?,000000B0,?,?), ref: 003591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00359225
SendMessageW.USER32(?,000000B0,?,?), ref: 0035923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00359255
SendMessageW.USER32(?,000000B1,?,?), ref: 00359277
DragFinish.SHELL32(?), ref: 0035927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00359371

Strings

p#9, xrefs: 003592BB
@GUI_DRAGID, xrefs: 003592E9
@GUI_DRAGFILE, xrefs: 00359320
@GUI_DROPID, xrefs: 0035929E
Ph, xrefs: 0035917D, 003591EA

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$Ph$p#9
API String ID: 221274066-757485531
Opcode ID: 830752c4b015819843d3de6ec028ba615baa1409fc2d3e404d4aa2d91e5ada0d
Instruction ID: 31426da8c7e103e51189eb2c5d5fa5879631cc9ac476ad692cabe57f887e0287
Opcode Fuzzy Hash: 830752c4b015819843d3de6ec028ba615baa1409fc2d3e404d4aa2d91e5ada0d
Instruction Fuzzy Hash: A0617A71118301AFC702DF61DC85EAFBBE9EF89754F100A1EF595921A0DB309A59CB52

Function 002E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002E00C6

Part of subcall function 002E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0039070C,00000FA0,954CC39B,?,?,?,?,003023B3,000000FF), ref: 002E011C
Part of subcall function 002E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003023B3,000000FF), ref: 002E0127
Part of subcall function 002E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003023B3,000000FF), ref: 002E0138
Part of subcall function 002E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002E014E
Part of subcall function 002E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002E015C
Part of subcall function 002E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002E016A
Part of subcall function 002E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002E0195
Part of subcall function 002E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002E01A0

___scrt_fastfail.LIBCMT ref: 002E00E7

Part of subcall function 002E00A3: __onexit.LIBCMT ref: 002E00A9

Strings

WakeAllConditionVariable, xrefs: 002E0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 002E0122
kernel32.dll, xrefs: 002E0133
InitializeConditionVariable, xrefs: 002E0148
SleepConditionVariableCS, xrefs: 002E0154

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 1cef76036c0ac5114cc445fbfbbe674f3ec2dc5416645d789d81b686ca7fce5b
Instruction ID: b47e174010248121c76167537d6edbbca890cde1d36727a00675ead82b24e5f5
Opcode Fuzzy Hash: 1cef76036c0ac5114cc445fbfbbe674f3ec2dc5416645d789d81b686ca7fce5b
Instruction Fuzzy Hash: 16212C326A47416FDB175FB5AC45F6A33F8DB05B66F000126FC059A2A1DBB09C418A90

Function 003344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0035CC08), ref: 00334527
_wcslen.LIBCMT ref: 0033453B
_wcslen.LIBCMT ref: 00334599
_wcslen.LIBCMT ref: 003345F4
_wcslen.LIBCMT ref: 0033463F
_wcslen.LIBCMT ref: 003346A7

Part of subcall function 002DF9F2: _wcslen.LIBCMT ref: 002DF9FD

GetDriveTypeW.KERNEL32(?,00386BF0,00000061), ref: 00334743

Strings

removable, xrefs: 003345EA, 003345EF
cdrom, xrefs: 0033458F, 00334594
fixed, xrefs: 00334635, 0033463A
network, xrefs: 0033469D, 003346A2
unknown, xrefs: 00334708
ramdisk, xrefs: 003346F1
all, xrefs: 00334531, 00334536

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: dbde79fb4b89d0f02b70265454def757aa5d74fd825359642341e345f3d78b5a
Instruction ID: 0b7421b7bb1b6a249744db16b98f637b2b7d4f6d39b2b782163b96737fb5aa56
Opcode Fuzzy Hash: dbde79fb4b89d0f02b70265454def757aa5d74fd825359642341e345f3d78b5a
Instruction Fuzzy Hash: C4B1F2316083029FC712DF28C8D1A6EB7E5AFA6764F514A1DF4A6C7291E730EC44CB92

Function 00356CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00356DEB

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00356E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00356E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00356E94
DestroyWindow.USER32(?), ref: 00356EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002C0000,00000000), ref: 00356EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00356EFD
GetDesktopWindow.USER32 ref: 00356F16
GetWindowRect.USER32(00000000), ref: 00356F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00356F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00356F4D

Part of subcall function 002D9944: GetWindowLongW.USER32(?,000000EB), ref: 002D9952

Strings

0, xrefs: 00356D98
tooltips_class32, xrefs: 00356E58, 00356EDD
Ph, xrefs: 00356D0F, 00356DCF, 00356DF1, 00356E04

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$Ph$tooltips_class32
API String ID: 2429346358-1021671283
Opcode ID: a405cd2281e1154292a0c99b099abb303263b2f2f8ed3fc9146226826ebca61a
Instruction ID: d58f29e5c31d68268b1d0069c6aa5900c2f2c07334fa5d37fcc572f5d11c3e45
Opcode Fuzzy Hash: a405cd2281e1154292a0c99b099abb303263b2f2f8ed3fc9146226826ebca61a
Instruction Fuzzy Hash: 42717670504341AFDB22CF18DC59FAABBE9FB99305F84091EF98997271C771A90ACB11

Function 0034AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0034B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0034B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0034B1D4
_wcslen.LIBCMT ref: 0034B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034B236
_wcslen.LIBCMT ref: 0034B332

Part of subcall function 003305A7: GetStdHandle.KERNEL32(000000F6), ref: 003305C6

_wcslen.LIBCMT ref: 0034B34B
_wcslen.LIBCMT ref: 0034B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0034B3B6
GetLastError.KERNEL32(00000000), ref: 0034B407
CloseHandle.KERNEL32(?), ref: 0034B439
CloseHandle.KERNEL32(00000000), ref: 0034B44A
CloseHandle.KERNEL32(00000000), ref: 0034B45C
CloseHandle.KERNEL32(00000000), ref: 0034B46E
CloseHandle.KERNEL32(?), ref: 0034B4E3

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 769a8d06d8b793592eb3bba590d633f1f6cac55cbcc5deeb0decd2d6cc291082
Instruction ID: 3bf56221d122a42bf50fdfe859786ac7b0078ecc8dd423bc9acd7820fb56c167
Opcode Fuzzy Hash: 769a8d06d8b793592eb3bba590d633f1f6cac55cbcc5deeb0decd2d6cc291082
Instruction Fuzzy Hash: 4AF188316183409FC726EF25C891B2ABBE5AF85314F15895DF8999F2A2CB31EC44CF52

Function 002C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00391990), ref: 00302F8D
GetMenuItemCount.USER32(00391990), ref: 0030303D
GetCursorPos.USER32(?), ref: 00303081
SetForegroundWindow.USER32(00000000), ref: 0030308A
TrackPopupMenuEx.USER32(00391990,00000000,?,00000000,00000000,00000000), ref: 0030309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003030A9

Strings

0, xrefs: 002C327D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: dca43cb4ffcb00882ad0dff06d581a69e4b73b1e0aae355b16940ee271653498
Instruction ID: 7ef5af11902f4150b02b12ba81a707fba559900687e01b6fb68950ed4cbb3715
Opcode Fuzzy Hash: dca43cb4ffcb00882ad0dff06d581a69e4b73b1e0aae355b16940ee271653498
Instruction Fuzzy Hash: 70712970645316BEEB228F65DC59F9BBF68FF01368F204206F9156A1E0C7B1AD10CB51

Function 002D8BCD Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D8BE8,?,00000000,?,?,?,?,002D8BBA,00000000,?), ref: 002D8FC5

DestroyWindow.USER32(?), ref: 002D8C81
KillTimer.USER32(00000000,?,?,?,?,002D8BBA,00000000,?), ref: 002D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00316973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,002D8BBA,00000000,?), ref: 003169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,002D8BBA,00000000,?), ref: 003169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002D8BBA,00000000), ref: 003169D4
DeleteObject.GDI32(00000000), ref: 003169E6

Strings

Ph, xrefs: 002D8C06

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: Ph
API String ID: 641708696-1955597793
Opcode ID: bf90036fe24936836266fb52ff70b52ccfc6352ced49e71298b47f8376ae169d
Instruction ID: dae1a120334409155aceb61f5cc9617b7f670bcd7f08e7d40d64a77b7757ae06
Opcode Fuzzy Hash: bf90036fe24936836266fb52ff70b52ccfc6352ced49e71298b47f8376ae169d
Instruction Fuzzy Hash: E3619C31122701DFCB2B9F14C949B6A77F5FB44316F14551BE042ABAA0CB72ADA0CF90

Function 0033C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0033C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0033C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0033C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0033C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0033C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0033C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0033C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0033C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0033C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0033C5F0
InternetCloseHandle.WININET(00000000), ref: 0033C5FB

Strings

, xrefs: 0033C575

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4cfa3a66da807e9a7ba7e6e8cbc0ff0fe372663b2d40efbfb66d4b894329958a
Instruction ID: 1daffdce18dc95c8dd4573cb2c23a4e14456b85d63430c6d9af87c9d112bd1f8
Opcode Fuzzy Hash: 4cfa3a66da807e9a7ba7e6e8cbc0ff0fe372663b2d40efbfb66d4b894329958a
Instruction Fuzzy Hash: 08516BB1510308BFEB229F62CD88AAB7BBCFF09745F006419F945A6620DB35E944DB60

Function 002D9838 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002D9944: GetWindowLongW.USER32(?,000000EB), ref: 002D9952

GetSysColor.USER32(0000000F), ref: 002D9862

Strings

Ph, xrefs: 002D987C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ColorLongWindow
String ID: Ph
API String ID: 259745315-1955597793
Opcode ID: 7fb7ee2873b3c31cda1a7b3633a404283d8cf6d5e02907774f76dbed28533ac2
Instruction ID: d06200e186d0168b717b6cdc2924ef1284e800d20a7f11a46275931901102009
Opcode Fuzzy Hash: 7fb7ee2873b3c31cda1a7b3633a404283d8cf6d5e02907774f76dbed28533ac2
Instruction Fuzzy Hash: D741C4311257409FDB215F389C88BF93769AB07735F184606F9A2872F1D7319D91EB10

Function 0035856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00358592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003585F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0035FC38,?), ref: 00358611
GlobalFree.KERNEL32(00000000), ref: 00358621
GetObjectW.GDI32(?,00000018,?), ref: 00358641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00358671
DeleteObject.GDI32(?), ref: 00358699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003586AF

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 64477f28c77c78f00d8de163481621427ec9adda1a4cfc9af36663062976a87e
Instruction ID: 4bc038440435665d9c0cb5a7f23334f3da59dffef3571749330a0ab17d1d4cb0
Opcode Fuzzy Hash: 64477f28c77c78f00d8de163481621427ec9adda1a4cfc9af36663062976a87e
Instruction Fuzzy Hash: 76410975610308AFDB129FA5CC48EAA7BBCEF89716F154458F906E7260DB309E45CB60

Function 003314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00331502
VariantCopy.OLEAUT32(?,?), ref: 0033150B
VariantClear.OLEAUT32(?), ref: 00331517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00331657
VariantInit.OLEAUT32(?), ref: 00331708
SysFreeString.OLEAUT32(?), ref: 0033178C
VariantClear.OLEAUT32(?), ref: 003317D8
VariantClear.OLEAUT32(?), ref: 003317E7
VariantInit.OLEAUT32(00000000), ref: 00331823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00331625
Default, xrefs: 003316AF

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 5c284c5a5a6c6cf9a4657a452028c5078338d123c74de4169bafd6f59d3a19a2
Instruction ID: 43ec294459ddc23cbb4a3fc21bda2c7f1bb9334d19fb95367632f1f77f19c0aa
Opcode Fuzzy Hash: 5c284c5a5a6c6cf9a4657a452028c5078338d123c74de4169bafd6f59d3a19a2
Instruction Fuzzy Hash: 32D13272A00205EFEB129F65D8C5B7DB7B9BF46700F14845AF806AB690DB30EC51DBA1

Function 0034B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Part of subcall function 0034C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034B6AE,?,?), ref: 0034C9B5
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034C9F1
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034CA68
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0034B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0034B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0034B80A
RegCloseKey.ADVAPI32(?), ref: 0034B87E
RegCloseKey.ADVAPI32(?), ref: 0034B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0034B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0034B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0034B922
FreeLibrary.KERNEL32(00000000), ref: 0034B983
RegCloseKey.ADVAPI32(00000000), ref: 0034B994

Strings

RegDeleteKeyExW, xrefs: 0034B8FE
advapi32.dll, xrefs: 0034B8ED

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 57d6badb9845b96f53809c41b6ad623327225677f947ac671d41a5b772d24adf
Instruction ID: c274744bfd72e082a72cf603c3447831ccacafb091bfac4dc4785bf321328c59
Opcode Fuzzy Hash: 57d6badb9845b96f53809c41b6ad623327225677f947ac671d41a5b772d24adf
Instruction Fuzzy Hash: B4C16830218241AFD715DF24C895F2ABBE5AF84318F15859CE49A8F6A2CB31E946CF91

Function 00358D0E Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00358D5A
GetFocus.USER32 ref: 00358D6A
GetDlgCtrlID.USER32(00000000), ref: 00358D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00358E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00358ECF
GetMenuItemCount.USER32(?), ref: 00358EEC
GetMenuItemID.USER32(?,00000000), ref: 00358EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00358F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00358F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00358FA1

Strings

0, xrefs: 00358E9F
Ph, xrefs: 00358E63, 00358E85

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$Ph
API String ID: 1026556194-461424624
Opcode ID: b8cd9a01dbfe61862cd60f305739a18c34d2fbc2c12cbf24cbbbdfe5512a36b0
Instruction ID: 17b0712bece90c18f533cdb42904fe46738e287599d4bb609892abfc8a5d8586
Opcode Fuzzy Hash: b8cd9a01dbfe61862cd60f305739a18c34d2fbc2c12cbf24cbbbdfe5512a36b0
Instruction Fuzzy Hash: 40819C715083019FDB12CF24D885EABBBF9FB88355F05091AFD85A72A1DB30D908CBA1

Function 0035541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00355504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00355515
CharNextW.USER32(00000158), ref: 00355544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00355585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0035559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003555AC

Strings

Ph, xrefs: 0035545F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: Ph
API String ID: 1350042424-1955597793
Opcode ID: e4e97613ed7226bd613cad9fa61128b61f1654bd31657b7b6df52a33ec0b4952
Instruction ID: 73e6b7d40376bdaaa255ff053764f877aaa71d8d3ff13cc3f02597ef3f9adac5
Opcode Fuzzy Hash: e4e97613ed7226bd613cad9fa61128b61f1654bd31657b7b6df52a33ec0b4952
Instruction Fuzzy Hash: DC61AE70904609EFDF128F91CC94DFE7BB9EB09326F114145F925AA2B0D774AA88DB60

Function 0034255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003425E8
CreateCompatibleDC.GDI32(?), ref: 003425F4
SelectObject.GDI32(00000000,?), ref: 00342601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0034266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003426D0
SelectObject.GDI32(?,?), ref: 003426D8
DeleteObject.GDI32(?), ref: 003426E1
DeleteDC.GDI32(?), ref: 003426E8
ReleaseDC.USER32(00000000,?), ref: 003426F3

Strings

(, xrefs: 0034268D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5838725757ba3f2fee05c388ff1a8a5bd61d2f57476d869926dcb5142d00c2a9
Instruction ID: ccf87fe6dcc3dcdb3851b201bcf2a83909b2ff2f7aceec2b96d577602ea685d4
Opcode Fuzzy Hash: 5838725757ba3f2fee05c388ff1a8a5bd61d2f57476d869926dcb5142d00c2a9
Instruction Fuzzy Hash: F961E275D00219EFCF05CFA4D884AAEBBF9FF48310F208529E955AB260D774AA51CF54

Function 002FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 002FDAA1

Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD659
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD66B
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD67D
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD68F
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6A1
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6B3
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6C5
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6D7
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6E9
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD6FB
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD70D
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD71F
Part of subcall function 002FD63C: _free.LIBCMT ref: 002FD731

_free.LIBCMT ref: 002FDA96

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002FDAB8
_free.LIBCMT ref: 002FDACD
_free.LIBCMT ref: 002FDAD8
_free.LIBCMT ref: 002FDAFA
_free.LIBCMT ref: 002FDB0D
_free.LIBCMT ref: 002FDB1B
_free.LIBCMT ref: 002FDB26
_free.LIBCMT ref: 002FDB5E
_free.LIBCMT ref: 002FDB65
_free.LIBCMT ref: 002FDB82
_free.LIBCMT ref: 002FDB9A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0786772b4bb4acdc37b9a8a8c8a66561d247f06c28e203b6371dce2e33271391
Instruction ID: c2c5ad550a52f97feb1fbd7db8085c734911e7526159772593b0089b80ec86b6
Opcode Fuzzy Hash: 0786772b4bb4acdc37b9a8a8c8a66561d247f06c28e203b6371dce2e33271391
Instruction Fuzzy Hash: D7316E3156430ADFDB21AE34E845B7AF7EAFF01390F205539E249D7191DE71AC648B24

Function 0032365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0032369C
_wcslen.LIBCMT ref: 003236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00323797
GetClassNameW.USER32(?,?,00000400), ref: 0032380C
GetDlgCtrlID.USER32(?), ref: 0032385D
GetWindowRect.USER32(?,?), ref: 00323882
GetParent.USER32(?), ref: 003238A0
ScreenToClient.USER32(00000000), ref: 003238A7
GetClassNameW.USER32(?,?,00000100), ref: 00323921
GetWindowTextW.USER32(?,?,00000400), ref: 0032395D

Strings

%s%u, xrefs: 00323734

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: e44f2c99e99681822c0f79bd915de319655e6a24454d56a0cdb54fb02fceecc7
Instruction ID: 68263faaacc93959bf3e9336976c6ae79958fe045dc37d058c607fc709b80189
Opcode Fuzzy Hash: e44f2c99e99681822c0f79bd915de319655e6a24454d56a0cdb54fb02fceecc7
Instruction Fuzzy Hash: 8391E171200326AFD71ADF24D884FAAF7E8FF44304F008629F999D6190DB34EA59CB91

Function 00324954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00324994
GetWindowTextW.USER32(?,?,00000400), ref: 003249DA
_wcslen.LIBCMT ref: 003249EB
CharUpperBuffW.USER32(?,00000000), ref: 003249F7
_wcsstr.LIBVCRUNTIME ref: 00324A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00324A64
GetWindowTextW.USER32(?,?,00000400), ref: 00324A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00324AE6
GetClassNameW.USER32(?,?,00000400), ref: 00324B20
GetWindowRect.USER32(?,?), ref: 00324B8B

Strings

ThumbnailClass, xrefs: 00324A6F, 00324AF1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: bf918492fbca1a273a2c2e0054004cb13dda79c7b4e6d938110301c987a36d72
Instruction ID: e08cbed5b0d3d13ff62cc2b4a1af5801c5a7771dc4dbec71caff00dd1e3c3069
Opcode Fuzzy Hash: bf918492fbca1a273a2c2e0054004cb13dda79c7b4e6d938110301c987a36d72
Instruction Fuzzy Hash: 6591F2311083259FDB06DF14E985FAA77E8FF84314F04846AFD859A196EB30EE45CBA1

Function 00353A23 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00353A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00353AA0
GetWindowLongW.USER32(?,000000F0), ref: 00353AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00353AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00353B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00353BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00353BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00353BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00353BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00353C13

Strings

Ph, xrefs: 00353A67, 00353A76, 00353AAC, 00353B01, 00353C2A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID: Ph
API String ID: 312131281-1955597793
Opcode ID: 3bf08deee0499e7d0bb4aaaefc8b84ad8dc61e1bc4108bed112f7fccf7c2ef1c
Instruction ID: e9b4027ebe9a886833343368824529c6aa1982c398c5606a7c7157142d6fc2c0
Opcode Fuzzy Hash: 3bf08deee0499e7d0bb4aaaefc8b84ad8dc61e1bc4108bed112f7fccf7c2ef1c
Instruction Fuzzy Hash: 84616D75900248AFDB12DFA8CC81EEE77F8EB09744F10419AFA15E72A1D770AE45DB50

Function 0034CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0034CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0034CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0034CD48

Part of subcall function 0034CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0034CCAA
Part of subcall function 0034CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0034CCBD
Part of subcall function 0034CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0034CCCF
Part of subcall function 0034CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0034CD05
Part of subcall function 0034CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0034CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0034CCF3

Strings

RegDeleteKeyExW, xrefs: 0034CCC9
advapi32.dll, xrefs: 0034CCB8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: e9084a928dce9ebc54bc3d8b9202c722baeb9c8cc14bf92d7fc419367d8e39ad
Instruction ID: fffe29bbb0313568d27baf1e4fbec24e16297a317324fb04fec2bc9cb76265b3
Opcode Fuzzy Hash: e9084a928dce9ebc54bc3d8b9202c722baeb9c8cc14bf92d7fc419367d8e39ad
Instruction Fuzzy Hash: 4D31A071912228BFD7228B50DC88EFFBBBCEF02754F001065E906E7150DA30AE45DAA0

Function 0032E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0032E6B4

Part of subcall function 002DE551: timeGetTime.WINMM(?,?,0032E6D4), ref: 002DE555

Sleep.KERNEL32(0000000A), ref: 0032E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0032E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0032E727
SetActiveWindow.USER32 ref: 0032E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0032E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0032E773
Sleep.KERNEL32(000000FA), ref: 0032E77E
IsWindow.USER32 ref: 0032E78A
EndDialog.USER32(00000000), ref: 0032E79B

Strings

BUTTON, xrefs: 0032E719

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: bacd8c668d28b507fce09e57eaffda7456586cf5e706e23ae2a1f39713de8580
Instruction ID: cf6e87940be82b7079ee3069aea654f2923bf57c8b398f9b47780da8549aea87
Opcode Fuzzy Hash: bacd8c668d28b507fce09e57eaffda7456586cf5e706e23ae2a1f39713de8580
Instruction Fuzzy Hash: CA21A170214711BFEB035F64FCCAA273B6DF75534EF142426F842816B2DBB2AC008A24

Function 0032E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0032EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0032EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0032EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0032EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0032EAA7

Strings

status PlayMe mode, xrefs: 0032EA58
play PlayMe wait, xrefs: 0032EA91
play PlayMe, xrefs: 0032EAA2
alias PlayMe, xrefs: 0032EA36
open , xrefs: 0032EA0C
close PlayMe, xrefs: 0032EA6E, 0032EA9B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 916f848cd48cb2db8ec642c4aabf3c07c606183aa37ca30a5f7ef65dc90026ef
Instruction ID: cc9a43c9e8ffdb46bf928696c425b02dfffcfd9866654278c0a9370ae54574bc
Opcode Fuzzy Hash: 916f848cd48cb2db8ec642c4aabf3c07c606183aa37ca30a5f7ef65dc90026ef
Instruction Fuzzy Hash: AF112131A6036979D721B7A1EC5BEFF6A7CEBD1B00F400569F411A20D1EB705A55CAB0

Function 003550D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00355186
ShowWindow.USER32(?,00000000), ref: 003551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 003551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 003551D1

Part of subcall function 00356FBA: DeleteObject.GDI32(00000000), ref: 00356FE6

GetWindowLongW.USER32(?,000000F0), ref: 0035520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0035521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0035524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00355287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00355296

Strings

Ph, xrefs: 00355104

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: Ph
API String ID: 3210457359-1955597793
Opcode ID: 30287c9c7316fc9374e9b4b741330ff5984d999798366c7a7f9ede3774ee7f32
Instruction ID: c1d8830af9e375ec5d9b65296b88496b893b43f610cc1ef22d652e6b17c18cfb
Opcode Fuzzy Hash: 30287c9c7316fc9374e9b4b741330ff5984d999798366c7a7f9ede3774ee7f32
Instruction Fuzzy Hash: C851B230A50A08BEEF229F24CC55F987BB9EB05326F144412FD159A6F0C775BA98DF41

Function 00358B02 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

Part of subcall function 002D912D: GetCursorPos.USER32(?), ref: 002D9141
Part of subcall function 002D912D: ScreenToClient.USER32(00000000,?), ref: 002D915E
Part of subcall function 002D912D: GetAsyncKeyState.USER32(00000001), ref: 002D9183
Part of subcall function 002D912D: GetAsyncKeyState.USER32(00000002), ref: 002D919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00358B6B
ImageList_EndDrag.COMCTL32 ref: 00358B71
ReleaseCapture.USER32 ref: 00358B77
SetWindowTextW.USER32(?,00000000), ref: 00358C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00358C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00358CFF

Strings

p#9, xrefs: 00358C71
@GUI_DRAGFILE, xrefs: 00358C9A
@GUI_DROPID, xrefs: 00358C51
Ph, xrefs: 00358BB4, 00358BEE

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$Ph$p#9
API String ID: 1924731296-3112968779
Opcode ID: 5f231731dc0a7dbb5f4a5475bba7ca189579fd795e10f26afcb34cafcc29d21d
Instruction ID: c1ca9ac1f203d5e89ca239714b94b67eafbdea24fcf54b772dd747e4d45b32ec
Opcode Fuzzy Hash: 5f231731dc0a7dbb5f4a5475bba7ca189579fd795e10f26afcb34cafcc29d21d
Instruction Fuzzy Hash: 6351AD70114304AFD706EF24CC5AFAA77E8FB88715F000A2EF956672E1CB719958CB62

Function 003296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0030F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00329717
LoadStringW.USER32(00000000,?,0030F7F8,00000001), ref: 00329720

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0030F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00329742
LoadStringW.USER32(00000000,?,0030F7F8,00000001), ref: 00329745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00329866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0032984A
Error: , xrefs: 0032981D
^ ERROR, xrefs: 003297FB
Line %d:, xrefs: 003297A0
Line %d (File "%s"):, xrefs: 0032978F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 52fbbf4750b64d59af19ef1f2b742cab8a14cd568250477a96964d55388b6d28
Instruction ID: 63dd962eb63971195ee72f85ca273c1458562d136d3155ee9501420de4ffd8f2
Opcode Fuzzy Hash: 52fbbf4750b64d59af19ef1f2b742cab8a14cd568250477a96964d55388b6d28
Instruction Fuzzy Hash: 52413C72910219AADB05FBE0DD86EEE7378AF14344F10466AF60573092EB356F58CF61

Function 003206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00320804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0032082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00320837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0032083C

Strings

\CLSID, xrefs: 00320724
SOFTWARE\Classes\, xrefs: 0032070E
\IPC$, xrefs: 00320784

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: a5d4047647b10a1c1248f443cf68b2b90d9d89ecfa698a5bb9b852101b225d2b
Instruction ID: 8649c9357ec1cbd9d80e89c26e2360d689ab314cdd351438a03f9823f1e74498
Opcode Fuzzy Hash: a5d4047647b10a1c1248f443cf68b2b90d9d89ecfa698a5bb9b852101b225d2b
Instruction Fuzzy Hash: EB410972C20629ABDF16EBA4DC85DEEB778FF04354F054269E905A31A1EB309E54CF90

Function 00337A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00337AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00337B8F
SHGetDesktopFolder.SHELL32(?), ref: 00337BA3
CoCreateInstance.OLE32(0035FD08,00000000,00000001,00386E6C,?), ref: 00337BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00337C74
CoTaskMemFree.OLE32(?,?), ref: 00337CCC
SHBrowseForFolderW.SHELL32(?), ref: 00337D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00337D7A
CoTaskMemFree.OLE32(00000000), ref: 00337D81
CoTaskMemFree.OLE32(00000000), ref: 00337DD6
CoUninitialize.OLE32 ref: 00337DDC

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 20adb1bab9735bb2338bf3338f6c9ba164b35679336f2f33eafcccba1370d394
Instruction ID: 0f7f9d7177a86128659bae40e379f7f3a596c03ee71ea9f6a939d4f473c38d86
Opcode Fuzzy Hash: 20adb1bab9735bb2338bf3338f6c9ba164b35679336f2f33eafcccba1370d394
Instruction Fuzzy Hash: F4C10975A14209AFCB15DF64C888DAEBBF9FF48304F148599E81A9B261D730EE45CF90

Function 0031FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0031FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0031FB08
VariantInit.OLEAUT32(?), ref: 0031FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0031FB3A
VariantCopy.OLEAUT32(?,?), ref: 0031FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0031FBA1
VariantClear.OLEAUT32(?), ref: 0031FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0031FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0031FBCC
VariantClear.OLEAUT32(?), ref: 0031FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0031FBE9

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 47b5e214e143990bd9df0f54ae7b5177ee547bc36518ad3d85bc8d6f85f87e39
Instruction ID: 80ebe042e4e3e962d9f7c187c56749fc83b55e85b3aa705cf2176557b879da3f
Opcode Fuzzy Hash: 47b5e214e143990bd9df0f54ae7b5177ee547bc36518ad3d85bc8d6f85f87e39
Instruction Fuzzy Hash: EC416075A103199FCB06DF65C854DEEBBB9FF48349F008069E945A7261CB30A986CFA0

Function 0034055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003405BC
inet_addr.WSOCK32(?), ref: 0034061C
gethostbyname.WSOCK32(?), ref: 00340628
IcmpCreateFile.IPHLPAPI ref: 00340636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003407B9
WSACleanup.WSOCK32 ref: 003407BF

Strings

Ping, xrefs: 00340676

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0b2648cec1e36a99b446038e2ca03336d0da9767b19223453046a4059d246a03
Instruction ID: a5df90d5ad99026fc1ac45936f02a2850d1f03630ed14a132414b6eef397b874
Opcode Fuzzy Hash: 0b2648cec1e36a99b446038e2ca03336d0da9767b19223453046a4059d246a03
Instruction Fuzzy Hash: 3D915A356082019FD326DF15C489F1ABBE4EF44318F1585A9E56A8FAA2C730FD45CF92

Function 00348CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00348CF3

Part of subcall function 00328E54: _wcslen.LIBCMT ref: 00328E77

_wcslen.LIBCMT ref: 00348D4E
_wcslen.LIBCMT ref: 00348D9C
_wcslen.LIBCMT ref: 00348DDC
_wcslen.LIBCMT ref: 00348E6E

Strings

stdcall, xrefs: 00348DD6, 00348DDB
winapi, xrefs: 00348D96, 00348D9B
none, xrefs: 00348E65, 00348E6A
cdecl, xrefs: 00348D48, 00348D4D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a8fc99d786345a014dee20b030277b389bdae64560ff1c347663aaf5de6d3206
Instruction ID: 217f8c2b51b01deaf464690f0d9448b2dc14fdb876506f1089935216accbef94
Opcode Fuzzy Hash: a8fc99d786345a014dee20b030277b389bdae64560ff1c347663aaf5de6d3206
Instruction Fuzzy Hash: F451B231A011169BCB16EF6CC9409BEB7E5BF65324B214229E426EB2C4DB30ED80CBD0

Function 0034372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00343774
CoUninitialize.OLE32 ref: 0034377F
CoCreateInstance.OLE32(?,00000000,00000017,0035FB78,?), ref: 003437D9
IIDFromString.OLE32(?,?), ref: 0034384C
VariantInit.OLEAUT32(?), ref: 003438E4
VariantClear.OLEAUT32(?), ref: 00343936

Strings

Failed to create object, xrefs: 003437E4, 0034389A
NULL Pointer assignment, xrefs: 0034381E
Invalid parameter, xrefs: 00343865

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e910bfe1914288623a3027223b18fa3591832ed21d988b548121f99dc1de10c4
Instruction ID: 913d20b0d474453ca4e2a579a4d31f311860dd347bf78e733b5f3e1cec547914
Opcode Fuzzy Hash: e910bfe1914288623a3027223b18fa3591832ed21d988b548121f99dc1de10c4
Instruction Fuzzy Hash: 53619DB1608311AFD312DF54C889F6ABBE8EF49715F100919F9959B2A1C770FE48CB92

Function 00333388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003333CF

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003333F0

Strings

Error: , xrefs: 003334D1
^ ERROR , xrefs: 0033349E
Incorrect parameters to object property !, xrefs: 003334AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00333504
"%s" (%d) : ==> %s:, xrefs: 00333522
Line %d (File "%s"):, xrefs: 00333443, 0033345C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d9d0c13a48050790c7a3dc5f11122f2b908e11349c090717179a0c586a028f69
Instruction ID: f205eadf6163205d5cb0332746a4de6cedeec3999c16c16a388f7821f280bd06
Opcode Fuzzy Hash: d9d0c13a48050790c7a3dc5f11122f2b908e11349c090717179a0c586a028f69
Instruction Fuzzy Hash: DC519471910609AADF16EBA0DD86FEEB778AF04344F10826AF50573052DB356FA8CF61

Function 0032B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0032B5FC
_wcslen.LIBCMT ref: 0032B608
_wcslen.LIBCMT ref: 0032B64D
_wcslen.LIBCMT ref: 0032B68C
_wcslen.LIBCMT ref: 0032B6C7

Strings

EXISTS, xrefs: 0032B686, 0032B68B
REMOVE, xrefs: 0032B602, 0032B607
APPEND, xrefs: 0032B6C1, 0032B6C6
KEYS, xrefs: 0032B647, 0032B64C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 8c8776dabd4881d3ca048dee69a712098a93809f704e35b7eb24ce0a0bedf272
Instruction ID: e3d62b24b257ce801eee4010c32a1f444379cb35e704821fcdf3ade9280feca7
Opcode Fuzzy Hash: 8c8776dabd4881d3ca048dee69a712098a93809f704e35b7eb24ce0a0bedf272
Instruction Fuzzy Hash: 7741C632A001379BCB216F7DD8915BEF7A5BFA0B54B264229E462DB284E731CD81C790

Function 00335393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00335416
GetLastError.KERNEL32 ref: 00335420
SetErrorMode.KERNEL32(00000000,READY), ref: 003354A7

Strings

NOTREADY, xrefs: 0033544B
READONLY, xrefs: 00335452
READY, xrefs: 00335460, 00335468
INVALID, xrefs: 00335459
UNKNOWN, xrefs: 00335444

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d16c76d479d6df187b71090a10795005177c63fd4c99dfdd021d3341625dfc7c
Instruction ID: 8b59a7f2904b518d2372ec633fcc8151ecc65eb852bb116868230d1a61d45392
Opcode Fuzzy Hash: d16c76d479d6df187b71090a10795005177c63fd4c99dfdd021d3341625dfc7c
Instruction Fuzzy Hash: 3D31A335A006049FC716DF69C8C5FAABBB8EF45305F158069E805CB2A2DB71DD86CB90

Function 0032B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0032B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B165
GetWindowThreadProcessId.USER32(00000000), ref: 0032B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0032B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0032A1E1,?,00000001), ref: 0032B21D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d759c4c4b0ae964489dd7d8b3e2aa5322d2c83f950343ab1e0c919e736d7d2c2
Instruction ID: 7dc0d7cbd4565598937e1638ec87fe845e32ab59d4a2d0fdb516fc5f0cdd1dad
Opcode Fuzzy Hash: d759c4c4b0ae964489dd7d8b3e2aa5322d2c83f950343ab1e0c919e736d7d2c2
Instruction Fuzzy Hash: B331A9B1520314EFDB139F24EC48BAEBBADBB50716F154406FA02D62A0D7B4AA40CF60

Function 002F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002F2C94

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002F2CA0
_free.LIBCMT ref: 002F2CAB
_free.LIBCMT ref: 002F2CB6
_free.LIBCMT ref: 002F2CC1
_free.LIBCMT ref: 002F2CCC
_free.LIBCMT ref: 002F2CD7
_free.LIBCMT ref: 002F2CE2
_free.LIBCMT ref: 002F2CED
_free.LIBCMT ref: 002F2CFB

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9b200dedb727c94627e69cdce92f6305611eb4b83d441aa1274978e459f3faae
Instruction ID: 55a7e2871fd2bf2f27bb1767b240f940ed5c4a63dde410e9fd2de7de8131b9a9
Opcode Fuzzy Hash: 9b200dedb727c94627e69cdce92f6305611eb4b83d441aa1274978e459f3faae
Instruction Fuzzy Hash: A511C67616010DEFCB02EF54D842CEDBBA5FF06390F5154A1FA485B222D671EA649F90

Function 002C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002C1459
OleUninitialize.OLE32(?,00000000), ref: 002C14F8
UnregisterHotKey.USER32(?), ref: 002C16DD
DestroyWindow.USER32(?), ref: 003024B9
FreeLibrary.KERNEL32(?), ref: 0030251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0030254B

Strings

close all, xrefs: 002C1454

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c6676a425c1a06bc4fec1aa49854e337a2f8aaaceba9922254991bee1d23c885
Instruction ID: 80158d4c48c6755d9bbf003806c06bcca357be906e89290d4724fa0a562e6695
Opcode Fuzzy Hash: c6676a425c1a06bc4fec1aa49854e337a2f8aaaceba9922254991bee1d23c885
Instruction Fuzzy Hash: 4BD150317222128FCB1ADF15C8A9F29F7A4BF06700F15429DE44A6B2A2DB319D36CF54

Function 002C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 002C5C7A

Part of subcall function 002C5D0A: GetClientRect.USER32(?,?), ref: 002C5D30
Part of subcall function 002C5D0A: GetWindowRect.USER32(?,?), ref: 002C5D71
Part of subcall function 002C5D0A: ScreenToClient.USER32(?,?), ref: 002C5D99

GetDC.USER32 ref: 003046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00304708
SelectObject.GDI32(00000000,00000000), ref: 00304716
SelectObject.GDI32(00000000,00000000), ref: 0030472B
ReleaseDC.USER32(?,00000000), ref: 00304733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003047C4

Strings

U, xrefs: 00304693

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5b6ef8344106825a207806d3eec5dbc03acb28764468111316ef389e36bd7ae6
Instruction ID: 4758d1e5e2f493a0d004e17fa3a052812be7186e08b44dc77f9010221ff779c7
Opcode Fuzzy Hash: 5b6ef8344106825a207806d3eec5dbc03acb28764468111316ef389e36bd7ae6
Instruction Fuzzy Hash: FC71FF70401209DFCF238F64C994EBA3BB5FF4A314F14426AEE655A2A6D331DA91DF50

Function 0033359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003335E4

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

LoadStringW.USER32(00392390,?,00000FFF,?), ref: 0033360A

Strings

Error: , xrefs: 003336EF
^ ERROR, xrefs: 003336C9
"%s" (%d) : ==> %s:, xrefs: 00333742
"%s" (%d) : ==> %s:%s%s, xrefs: 00333724
Line %d (File "%s"):, xrefs: 0033366B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c770865e4e469ebd858f35b469cae82c20a43a5e13b34efc409568d561eae401
Instruction ID: 197760899346628ca10a3c69d58947b21aa80267debbae61e3a780124ce59ac8
Opcode Fuzzy Hash: c770865e4e469ebd858f35b469cae82c20a43a5e13b34efc409568d561eae401
Instruction Fuzzy Hash: 7451607191025ABADF16EBA0DC86FEDBB78AF04340F144269F505721A1DB311BA9DFA0

Function 00352DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00352E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00352E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00352E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00352EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00352EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00352EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00352F0B

Strings

Ph, xrefs: 00352E00, 00352E34, 00352E69, 00352EA1, 00352EC5, 00352EFD

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: Ph
API String ID: 2178440468-1955597793
Opcode ID: ed7e3ce7410a1e8f7ef2d139062af68a3a96b2f08147e89f17ec994bae21304f
Instruction ID: 6a558429ad4804a1c7e7e9d8e06ddd9070702da91d0a83984b03794d7f213a3e
Opcode Fuzzy Hash: ed7e3ce7410a1e8f7ef2d139062af68a3a96b2f08147e89f17ec994bae21304f
Instruction Fuzzy Hash: 95311330604241AFDB23CF58EC86F6677E8EB8A712F1A1165F9009F2B1CB71A844DB80

Function 0033C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0033C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0033C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0033C2CA
GetLastError.KERNEL32 ref: 0033C322
SetEvent.KERNEL32(?), ref: 0033C336
InternetCloseHandle.WININET(00000000), ref: 0033C341

Strings

, xrefs: 0033C2BB

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 05c2c539a1984546a1d9ad8f6239ff44dea2e982ed5d169058bed9f78a29ed42
Instruction ID: 67013e8d075428aacc5e998ad10525f5bf1c5dbd685c9a5aee54bca49701bfa8
Opcode Fuzzy Hash: 05c2c539a1984546a1d9ad8f6239ff44dea2e982ed5d169058bed9f78a29ed42
Instruction Fuzzy Hash: 2F31ABB5620308AFDB229F648CC8AAB7BFCEB09754F04951EF446E6210DB38DD048B60

Function 0032989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00303AAF,?,?,Bad directive syntax error,0035CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003298BC
LoadStringW.USER32(00000000,?,00303AAF,?), ref: 003298C3

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00329987

Strings

Error: , xrefs: 00329955
%s (%d) : ==> %s.: %s %s, xrefs: 003298F1
., xrefs: 0032996D
Line %d:, xrefs: 00329912
Line %d (File "%s"):, xrefs: 0032992D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: faef6e88661446b7512876b3462e1e40e0291ebb8507996515e1928bd31710a3
Instruction ID: 5a661827297e9a81d96fa3f764e00756b6d7889bc3edf42fbe7a6be0306d8e97
Opcode Fuzzy Hash: faef6e88661446b7512876b3462e1e40e0291ebb8507996515e1928bd31710a3
Instruction Fuzzy Hash: A2217C3191031AABCF12EF90DC0AFEE7739BF18304F04456AF515660A2EB719AA8CF50

Function 0032209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0032214D

Strings

SHELLDLL_DefView, xrefs: 003220CC
smallicons, xrefs: 00322115
largeicons, xrefs: 003220E1
list, xrefs: 0032212F
details, xrefs: 003220FB

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: ffea7e7960ed669371f76030e79f238f790589a063d6961f743fee9295b33955
Instruction ID: 7ede5e6b7f00bd69cbb46c34baadfc1204969dd27c762914565161bffd63d1a3
Opcode Fuzzy Hash: ffea7e7960ed669371f76030e79f238f790589a063d6961f743fee9295b33955
Instruction Fuzzy Hash: 3311367A6D8326B9FA033620EC06CE7379CDF14324F200066FB04A41E1FE6178215A18

Function 002FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 002FCEB7
_free.LIBCMT ref: 002FCF22
_free.LIBCMT ref: 002FCF48
_free.LIBCMT ref: 002FCF71
_free.LIBCMT ref: 002FCFA9
_free.LIBCMT ref: 002FCFDA
_free.LIBCMT ref: 002FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 002FD09C
_free.LIBCMT ref: 002FD0B5

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 19bf8249bd885988fbdfb37de7eff11aa71061f112fd3e3884d54bb37b419e04
Instruction ID: 73a2db472aad38368f03994ed7853d1f389b00e758b5be5899114ee2e3a0a355
Opcode Fuzzy Hash: 19bf8249bd885988fbdfb37de7eff11aa71061f112fd3e3884d54bb37b419e04
Instruction Fuzzy Hash: 35614C7192430EAFDB25AFB49981A79FB99DF013D0F24027FFB4597281D6329D208B90

Function 002D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00316890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00316901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0031691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0031692D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7d9b0e6500fd7cd17e6639de4f1ded97772e44a5c96b02c505a76622a870387e
Instruction ID: a798a5d40205c7bf7d93bcb988341583d5051b4b74c931a94eb6b865d5557669
Opcode Fuzzy Hash: 7d9b0e6500fd7cd17e6639de4f1ded97772e44a5c96b02c505a76622a870387e
Instruction Fuzzy Hash: 3751AB70620305AFDB25CF64CC92FAA7BB9EB48314F10451AF912D72A0DB70EDA0DB40

Function 0033C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0033C182
GetLastError.KERNEL32 ref: 0033C195
SetEvent.KERNEL32(?), ref: 0033C1A9

Part of subcall function 0033C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0033C272
Part of subcall function 0033C253: GetLastError.KERNEL32 ref: 0033C322
Part of subcall function 0033C253: SetEvent.KERNEL32(?), ref: 0033C336
Part of subcall function 0033C253: InternetCloseHandle.WININET(00000000), ref: 0033C341

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 9e43cfccd1c75adb3fa91047cb756d02b92ed3860bbc4480ca02becba9161487
Instruction ID: 53b748a4c8cf04bbc809f6fa52a52af0c35f8ff4fd1f9889e461f491834a3126
Opcode Fuzzy Hash: 9e43cfccd1c75adb3fa91047cb756d02b92ed3860bbc4480ca02becba9161487
Instruction Fuzzy Hash: 64318B71620705AFDB229FA59C84A67BBECFF18305F05681DF956E6620D730E810EB60

Function 003225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00323A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00323A57
Part of subcall function 00323A3D: GetCurrentThreadId.KERNEL32 ref: 00323A5E
Part of subcall function 00323A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003225B3), ref: 00323A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00322601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00322605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0032260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00322623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00322627

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 180bb3b8a885eb74319c42748fb54e1eede1ad3d7d19aae43638d4d4171130af
Instruction ID: eb57d17dd575ebda7872d945dc76826dca1626869758c1e32708b4de73a44dd8
Opcode Fuzzy Hash: 180bb3b8a885eb74319c42748fb54e1eede1ad3d7d19aae43638d4d4171130af
Instruction Fuzzy Hash: DE01D831390720BBFB1167689C8AF597F9DDB4EB16F101011F354AE1E1C9E115448A6A

Function 00321803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00321449,?,?,00000000), ref: 0032180C
HeapAlloc.KERNEL32(00000000,?,00321449,?,?,00000000), ref: 00321813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00321449,?,?,00000000), ref: 00321828
GetCurrentProcess.KERNEL32(?,00000000,?,00321449,?,?,00000000), ref: 00321830
DuplicateHandle.KERNEL32(00000000,?,00321449,?,?,00000000), ref: 00321833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00321449,?,?,00000000), ref: 00321843
GetCurrentProcess.KERNEL32(00321449,00000000,?,00321449,?,?,00000000), ref: 0032184B
DuplicateHandle.KERNEL32(00000000,?,00321449,?,?,00000000), ref: 0032184E
CreateThread.KERNEL32(00000000,00000000,00321874,00000000,00000000,00000000), ref: 00321868

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 7cc6429528fbdaee190461d375135cbe871bce727b2e36edc7c195fe0b673260
Instruction ID: 8e1098ebd3110647a71eab9125ec94b3b38773666ac552f34d29b597ec4b9932
Opcode Fuzzy Hash: 7cc6429528fbdaee190461d375135cbe871bce727b2e36edc7c195fe0b673260
Instruction Fuzzy Hash: 7401CDB5650708BFE711AFB5DC4DF6B3BACEB89B15F005411FA05DB1A1CA749940CB60

Function 0032C5D0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C7620: _wcslen.LIBCMT ref: 002C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0032C6EE
_wcslen.LIBCMT ref: 0032C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0032C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0032C7CA

Strings

Hf, xrefs: 0032C64B
Hf, xrefs: 0032C652
0, xrefs: 0032C6AF

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0$Hf$Hf
API String ID: 1227352736-2524149066
Opcode ID: 5e83f9bf998f42399ccc5723aa88b7fab8772f52d11aa853c73f9ee63005ea35
Instruction ID: ab2c720206706b462535a902771fabac394b30d2c0721aca8df2867d3863f0d0
Opcode Fuzzy Hash: 5e83f9bf998f42399ccc5723aa88b7fab8772f52d11aa853c73f9ee63005ea35
Instruction Fuzzy Hash: 1351DE716243219FD7169F28E884B6EB7E8AF49314F042A2DF995E31A0DB70DD04CF92

Function 0034A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0032D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0032D501
Part of subcall function 0032D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0032D50F
Part of subcall function 0032D4DC: CloseHandle.KERNEL32(00000000), ref: 0032D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034A16D
GetLastError.KERNEL32 ref: 0034A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0034A268
GetLastError.KERNEL32(00000000), ref: 0034A273
CloseHandle.KERNEL32(00000000), ref: 0034A2C4

Strings

SeDebugPrivilege, xrefs: 0034A18F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c164d0558320ad1ff66c2477503c3f84fe219d1b2b9b1a54d2690022b3f12f6a
Instruction ID: ddd271aabf5d4652256e11ee0d295eb9c7cb7f60a5562658546c42338f2d29d9
Opcode Fuzzy Hash: c164d0558320ad1ff66c2477503c3f84fe219d1b2b9b1a54d2690022b3f12f6a
Instruction Fuzzy Hash: 7C618B302586429FD721DF14C494F1ABBE5AF44318F19848CE4668FBA3C7B6ED45CB92

Function 00353886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00353925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0035393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00353954
_wcslen.LIBCMT ref: 00353999
SendMessageW.USER32(?,00001057,00000000,?), ref: 003539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003539F4

Strings

SysListView32, xrefs: 003538F7

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: f2753ac23ae685597a456cf294db23520a77b2a792e353d1477676fbb47e18c5
Instruction ID: d8b2630e1ddf65a7e158fe74e0c2f419ddb93a788e43c97c0f3498cfe56ba5b8
Opcode Fuzzy Hash: f2753ac23ae685597a456cf294db23520a77b2a792e353d1477676fbb47e18c5
Instruction Fuzzy Hash: 5841E671A00309ABEF229F64CC45FEA77A9EF08395F110526F954E7291D771DE88CB90

Function 002E2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 002E2D53
_ValidateLocalCookies.LIBCMT ref: 002E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 002E2E0C
_ValidateLocalCookies.LIBCMT ref: 002E2E61

Strings

&H., xrefs: 002E2DFE, 002E2E07, 002E2E18
csm, xrefs: 002E2DF6

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H.$csm
API String ID: 1170836740-2665543163
Opcode ID: 020b1cfdeef490f9aeb7f10ae98d971cf64f64b41930ec7ff33296bd89bb0e4e
Instruction ID: e97c541d05e24f6d28f59afde37c4d17e84f324c1b98492c8ff76e5850ed37b0
Opcode Fuzzy Hash: 020b1cfdeef490f9aeb7f10ae98d971cf64f64b41930ec7ff33296bd89bb0e4e
Instruction Fuzzy Hash: 6B412630E60249DBCF10DF2ACC45A9EBBB8BF40314F548055E9166B392C771EA29CF90

Function 003581DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0031F3AB,00000000,?,?,00000000,?,0031682C,00000004,00000000,00000000), ref: 0035824C
EnableWindow.USER32(00000000,00000000), ref: 00358272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003582D1
ShowWindow.USER32(00000000,00000004), ref: 003582E5
EnableWindow.USER32(00000000,00000001), ref: 0035830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0035832F

Strings

Ph, xrefs: 00358206, 00358252, 00358299, 003582D7, 003582EB

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: Ph
API String ID: 642888154-1955597793
Opcode ID: 0450f7801eb9d3ac8683170fa0b84e9bddf43da020fd483508993e99a33adb90
Instruction ID: 91fdb4c547bc7ae2938056ca93aec9568fe1b464dd30f3bea27e8fa3b2080555
Opcode Fuzzy Hash: 0450f7801eb9d3ac8683170fa0b84e9bddf43da020fd483508993e99a33adb90
Instruction Fuzzy Hash: 2A41A434601745AFDB13CF15C895FA47BF4BB09716F195169E908AB272CB32A849CB90

Function 0032C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0032C913

Strings

stop, xrefs: 0032C8E4
warning, xrefs: 0032C8FC
info, xrefs: 0032C8B4
question, xrefs: 0032C8CC
blank, xrefs: 0032C895

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 4472456088ced5e9b7e3cc9563389cd4664ccdd5d7009405a4e92b8e1afa0da8
Instruction ID: a6c205e599deab431ab9447ff8625f8ecf37fc860d596ad77beff4562851ebd9
Opcode Fuzzy Hash: 4472456088ced5e9b7e3cc9563389cd4664ccdd5d7009405a4e92b8e1afa0da8
Instruction Fuzzy Hash: 35113D316A9316BEE7036B55BC83CEE279CDF15724B60103AF904A6282D7B05E4057A8

Function 0032ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0032ED2A
_wcslen.LIBCMT ref: 0032ED3B
_wcslen.LIBCMT ref: 0032ED79
_wcslen.LIBCMT ref: 0032EDAF
_wcslen.LIBCMT ref: 0032EDDF
_wcslen.LIBCMT ref: 0032EDEF
_wcslen.LIBCMT ref: 0032EE2B
_wcslen.LIBCMT ref: 0032EE5A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: eabc08875bc094e0afe287c7e755afb5917cb55917fcc4f45cdb54d2056188e8
Instruction ID: 6f22f88945c1b322344affbae7257e0258d09fc93f8e8f5257f4491965129877
Opcode Fuzzy Hash: eabc08875bc094e0afe287c7e755afb5917cb55917fcc4f45cdb54d2056188e8
Instruction Fuzzy Hash: 7941A565C6025875CB12EBF5988A9CF77A8AF45310F904463EA14F3122FB34D265C7E5

Function 002DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0031682C,00000004,00000000,00000000), ref: 002DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0031682C,00000004,00000000,00000000), ref: 0031F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0031682C,00000004,00000000,00000000), ref: 0031F454

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6ed5401d3a63b985d6b6391c056da365c61570843983252e4b8375390bef1fff
Instruction ID: 5b2de08ba1214ac5bb2dc7e1c1dd880d745b58fc64490a0334bed4fdaee8656c
Opcode Fuzzy Hash: 6ed5401d3a63b985d6b6391c056da365c61570843983252e4b8375390bef1fff
Instruction Fuzzy Hash: 68412D309387C1BEC7BA8F298AA87E67B95AB4A314F14443EE04756770D7729CD0CB15

Function 00352D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00352D1B
GetDC.USER32(00000000), ref: 00352D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00352D2E
ReleaseDC.USER32(00000000,00000000), ref: 00352D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00352D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00352D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00355A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00352DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00352DE1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8855192013e81a9e13fc1b57987a46ebfb1b1889e1ed2795694a1296baf1c138
Instruction ID: d709a8cb55956bb70ece8009dc6ded60e60dcf46fe0ba61cc6c85fbebb2346c3
Opcode Fuzzy Hash: 8855192013e81a9e13fc1b57987a46ebfb1b1889e1ed2795694a1296baf1c138
Instruction Fuzzy Hash: CC317F72211314BFEB124F50CC8AFEB7BADEF0A716F044055FE089A2A1C6759C50CBA4

Function 00325622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00325637
_memcmp.LIBVCRUNTIME ref: 00325659
_memcmp.LIBVCRUNTIME ref: 00325671
_memcmp.LIBVCRUNTIME ref: 00325684
_memcmp.LIBVCRUNTIME ref: 0032569E
_memcmp.LIBVCRUNTIME ref: 003256B1
_memcmp.LIBVCRUNTIME ref: 003256C9
_memcmp.LIBVCRUNTIME ref: 003256E4

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: cbd444108bc5b5ccf5ff0f4af88f85ba014c258961178e076f0a50c4cdf66210
Instruction ID: b94bd4f8c0182095c8d21ed26ba0bd6a0fd4eeee2197c957ebd0abd226317b94
Opcode Fuzzy Hash: cbd444108bc5b5ccf5ff0f4af88f85ba014c258961178e076f0a50c4cdf66210
Instruction Fuzzy Hash: EE21DB71B91A697BD2179521AE82FFB335CAF20386F840030FD049AA85F731EF3485A5

Function 00344FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00345007
NULL Pointer assignment, xrefs: 0034502E, 00345383

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 85ad71c45c6506532df864455013b11fcd4cbe56b60fe8484e6f40ac9d5a0332
Instruction ID: 7f5398d630e9215640ce5c103419d93eb5cb41559e395154fe4443849ce8c1bc
Opcode Fuzzy Hash: 85ad71c45c6506532df864455013b11fcd4cbe56b60fe8484e6f40ac9d5a0332
Instruction Fuzzy Hash: 12D18C75E0060AAFDF11CFA8C881BAEB7F5BB48344F158469E915AF282D770ED45CB90

Function 00301522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003015CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00301651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003017FB,?,003017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003016E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003016FB

Part of subcall function 002F3820: RtlAllocateHeap.NTDLL(00000000,?,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6,?,002C1129), ref: 002F3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00301777
__freea.LIBCMT ref: 003017A2
__freea.LIBCMT ref: 003017AE

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b43de31541a788e4d9c22b7e77411c9510b6d960ab3e41a49bd60327d95c8d51
Instruction ID: 6804b2e38a6b145790103c6f66f5b6729c94b93b59537420af942a151c726021
Opcode Fuzzy Hash: b43de31541a788e4d9c22b7e77411c9510b6d960ab3e41a49bd60327d95c8d51
Instruction Fuzzy Hash: D591E671E1220A9EDB228E74CCA1AEEBBB9AF45750F190569E901EB1C0D735DC40CB60

Function 00344523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00344648
VariantInit.OLEAUT32(?), ref: 00344749
VariantClear.OLEAUT32(?), ref: 00344753
VariantClear.OLEAUT32(?), ref: 003447B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 003445D8, 00344706, 003447BE
Incorrect Object type in FOR..IN loop, xrefs: 0034472C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: b373a836dd4a800c49bfdd2cf8009edaaaa981adcee057dd5f59f3ab77209856
Instruction ID: f488f1af3dc6d17536f0397be6085c09ce99fb545a022fb183d6afa9255bbf2a
Opcode Fuzzy Hash: b373a836dd4a800c49bfdd2cf8009edaaaa981adcee057dd5f59f3ab77209856
Instruction Fuzzy Hash: 06918071A00215ABDF22CFA5C884FAEBBF8EF46714F118569F515AF280D770A945CFA0

Function 00331187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0033125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00331284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0033135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00331430

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: febabc69de3dadd9ace768e569f3dd59378dbf5f1ee2af50e69569018ccb8842
Instruction ID: fb94c2914a905cbd3a3afa2b53ff167fc03dc7fcc19d31fbd73f9e741d1893c2
Opcode Fuzzy Hash: febabc69de3dadd9ace768e569f3dd59378dbf5f1ee2af50e69569018ccb8842
Instruction Fuzzy Hash: 4791F175A00308AFDB02DFA5C8C4BBEB7B9FF45325F114429E911EB2A1DB74A941CB90

Function 002D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 473e58fa9e183fef185901a282fb52bbc8e084bf0d4264e37a178fa6c2d70ff0
Instruction ID: 5f1c31d0659094e1b79629062fb4762d71a14bf3d48a965501efc0f797084f29
Opcode Fuzzy Hash: 473e58fa9e183fef185901a282fb52bbc8e084bf0d4264e37a178fa6c2d70ff0
Instruction Fuzzy Hash: E7913571910219AFCB15CFA9C884AEEBBB8FF49320F148456E515B7251D374AE92CBA0

Function 00343947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0034396B
CharUpperBuffW.USER32(?,?), ref: 00343A7A
_wcslen.LIBCMT ref: 00343A8A
VariantClear.OLEAUT32(?), ref: 00343C1F

Part of subcall function 00330CDF: VariantInit.OLEAUT32(00000000), ref: 00330D1F
Part of subcall function 00330CDF: VariantCopy.OLEAUT32(?,?), ref: 00330D28
Part of subcall function 00330CDF: VariantClear.OLEAUT32(?), ref: 00330D34

Strings

AUTOIT.ERROR, xrefs: 00343A80, 00343A85
Incorrect Parameter format, xrefs: 003439A6, 00343BA1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 070c290bd3139236ed54d40be8469bb0dc727fd9ebbc49e1183a2eca62fdf620
Instruction ID: 989a33f19874e3aa5422c96b535d49e62c0ed6139a100d6ab71fe5b6f6557164
Opcode Fuzzy Hash: 070c290bd3139236ed54d40be8469bb0dc727fd9ebbc49e1183a2eca62fdf620
Instruction Fuzzy Hash: 459123756183059FC705EF24C481A6AB7E5FF88314F14896EF88A9B351DB30EE45CB92

Function 00344BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0032000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?,?,0032035E), ref: 0032002B
Part of subcall function 0032000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?), ref: 00320046
Part of subcall function 0032000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?), ref: 00320054
Part of subcall function 0032000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?), ref: 00320064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00344C51
_wcslen.LIBCMT ref: 00344D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00344DCF
CoTaskMemFree.OLE32(?), ref: 00344DDA

Strings

NULL Pointer assignment, xrefs: 00344E23, 00344E52

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: aa2dc8a040180b395032fde64895ff9214a81c54ba47768063dcfc22ce929216
Instruction ID: d90e91be7d512392a6a51561b9651e811d8e8ff7bd69d77307b08cb07f9b3da4
Opcode Fuzzy Hash: aa2dc8a040180b395032fde64895ff9214a81c54ba47768063dcfc22ce929216
Instruction Fuzzy Hash: 3E911671D0021DAFDF15DFA4D891EEEB7B9BF08314F108269E915AB251DB30AA54CF60

Function 003520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00352183
GetMenuItemCount.USER32(00000000), ref: 003521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003521DD
_wcslen.LIBCMT ref: 00352213
GetMenuItemID.USER32(?,?), ref: 0035224D
GetSubMenu.USER32(?,?), ref: 0035225B

Part of subcall function 00323A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00323A57
Part of subcall function 00323A3D: GetCurrentThreadId.KERNEL32 ref: 00323A5E
Part of subcall function 00323A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003225B3), ref: 00323A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003522E3

Part of subcall function 0032E97B: Sleep.KERNEL32 ref: 0032E9F3

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 828ea613804c08e6e188439db5876adcae083cb92dea86cc76fd5a7c3dc1a774
Instruction ID: 21cbb20817465a07632a0e5d1f677891f764beb8d16ecba57abe84f25f025e13
Opcode Fuzzy Hash: 828ea613804c08e6e188439db5876adcae083cb92dea86cc76fd5a7c3dc1a774
Instruction Fuzzy Hash: 7D71AC75A00205AFCB12DFA5C881EAEB7F5EF49311F158859E816EB361DB34EE418F90

Function 0032AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0032AEF9
GetKeyboardState.USER32(?), ref: 0032AF0E
SetKeyboardState.USER32(?), ref: 0032AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0032AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0032AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0032AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0032B020

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cf0be94fb4ba4c5793414e2113fd846227fc3603212ee354796e21dbe8520764
Instruction ID: 2e2254f09df4223f4e0b9b3fb39855c9ac50142d07c1532d58f3c2746ade2c6d
Opcode Fuzzy Hash: cf0be94fb4ba4c5793414e2113fd846227fc3603212ee354796e21dbe8520764
Instruction Fuzzy Hash: 7751D3B0604BE53FFB3742349D45BBABFE95B06304F098489E1E9558D2D398ACC4D751

Function 0032ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0032AD19
GetKeyboardState.USER32(?), ref: 0032AD2E
SetKeyboardState.USER32(?), ref: 0032AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0032ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0032ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0032AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0032AE38

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3fbab320a04d66ef879e837f39e8af6326ae450685cad186f09a835aa8efb78e
Instruction ID: cc9d4a8cb85a91df64e396b7704dff49c40d6fa01bd31532240fc82f5c179de8
Opcode Fuzzy Hash: 3fbab320a04d66ef879e837f39e8af6326ae450685cad186f09a835aa8efb78e
Instruction Fuzzy Hash: CE51E6B1504BE53FFB3383349C55B7ABEA85B45301F098888E1D55A8C2D294EC85E752

Function 002F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00303CD6,?,?,?,?,?,?,?,?,002F5BA3,?,?,00303CD6,?,?), ref: 002F5470
__fassign.LIBCMT ref: 002F54EB
__fassign.LIBCMT ref: 002F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00303CD6,00000005,00000000,00000000), ref: 002F552C
WriteFile.KERNEL32(?,00303CD6,00000000,002F5BA3,00000000,?,?,?,?,?,?,?,?,?,002F5BA3,?), ref: 002F554B
WriteFile.KERNEL32(?,?,00000001,002F5BA3,00000000,?,?,?,?,?,?,?,?,?,002F5BA3,?), ref: 002F5584

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 2a3d035c7c5ec0e491f1bd212a771c4c15aeeefa8e83f1d2d0f3d067336ccd8b
Instruction ID: 522ac49577addd175e6486b5eef2b236ab1d04c12cced0792d9fda01647771fe
Opcode Fuzzy Hash: 2a3d035c7c5ec0e491f1bd212a771c4c15aeeefa8e83f1d2d0f3d067336ccd8b
Instruction Fuzzy Hash: 2751E171A107199FDB11CFA8D885AEEFBF9EF08340F14402AFA56E7291D7309A51CB60

Function 00356B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00356C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00356C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00356C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0033AB79,00000000,00000000), ref: 00356C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00356CC7

Strings

Ph, xrefs: 00356BB0, 00356C55

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: Ph
API String ID: 3688381893-1955597793
Opcode ID: 57d46bd5cc73617faba4715951bbb8f626e76626751cc45308e170d224657ce6
Instruction ID: c38260fd9c8bdf52db937901d7dbe6cd58a6f8ec002d941ed0b4cc610cb359c3
Opcode Fuzzy Hash: 57d46bd5cc73617faba4715951bbb8f626e76626751cc45308e170d224657ce6
Instruction Fuzzy Hash: 7841F935604204AFD727CF68CC56FA9BBA9EB09365F960228FC95A72F0C371ED45CA40

Function 003410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0034304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0034307A
Part of subcall function 0034304E: _wcslen.LIBCMT ref: 0034309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00341112
WSAGetLastError.WSOCK32 ref: 00341121
WSAGetLastError.WSOCK32 ref: 003411C9
closesocket.WSOCK32(00000000), ref: 003411F9

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 31ed9fb58c54cf9a426a66ce0b3c513389d572d8a45d62bbf16e490e072cc3c5
Instruction ID: 4a298b12f6bb45dbd685c74e78b9d71e55dcaec5e4b4c519db65cfd1c69789b5
Opcode Fuzzy Hash: 31ed9fb58c54cf9a426a66ce0b3c513389d572d8a45d62bbf16e490e072cc3c5
Instruction Fuzzy Hash: AA41F431610604AFDB129F24C885BAABBE9EF45368F148159FD099F2A1C770BD81CFA0

Function 0032CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0032DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0032CF22,?), ref: 0032DDFD

Part of subcall function 0032DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0032CF22,?), ref: 0032DE16

lstrcmpiW.KERNEL32(?,?), ref: 0032CF45
MoveFileW.KERNEL32(?,?), ref: 0032CF7F
_wcslen.LIBCMT ref: 0032D005
_wcslen.LIBCMT ref: 0032D01B
SHFileOperationW.SHELL32(?), ref: 0032D061

Strings

\*.*, xrefs: 0032CFF3

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 135d1c559338695c1878f74ec8877a0842a3422c74b0117e5be766ee74b10570
Instruction ID: fca9daeb9cc5b7ef498bd8acdc6a3eeac07935b88164c269022fa8cc80451427
Opcode Fuzzy Hash: 135d1c559338695c1878f74ec8877a0842a3422c74b0117e5be766ee74b10570
Instruction Fuzzy Hash: E44154719552289FDF13EBA4DA81EDEB7B8AF08380F1000E6E545EB152EA34A694CF50

Function 00327726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00327769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0032778F
SysAllocString.OLEAUT32(00000000), ref: 00327792
SysAllocString.OLEAUT32(?), ref: 003277B0
SysFreeString.OLEAUT32(?), ref: 003277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003277DE
SysAllocString.OLEAUT32(?), ref: 003277EC

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 98c9bf1a2c576dc60a957bcc1058b93bff5c0692082e6d1e8a801abdc7588732
Instruction ID: 7fada3283ce7992f5ad004cbc2470fe2d5485d2a178de62c268e45572ea29e27
Opcode Fuzzy Hash: 98c9bf1a2c576dc60a957bcc1058b93bff5c0692082e6d1e8a801abdc7588732
Instruction Fuzzy Hash: 5B21B076604329AFDB12DFACDC88CBB73ACFB09364B008025FA15DB260D670DC418BA4

Function 003277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00327842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00327868
SysAllocString.OLEAUT32(00000000), ref: 0032786B
SysAllocString.OLEAUT32 ref: 0032788C
SysFreeString.OLEAUT32 ref: 00327895
StringFromGUID2.OLE32(?,?,00000028), ref: 003278AF
SysAllocString.OLEAUT32(?), ref: 003278BD

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 80371950b78b2aa9bb8af3373753fe978cbb7c87a5def797d0ce315b8b9283a1
Instruction ID: 1e3e1e302f4d393a228db8fabebfeb122cbd1305616e7d8711f9c7428cfadb3d
Opcode Fuzzy Hash: 80371950b78b2aa9bb8af3373753fe978cbb7c87a5def797d0ce315b8b9283a1
Instruction Fuzzy Hash: 5821A171608224AFDB129FA9EC8DDAA77ECFB08764B108125F915CB2A1E670DC41CB64

Function 003304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0033052E

Strings

nul, xrefs: 00330567

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d34fe897bc7553ba647d7604a24554f748f0aa8bb3abe5172f1bcb8e87861f2a
Instruction ID: 4bcab9666435ca275b535f807b596e58cf022547880f268affca2c0541346cf8
Opcode Fuzzy Hash: d34fe897bc7553ba647d7604a24554f748f0aa8bb3abe5172f1bcb8e87861f2a
Instruction Fuzzy Hash: 5A219C75504305AFEF269F29DC94A9A7BB8BF46724F204A19F8A1E72E0D7709940CF60

Function 003305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00330601

Strings

nul, xrefs: 00330639

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2a5bf4099e1add84fc4d23552ea2f0db7549f6507f14245bc6f3708dd54f2283
Instruction ID: d1385c17728a529ab93284c0d1008f07f3cac1e54f5465071873d867108d032e
Opcode Fuzzy Hash: 2a5bf4099e1add84fc4d23552ea2f0db7549f6507f14245bc6f3708dd54f2283
Instruction Fuzzy Hash: 8621B2755003059FDB269F69CC95A9A77E8FF85B34F200A19F8A1E72E4D77098A0CB50

Function 003540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002C604C
Part of subcall function 002C600E: GetStockObject.GDI32(00000011), ref: 002C6060
Part of subcall function 002C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00354112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0035411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0035412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00354139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00354145

Strings

Msctls_Progress32, xrefs: 003540E3

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 04cc4bcb4d9df381ad38d1e56fdd23889f6a215ee13f5b32b02edf473bbecbb7
Instruction ID: 94770057cc9a43ac45feea49517dec219d31ac8dc82d7c1258334abafc7b2900
Opcode Fuzzy Hash: 04cc4bcb4d9df381ad38d1e56fdd23889f6a215ee13f5b32b02edf473bbecbb7
Instruction Fuzzy Hash: FD11B6B11502197EEF119F64CC85EE77F5DEF08798F114111FA18A6160C672DC61DBA4

Function 002FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002FD7A3: _free.LIBCMT ref: 002FD7CC

_free.LIBCMT ref: 002FD82D

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002FD838
_free.LIBCMT ref: 002FD843
_free.LIBCMT ref: 002FD897
_free.LIBCMT ref: 002FD8A2
_free.LIBCMT ref: 002FD8AD
_free.LIBCMT ref: 002FD8B8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 390f328d141d738d1eb9eb151106cc3887f8dc712381c467247a5b243bd71a9a
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 881151715A0B0CEAD521BFB0CC47FEBFBDD6F01780F400835B399AA0A2DA65B5254E50

Function 0032DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0032DA74
LoadStringW.USER32(00000000), ref: 0032DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0032DA91
LoadStringW.USER32(00000000), ref: 0032DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0032DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0032DAB9

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a392d5fe11515104e47e98a3adb004b2022f64da292eb8cc19eb01607d9d5452
Instruction ID: 9ec6084ea3224e394367256859f2ae33e8b17cbe1dd8d34bb12781031402e733
Opcode Fuzzy Hash: a392d5fe11515104e47e98a3adb004b2022f64da292eb8cc19eb01607d9d5452
Instruction Fuzzy Hash: A50186F69103187FE712EBA49D89EEB336CE70830AF405492F746E2051EA749E848F74

Function 0033096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E5F118,00E5F118), ref: 0033097B
EnterCriticalSection.KERNEL32(00E5F0F8,00000000), ref: 0033098D
TerminateThread.KERNEL32(72446D65,000001F6), ref: 0033099B
WaitForSingleObject.KERNEL32(72446D65,000003E8), ref: 003309A9
CloseHandle.KERNEL32(72446D65), ref: 003309B8
InterlockedExchange.KERNEL32(00E5F118,000001F6), ref: 003309C8
LeaveCriticalSection.KERNEL32(00E5F0F8), ref: 003309CF

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: bcef4cb2bb317f99c4870d450773ff11416377de7707c84b7e26578029650ac9
Instruction ID: 26c6e7756f168d7b97826898245dbb4b339abbfa98f2515105ee0610dbadcc2f
Opcode Fuzzy Hash: bcef4cb2bb317f99c4870d450773ff11416377de7707c84b7e26578029650ac9
Instruction Fuzzy Hash: 1CF01932452B02AFDB465BA4EE88BDABA39FF01706F402425F202908B0CB7494A5CF90

Function 002F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F00D6
__allrem.LIBCMT ref: 002F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F010B
__allrem.LIBCMT ref: 002F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F0140

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 6adfc773f2c5cf30fbcc5d6786abb0b257e2c6ecf08516990c7dee03744ea4ca
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 33812B7262070A9BEB209F69CC81B7BF3E89F413A0F14453DF615D66C2EB70D9208B50

Function 002F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002E82D9,002E82D9,?,?,?,002F644F,00000001,00000001,8BE85006), ref: 002F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002F644F,00000001,00000001,8BE85006,?,?,?), ref: 002F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002F63D8
__freea.LIBCMT ref: 002F63E5

Part of subcall function 002F3820: RtlAllocateHeap.NTDLL(00000000,?,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6,?,002C1129), ref: 002F3852

__freea.LIBCMT ref: 002F63EE
__freea.LIBCMT ref: 002F6413

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5cf8dfc6e3066b5d4237bd1d69919670838d1a9d350e2e04eb45f5d53607b4c8
Instruction ID: 216ad0482ceb25dcba00bb92105d5fca5638cf31cafd5441b88e1bb5e64f1fcc
Opcode Fuzzy Hash: 5cf8dfc6e3066b5d4237bd1d69919670838d1a9d350e2e04eb45f5d53607b4c8
Instruction Fuzzy Hash: DF51F57262021BABDB258FA4CC89EBFB7A9EB44B90F144279FE05D6140DB34DC64C760

Function 0031F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0031F7B9
SysAllocString.OLEAUT32(00000001), ref: 0031F860
VariantCopy.OLEAUT32(0031FA64,00000000), ref: 0031F889
VariantClear.OLEAUT32(0031FA64), ref: 0031F8AD
VariantCopy.OLEAUT32(0031FA64,00000000), ref: 0031F8B1
VariantClear.OLEAUT32(?), ref: 0031F8BB

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 87e0d770750f0dba63821e8f3181a95c906891df4c0872c11fa1bf76bac26d8b
Instruction ID: 1f4ed706bfd96626baa0f891c622a0c72da67c033eea9f10eb73df1258146d3f
Opcode Fuzzy Hash: 87e0d770750f0dba63821e8f3181a95c906891df4c0872c11fa1bf76bac26d8b
Instruction Fuzzy Hash: A851F931510310BFCF1ABB65D895BA9B3A8EF4D310F24956BE806DF291DB708C80CB96

Function 0033910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 002C7620: _wcslen.LIBCMT ref: 002C7625

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003394E5
_wcslen.LIBCMT ref: 00339506
_wcslen.LIBCMT ref: 0033952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00339585

Strings

X, xrefs: 00339412

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1dd0b97a69c4fc32ab9b30783937d0023afadcb9e79f4b00ad450cdc247658f3
Instruction ID: fafeff12f5630c428ad6e6a475d4d6df63229964dcbb9177cbda823c2279d4ee
Opcode Fuzzy Hash: 1dd0b97a69c4fc32ab9b30783937d0023afadcb9e79f4b00ad450cdc247658f3
Instruction Fuzzy Hash: D4E18D31618340CFD715EF24C881F6AB7E4AF85314F058A6EE8899B2A2DB70DD55CF92

Function 002D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

BeginPaint.USER32(?,?,?), ref: 002D9241
GetWindowRect.USER32(?,?), ref: 002D92A5
ScreenToClient.USER32(?,?), ref: 002D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002D92D3
EndPaint.USER32(?,?,?,?,?), ref: 002D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003171EA

Part of subcall function 002D9339: BeginPath.GDI32(00000000), ref: 002D9357

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 7c5eca0f5ee8d6464352bddd17b20532a1343cc57116ad9d73d5abd39361cf3d
Instruction ID: a5dedb3cf2d6594715cee9059bf859a09dc52707095b40b643dfe90c3b707d8d
Opcode Fuzzy Hash: 7c5eca0f5ee8d6464352bddd17b20532a1343cc57116ad9d73d5abd39361cf3d
Instruction Fuzzy Hash: 2641DE31128301AFD712DF24CC84FBA7BB8EB49325F14066AF9A4972B1C7719C95DB61

Function 003307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0033080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00330847
EnterCriticalSection.KERNEL32(?), ref: 00330863
LeaveCriticalSection.KERNEL32(?), ref: 003308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00330921

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: eb0a567a533fa48869fd99fa0a3efaa2857678f7730be62e209bc2fba732e225
Instruction ID: 1fbbedc050a1766af639b43c751c73532fe5ce7828549689ef13efb732462fad
Opcode Fuzzy Hash: eb0a567a533fa48869fd99fa0a3efaa2857678f7730be62e209bc2fba732e225
Instruction Fuzzy Hash: AE416871910205EFDF1AAF54DCC5A6AB7B8FF04304F1440A5ED059E2A6DB30DE61DBA4

Function 00324C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00324C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00324CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00324CEA
_wcslen.LIBCMT ref: 00324D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00324D10
_wcsstr.LIBVCRUNTIME ref: 00324D1A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 30c070dd51705359b1b2ad9586f05b4403899e59ea29ff1bb3b20ff0981f0f63
Instruction ID: 1b3029907c5ead526fffa9142c3ebd88137d57ff1fe5d5559103ea6fa1321192
Opcode Fuzzy Hash: 30c070dd51705359b1b2ad9586f05b4403899e59ea29ff1bb3b20ff0981f0f63
Instruction Fuzzy Hash: 59210B31204360BFEB175B39FC49E7BBBACDF45750F15803AF805DA1A2EA61DD1096A0

Function 0033581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 002C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002C3A97,?,?,002C2E7F,?,?,?,00000000), ref: 002C3AC2

_wcslen.LIBCMT ref: 0033587B
CoInitialize.OLE32(00000000), ref: 00335995
CoCreateInstance.OLE32(0035FCF8,00000000,00000001,0035FB68,?), ref: 003359AE
CoUninitialize.OLE32 ref: 003359CC

Strings

.lnk, xrefs: 00335876, 003358C1, 00335985

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 8bdb0464cff6b3e15faf753c4d9122102490beae4db62b9de89945019b02411e
Instruction ID: de249923e458e2dff51d13574da4f3b157a8529362ab151f316585d9fad44cb0
Opcode Fuzzy Hash: 8bdb0464cff6b3e15faf753c4d9122102490beae4db62b9de89945019b02411e
Instruction Fuzzy Hash: B0D160716087019FC715DF24C880A2ABBE5EF89720F158A5DF88A9B361DB31ED45CF92

Function 0032175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00320FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00320FCA
Part of subcall function 00320FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00320FD6
Part of subcall function 00320FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00320FE5
Part of subcall function 00320FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00320FEC
Part of subcall function 00320FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00321002

GetLengthSid.ADVAPI32(?,00000000,00321335), ref: 003217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003217BA
HeapAlloc.KERNEL32(00000000), ref: 003217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003217DA
GetProcessHeap.KERNEL32(00000000,00000000,00321335), ref: 003217EE
HeapFree.KERNEL32(00000000), ref: 003217F5

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 30049cc49c4264cee642f4caff9042d7a4e6f05106aa25fe782815ff5ae629d1
Instruction ID: 508248756f200d6eed648c0c56c7aa8594079cf780bf90f899ced9ab7ce337d8
Opcode Fuzzy Hash: 30049cc49c4264cee642f4caff9042d7a4e6f05106aa25fe782815ff5ae629d1
Instruction Fuzzy Hash: 6511BE31510715FFDB229FA8ED49BAF7BADEB9535AF104018F44197221C736AA44CBA0

Function 003214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00321506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00321515
CloseHandle.KERNEL32(00000004), ref: 00321520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0032154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00321563

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 2718d4b6ae448c3efbacf04e513543668ca5b1e3f3f95ec5357c1dbd24cc653f
Instruction ID: ef53670869a5a56e853a9cb14f2dd84c41916746e590c4b55c96d057dc55c0aa
Opcode Fuzzy Hash: 2718d4b6ae448c3efbacf04e513543668ca5b1e3f3f95ec5357c1dbd24cc653f
Instruction Fuzzy Hash: 9D11477250020DAFDB128F98EE49BDA7BADEB48709F154054FA05A2060C375CE60DBA0

Function 002E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002E3379,002E2FE5), ref: 002E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002E33B7
SetLastError.KERNEL32(00000000,?,002E3379,002E2FE5), ref: 002E3409

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5569dafdddd5ad6992b8531375cd0ab57f81ecdc3ff29c493ab840deed21886d
Instruction ID: ae1ed5ce3f352a28c25974ad9acb98c16f86adbf8f6784be07102b6b8f9d04e9
Opcode Fuzzy Hash: 5569dafdddd5ad6992b8531375cd0ab57f81ecdc3ff29c493ab840deed21886d
Instruction Fuzzy Hash: B201F9322B8352AED7176B777C8D9661B9CD7053BBBB00269F410831F0EF614D215A94

Function 002F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002F5686,00303CD6,?,00000000,?,002F5B6A,?,?,?,?,?,002EE6D1,?,00388A48), ref: 002F2D78
_free.LIBCMT ref: 002F2DAB
_free.LIBCMT ref: 002F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,002EE6D1,?,00388A48,00000010,002C4F4A,?,?,00000000,00303CD6), ref: 002F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,002EE6D1,?,00388A48,00000010,002C4F4A,?,?,00000000,00303CD6), ref: 002F2DEC
_abort.LIBCMT ref: 002F2DF2

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a451159fabd75d7e74aefc11dc05ea757122224e123d940f0ab1224bfd16bbd0
Instruction ID: 17285df6720c35ed7ca8245a7c999d2201f320205adb9f4348729ba232e6a314
Opcode Fuzzy Hash: a451159fabd75d7e74aefc11dc05ea757122224e123d940f0ab1224bfd16bbd0
Instruction Fuzzy Hash: 5AF0F935575B0DEBC2132B34BC1AE3AA559AFC37E5F241035FB24921A2DE748C294920

Function 00358A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D9693
Part of subcall function 002D9639: SelectObject.GDI32(?,00000000), ref: 002D96A2
Part of subcall function 002D9639: BeginPath.GDI32(?), ref: 002D96B9
Part of subcall function 002D9639: SelectObject.GDI32(?,00000000), ref: 002D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00358A4E
LineTo.GDI32(?,00000003,00000000), ref: 00358A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00358A70
LineTo.GDI32(?,00000000,00000003), ref: 00358A80
EndPath.GDI32(?), ref: 00358A90
StrokePath.GDI32(?), ref: 00358AA0

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1185f14367c870b9661f225c3c217f9fc47644fcc944dac84d09a3e09ca8569a
Instruction ID: df496bc9846974903360533f0983e36fe0901a1bae44e9093c21ee62d93d565f
Opcode Fuzzy Hash: 1185f14367c870b9661f225c3c217f9fc47644fcc944dac84d09a3e09ca8569a
Instruction Fuzzy Hash: 6811C976010249FFDB129F94DC88EAA7F6DEB08395F048012BA199A1B1C7729D55DFA0

Function 003251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00325218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00325229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00325230
ReleaseDC.USER32(00000000,00000000), ref: 00325238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0032524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00325261

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9fe68e90da04c09ed5722253a9e2a29e1680443e3046e18d2469b2dbce7b3f76
Instruction ID: 9b06d49d17a81432354f6b5cdba07b77fc13608482088fe1d3864e49e1a3081d
Opcode Fuzzy Hash: 9fe68e90da04c09ed5722253a9e2a29e1680443e3046e18d2469b2dbce7b3f76
Instruction Fuzzy Hash: EC018B75A01718BFEB119BA69C49A4EBFB8EB48752F044065FA04AB291DA709900CBA0

Function 0032EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0032EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0032EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0032EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0032EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0032EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0032EB75

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fbc3bb4fed9d40c74f57b05a6db5c5081ca612ca6f52c17e54dea11d609dbb4c
Instruction ID: 848f2fdd6588be775df7d70cf2b162aefe1c7a4c5731a5fbf45cf35eb1b6d2c5
Opcode Fuzzy Hash: fbc3bb4fed9d40c74f57b05a6db5c5081ca612ca6f52c17e54dea11d609dbb4c
Instruction Fuzzy Hash: B6F01772250758BFE6225B629C0EEAB7A7CEBCAB1AF001158F601D11A196A05B0186B5

Function 00317439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00317452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00317469
GetWindowDC.USER32(?), ref: 00317475
GetPixel.GDI32(00000000,?,?), ref: 00317484
ReleaseDC.USER32(?,00000000), ref: 00317496
GetSysColor.USER32(00000005), ref: 003174B0

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 4de64bad2e0f3b6ab071cdfdc1a9c649e8e00585e60ef15a17dbfef0ce62a912
Instruction ID: e6bdff89e9cb8c0aa3083bb30c6101908e75ba3563bc5275b8507e68dcec889d
Opcode Fuzzy Hash: 4de64bad2e0f3b6ab071cdfdc1a9c649e8e00585e60ef15a17dbfef0ce62a912
Instruction Fuzzy Hash: 91017831410305EFEB125FA5DC48BEA7BB9FB08316F191060F916A21B0CB311E91EB10

Function 00321874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0032187F
UnloadUserProfile.USERENV(?,?), ref: 0032188B
CloseHandle.KERNEL32(?), ref: 00321894
CloseHandle.KERNEL32(?), ref: 0032189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003218A5
HeapFree.KERNEL32(00000000), ref: 003218AC

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 4fc1af904026413ad11b867ee0dd1c58d0e82839032e51fb4ff153111ed43859
Instruction ID: 373c6161124facf2b6455bd94d3706fd3d234f7d21bde92c91b3cb7a01bd9d2b
Opcode Fuzzy Hash: 4fc1af904026413ad11b867ee0dd1c58d0e82839032e51fb4ff153111ed43859
Instruction Fuzzy Hash: 2BE0C236014705BFDA025BA1ED0C90ABB6DFB49B26B109220F22681470CB32A4A0DB90

Function 00347B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 002E0242: EnterCriticalSection.KERNEL32(0039070C,00391884,?,?,002D198B,00392518,?,?,?,002C12F9,00000000), ref: 002E024D
Part of subcall function 002E0242: LeaveCriticalSection.KERNEL32(0039070C,?,002D198B,00392518,?,?,?,002C12F9,00000000), ref: 002E028A

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Part of subcall function 002E00A3: __onexit.LIBCMT ref: 002E00A9

__Init_thread_footer.LIBCMT ref: 00347BFB

Part of subcall function 002E01F8: EnterCriticalSection.KERNEL32(0039070C,?,?,002D8747,00392514), ref: 002E0202
Part of subcall function 002E01F8: LeaveCriticalSection.KERNEL32(0039070C,?,002D8747,00392514), ref: 002E0235

Strings

G, xrefs: 00347C7F
+T1, xrefs: 00347E2E
Variable must be of type 'Object'., xrefs: 00347C3A
5, xrefs: 00347C78

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T1$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2785345629
Opcode ID: 1e2fe5330a8ce14bb11a1435761e9b021a70ede6d7404cd684a02590b7013291
Instruction ID: 6328b53e0bbd8274161ac92d706e74877cc4dc10087d37c74afc09a5b7ccee84
Opcode Fuzzy Hash: 1e2fe5330a8ce14bb11a1435761e9b021a70ede6d7404cd684a02590b7013291
Instruction Fuzzy Hash: 0F919974A14209AFCB16EF94D891DADB7F5FF49304F108059F806AF2A2DB71AE85CB50

Function 0034AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0034AEA3

Part of subcall function 002C7620: _wcslen.LIBCMT ref: 002C7625

GetProcessId.KERNEL32(00000000), ref: 0034AF38
CloseHandle.KERNEL32(00000000), ref: 0034AF67

Strings

@, xrefs: 0034AE72
<, xrefs: 0034AE6B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 2bb7917f789c1ff618b2150974dcbca339f0862f4847f070dd4b0f2460dcd1fd
Instruction ID: 8520ce8ecbf0e99c8e93a42a77c30ed3cf984542703f27e91bc0faa5159f0cda
Opcode Fuzzy Hash: 2bb7917f789c1ff618b2150974dcbca339f0862f4847f070dd4b0f2460dcd1fd
Instruction Fuzzy Hash: 0B716670A10619DFCB15DF54C884A9EBBF4AF08304F05859DE816AB362CB74ED95CF91

Function 00356278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00E6DF50,?), ref: 003562E2
ScreenToClient.USER32(?,?), ref: 00356315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00356382

Strings

Ph, xrefs: 003562B1, 003563AC

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: Ph
API String ID: 3880355969-1955597793
Opcode ID: 8fd634801e405753333940d3682cbd9037522839ea34cf9fe81c57f9c0075d5f
Instruction ID: 8dd66e2218c98b3d73afefb31fb6ca0b836719d10ff68eccc04077b2ec155389
Opcode Fuzzy Hash: 8fd634801e405753333940d3682cbd9037522839ea34cf9fe81c57f9c0075d5f
Instruction Fuzzy Hash: 57515B74A00209AFCF12CF54D881EAE7BB5EB45361F518259F8159B2B0D730ED85CB90

Function 0032719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00327206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0032723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0032724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003272CF

Strings

DllGetClassObject, xrefs: 00327242

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: da6848896c6e0b32f1129f87b55ee661e9e4e1e49e41a424c37534245eb6369f
Instruction ID: 7477e7171da0ebc8e970c7f1cea26928ba3c8a6450a10949961f426cf4b73dc3
Opcode Fuzzy Hash: da6848896c6e0b32f1129f87b55ee661e9e4e1e49e41a424c37534245eb6369f
Instruction Fuzzy Hash: F0418DB1A04314EFDB16CF54D884A9A7BA9FF44314F1584ADFD059F20AD7B1DA44CBA0

Function 0032C27D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0032C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0032C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00391990,Hf), ref: 0032C395

Strings

0, xrefs: 0032C2DF
Hf, xrefs: 0032C28D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0$Hf
API String ID: 135850232-2882497664
Opcode ID: 8858bc48f2be4bb141f868e822ce2057b59a7aa9b87052adf8faa0c5ba087edc
Instruction ID: 323d219438625095b59bd52cfb1ba3de11146d3149b2b7f863f45b449d36a7ca
Opcode Fuzzy Hash: 8858bc48f2be4bb141f868e822ce2057b59a7aa9b87052adf8faa0c5ba087edc
Instruction Fuzzy Hash: 5141F0352143519FD722DF25EC84B5EBBE8AF85320F009A1DFAA5972D1D734E904CB52

Function 003552C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00355352
GetWindowLongW.USER32(?,000000F0), ref: 00355375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00355382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003553A8

Strings

Ph, xrefs: 003552F1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: Ph
API String ID: 3340791633-1955597793
Opcode ID: abe7a9c77c9dd0a3d11e0f7942456be54f8faea3675efbb36afb21ce705801fe
Instruction ID: b2c2808f099b2af3bee0c55a57cae6d555a05ca3cddaa332ed306428e3621cab
Opcode Fuzzy Hash: abe7a9c77c9dd0a3d11e0f7942456be54f8faea3675efbb36afb21ce705801fe
Instruction Fuzzy Hash: A031E438A55A08EFEB339F14CC25FE87769AB04392F594112FE19961F0C7B0BD889B41

Function 00357674 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0035769A
GetWindowRect.USER32(?,?), ref: 00357710
PtInRect.USER32(?,?,00358B89), ref: 00357720
MessageBeep.USER32(00000000), ref: 0035778C

Strings

Ph, xrefs: 003576D6, 00357733

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID: Ph
API String ID: 1352109105-1955597793
Opcode ID: 0bc3ed645b754cc5799c6de494246cdafdd87a2a6e28ff0ee48565a8aa1a229d
Instruction ID: 7f49b0ccc734d7e230f6ea929370c5f4e12fec5e993eaa7bf56bf738fb0d89f3
Opcode Fuzzy Hash: 0bc3ed645b754cc5799c6de494246cdafdd87a2a6e28ff0ee48565a8aa1a229d
Instruction Fuzzy Hash: 22419A34A09215DFCB13CF58E894EA9B7F8FB49346F1A40A9E8149B271C331A949CF90

Function 00354653 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00354705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00354713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0035471A

Strings

Ph, xrefs: 003546D0, 003546EF
msctls_updown32, xrefs: 00354684

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: Ph$msctls_updown32
API String ID: 4014797782-3643902916
Opcode ID: bf40523423cb3edfb03c963d8b2d8fd5f3f471e05db89d70aa9ac10f1db5a818
Instruction ID: c0764f80821f0d49464ac47a001da890818a9ec8de9bc19454232872c4f1155d
Opcode Fuzzy Hash: bf40523423cb3edfb03c963d8b2d8fd5f3f471e05db89d70aa9ac10f1db5a818
Instruction Fuzzy Hash: 9E21A1B5600209AFDB16DF64DCC1DB737ADEF4A399B050049FA109B261CB31EC55CBA0

Function 00352F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00352F8D
LoadLibraryW.KERNEL32(?), ref: 00352F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00352FA9
DestroyWindow.USER32(?), ref: 00352FB1

Strings

SysAnimate32, xrefs: 00352F68

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6ec86993223db157c24bf6c2d4d99a933e0acd62419cd3c7caa9d8dd73031436
Instruction ID: 8529b38452cc945ec53cfd3c27e617ee11db4607218938a26301c4549df62caa
Opcode Fuzzy Hash: 6ec86993223db157c24bf6c2d4d99a933e0acd62419cd3c7caa9d8dd73031436
Instruction Fuzzy Hash: EB21CA72204205AFEB124F64EC80EBB77BDEB5A32AF120218FD10E60A0C331DC559B60

Function 00358FC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

GetCursorPos.USER32(?), ref: 00359001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00317711,?,?,?,?,?), ref: 00359016
GetCursorPos.USER32(?), ref: 0035905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00317711,?,?,?), ref: 00359094

Strings

Ph, xrefs: 0035902E, 00359064

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: Ph
API String ID: 2864067406-1955597793
Opcode ID: 5322eead7dc0823eab6ee7075ec0880a1ea381dbc488db595bd739eb0b7acf59
Instruction ID: c3f0bf79e625d66a2154e07f451c7e3b0576998ffee5939dd6802ebd99d15aae
Opcode Fuzzy Hash: 5322eead7dc0823eab6ee7075ec0880a1ea381dbc488db595bd739eb0b7acf59
Instruction Fuzzy Hash: 34219C35600118EFCB278F94C858FEB7BB9EB4A352F044896F905572B1C3319D90EB60

Function 002E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002E4D1E,002F28E9,?,002E4CBE,002F28E9,003888B8,0000000C,002E4E15,002F28E9,00000002), ref: 002E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,002E4D1E,002F28E9,?,002E4CBE,002F28E9,003888B8,0000000C,002E4E15,002F28E9,00000002,00000000), ref: 002E4DC3

Strings

mscoree.dll, xrefs: 002E4D86
CorExitProcess, xrefs: 002E4D98

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0e78143fd4bf0cf4f7e35b4cef580d648fe59bf8f4dca9a046ea4253f2a1a41b
Instruction ID: 3c9ace50dbf9851627debde84e0ac1d140dda38dde97ff67b1580ce1f79d4cfc
Opcode Fuzzy Hash: 0e78143fd4bf0cf4f7e35b4cef580d648fe59bf8f4dca9a046ea4253f2a1a41b
Instruction Fuzzy Hash: C5F04F34A60309BFDB169F91DC49BEEBBB9EF44756F4040A4F905A2260CB709E50CB90

Function 002C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002C4EDD,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002C4EAE
FreeLibrary.KERNEL32(00000000,?,?,002C4EDD,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4EC0

Strings

kernel32.dll, xrefs: 002C4E94
Wow64DisableWow64FsRedirection, xrefs: 002C4EA8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 70b86ca46675ca5aa249eb3609d63ceaa48a123ed8cf9842309047b44913142a
Instruction ID: c8b507a3311756c0ed1b0ef5a14b07346500f28d4045bbf4a4e705dd6370c112
Opcode Fuzzy Hash: 70b86ca46675ca5aa249eb3609d63ceaa48a123ed8cf9842309047b44913142a
Instruction Fuzzy Hash: 66E08635A21F235F92232B256C28F5BA668AF81F67B060219FC01E2220DB60CE0181A0

Function 002C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00303CDE,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002C4E74
FreeLibrary.KERNEL32(00000000,?,?,00303CDE,?,00391418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002C4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 002C4E6E
kernel32.dll, xrefs: 002C4E5B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 89b3c2b52887ce8046f5003b4f477083881d420f40c9b228533f936493b23cd2
Instruction ID: c0bb7c2a42cf1f58332c862d174a19ed25b6b276e88a220487708653b2837b8e
Opcode Fuzzy Hash: 89b3c2b52887ce8046f5003b4f477083881d420f40c9b228533f936493b23cd2
Instruction Fuzzy Hash: F1D01235522B225B56232F297C28ECB6A2CAF85F5A7061619FD05A2125CF60CE11C5D0

Function 0034A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0034A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0034A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0034A468
CloseHandle.KERNEL32(?), ref: 0034A63D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: dc2b1f8fb59df3d22e1c7234ad42772ddf070bbabe914588cee11c2338a2b3d3
Instruction ID: 6a2252e8704ad00536a9fc6ea6d1843b0358b7d6077e6ee2f9de722ff2151f85
Opcode Fuzzy Hash: dc2b1f8fb59df3d22e1c7234ad42772ddf070bbabe914588cee11c2338a2b3d3
Instruction Fuzzy Hash: 1DA1CD716447009FD720DF24C886F2AB7E5AF84714F15895DF99A9B3E2D7B0EC018B82

Function 002FBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00363700), ref: 002FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0039121C,000000FF,00000000,0000003F,00000000,?,?), ref: 002FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00391270,000000FF,?,0000003F,00000000,?), ref: 002FBC36
_free.LIBCMT ref: 002FBB7F

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002FBD4B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 38a740c1eccc53bcaa38441ac62a40b1e8125355eff7af558c96809b1363c264
Instruction ID: c3e346f47b6f28ef67987cfb3ab2197c6e18463115d018f60b4dc1796a9801c9
Opcode Fuzzy Hash: 38a740c1eccc53bcaa38441ac62a40b1e8125355eff7af558c96809b1363c264
Instruction Fuzzy Hash: F851D87191020EDFCB12EF65DC819BAF7BCAB41390F1046BBE654E7291DB709E518B50

Function 0032E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0032DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0032CF22,?), ref: 0032DDFD

Part of subcall function 0032DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0032CF22,?), ref: 0032DE16

Part of subcall function 0032E199: GetFileAttributesW.KERNEL32(?,0032CF95), ref: 0032E19A

lstrcmpiW.KERNEL32(?,?), ref: 0032E473
MoveFileW.KERNEL32(?,?), ref: 0032E4AC
_wcslen.LIBCMT ref: 0032E5EB
_wcslen.LIBCMT ref: 0032E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0032E650

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d56d60467bb1df4bfcc2f92cf8787555d0a3debe4ee7cbf868c387a523df33ff
Instruction ID: a3f444091caef4b0d56b644272da0ebc613cb6f65ba8995ba67205c18a1fdd9d
Opcode Fuzzy Hash: d56d60467bb1df4bfcc2f92cf8787555d0a3debe4ee7cbf868c387a523df33ff
Instruction Fuzzy Hash: 735194B24083955BC725EB90DC81DDF73ECAF85340F40492EF689D3191EF74A6888B66

Function 0034B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Part of subcall function 0034C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034B6AE,?,?), ref: 0034C9B5
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034C9F1
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034CA68
Part of subcall function 0034C998: _wcslen.LIBCMT ref: 0034CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0034BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0034BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0034BB63
RegCloseKey.ADVAPI32(?,?), ref: 0034BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0034BBB3

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8dee1dd1d8de0ea92b54fe9c37dd184c3061f8be33275443b935e712518a881d
Instruction ID: 3e607f6e1983234fcb26c268a0b34eb2c4aee7591485a2f2415bdad9b5a6e3d7
Opcode Fuzzy Hash: 8dee1dd1d8de0ea92b54fe9c37dd184c3061f8be33275443b935e712518a881d
Instruction Fuzzy Hash: DA619F31218241AFD715DF24C895E2ABBE9FF84308F54895CF4998B2A2DB31ED45CF92

Function 00328BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00328BCD
VariantClear.OLEAUT32 ref: 00328C3E
VariantClear.OLEAUT32 ref: 00328C9D
VariantClear.OLEAUT32(?), ref: 00328D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00328D3B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ee23dd1f32da9c0cc624337879fd419b7ba0baae428baca5284880064630de2f
Instruction ID: 52d0cf96f79cf288897b28df4055c998299e003416592e1046c4f544012b0695
Opcode Fuzzy Hash: ee23dd1f32da9c0cc624337879fd419b7ba0baae428baca5284880064630de2f
Instruction Fuzzy Hash: 655169B5A01229EFDB11CF68D884AAAB7F8FF89314F158559E909DB350E730E911CF90

Function 00338AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00338BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00338BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00338C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00338C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00338C5F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5b5b6bbefc63f85b537c9c1968366712e82ce71dc0a5765216b8ad606336a852
Instruction ID: 44acb8794288cbe70d06131c6f14a0d72fa68258e07d08b38a91956fa92d279a
Opcode Fuzzy Hash: 5b5b6bbefc63f85b537c9c1968366712e82ce71dc0a5765216b8ad606336a852
Instruction Fuzzy Hash: 2D512735A10215AFCB05DF64C881E6ABBF5FF48314F088459E84AAB362DB31ED51DF90

Function 00348EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00348F40
GetProcAddress.KERNEL32(00000000,?), ref: 00348FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00348FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00349032
FreeLibrary.KERNEL32(00000000), ref: 00349052

Part of subcall function 002DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00331043,?,7735E610), ref: 002DF6E6
Part of subcall function 002DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0031FA64,00000000,00000000,?,?,00331043,?,7735E610,?,0031FA64), ref: 002DF70D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 448f908cedaa246fb97209048d4c6ab3ff09223a3974f23349383f1792577591
Instruction ID: f2ac9f2ba7d97bbad154fa768c8dae52791963848de84fc1b78db4d3ba78a9f9
Opcode Fuzzy Hash: 448f908cedaa246fb97209048d4c6ab3ff09223a3974f23349383f1792577591
Instruction Fuzzy Hash: 005115356002059FCB12DF68C484DADBBF5FF49314B0581A9E80A9B762DB31ED85CF90

Function 002F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002F20C3
_free.LIBCMT ref: 002F20E3

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7c11a5dd763e766baee076a9558b73279e76f849f1c97ac5169f001aa0848301
Instruction ID: bc74103d5ecafccca331b210dae958977a9e320e9d1624b818ccb26f9d3d287e
Opcode Fuzzy Hash: 7c11a5dd763e766baee076a9558b73279e76f849f1c97ac5169f001aa0848301
Instruction Fuzzy Hash: C5410732A10204DFCB24DF78C980A6EF3A5EF86354F154179E605EB352DA31ED15CB90

Function 002D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002D9141
ScreenToClient.USER32(00000000,?), ref: 002D915E
GetAsyncKeyState.USER32(00000001), ref: 002D9183
GetAsyncKeyState.USER32(00000002), ref: 002D919D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a43048b70934aa039f0c8f4ec353c4f7c0264cc991c447ce89aabe47913bbe79
Instruction ID: 166608393573ba823bc44b52afd5e045415ef990eb854a567d5a73182e290a3e
Opcode Fuzzy Hash: a43048b70934aa039f0c8f4ec353c4f7c0264cc991c447ce89aabe47913bbe79
Instruction Fuzzy Hash: 5841713190860BFBDF1A9F64C844BEEB774FB09324F244226F429A62E0C770AD94CB51

Function 00333874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00333922
TranslateMessage.USER32(?), ref: 0033394B
DispatchMessageW.USER32(?), ref: 00333955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00333966

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0bcf8e78cb41f43f554d404f4cc21d1c390edb17fddb35ec6a3693c5716d27b6
Instruction ID: 35bd1735c0b08aeacd6c16c7256b5c525bbfbc833fda549aab902fa2f202d9d0
Opcode Fuzzy Hash: 0bcf8e78cb41f43f554d404f4cc21d1c390edb17fddb35ec6a3693c5716d27b6
Instruction Fuzzy Hash: 4931F270908342DEEB37CB35D8C9BB637ACEB06305F05846AE462D64A0E3B59A85CB11

Function 0033CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0033CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0033CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0033C21E,00000000), ref: 0033CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0033C21E,00000000), ref: 0033CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0033C21E,00000000), ref: 0033CFF2

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: de225299318a622dc3c7159f1f51d7af9aa1bc7d423f0238936db53994a20a8f
Instruction ID: df4305f98feb9bbeb7ea3fa418a08d3f29b1e870b2a8fcfd7551963afec86836
Opcode Fuzzy Hash: de225299318a622dc3c7159f1f51d7af9aa1bc7d423f0238936db53994a20a8f
Instruction Fuzzy Hash: 82316971620305AFDB22DFA5C8C4AABBBFDEB04315F10542EF506E2611DB30AE41DB60

Function 00321901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00321915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003219E2

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f6b985e9e529c827e4918bb77b3afdf82f7699c9b798b51d2891447a36a02158
Instruction ID: d511f6ce6468b68dd52d043fd2b7cadda7727e9065e63a00886ecd87503e8f71
Opcode Fuzzy Hash: f6b985e9e529c827e4918bb77b3afdf82f7699c9b798b51d2891447a36a02158
Instruction Fuzzy Hash: EA31D471A00329EFCB01CFA8DE99ADE7BB9EB14315F104225F921A72D1C7709E84CB90

Function 00355706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00355745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0035579D
_wcslen.LIBCMT ref: 003557AF
_wcslen.LIBCMT ref: 003557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00355816

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7f645a524933dc177a8e813af64db240ebb28cd3b3813fd8510cb42dacfde3f5
Instruction ID: b4502ebe6cc76d0b77a039c2aa056aad3c332c6a98b9102c68924bf7a0000c41
Opcode Fuzzy Hash: 7f645a524933dc177a8e813af64db240ebb28cd3b3813fd8510cb42dacfde3f5
Instruction Fuzzy Hash: 2021A771904618DADB229FA1CC44EEDB7BCFF04326F104156ED19EA1A0D7709989CF50

Function 00340930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00340951
GetForegroundWindow.USER32 ref: 00340968
GetDC.USER32(00000000), ref: 003409A4
GetPixel.GDI32(00000000,?,00000003), ref: 003409B0
ReleaseDC.USER32(00000000,00000003), ref: 003409E8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2a346a231213c65e4c93da4c502c02c030790adf979310ee7e79febe83e80df9
Instruction ID: d7d90ee511ab785478a9812ff675e30814b3b68321d1ef8059662a97b90cd1a7
Opcode Fuzzy Hash: 2a346a231213c65e4c93da4c502c02c030790adf979310ee7e79febe83e80df9
Instruction Fuzzy Hash: 38218E35610214AFD705EF65C885AAEBBE9EF48745F04846DE84A9B772CB30AD04CB50

Function 002FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 002FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002FCDE9

Part of subcall function 002F3820: RtlAllocateHeap.NTDLL(00000000,?,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6,?,002C1129), ref: 002F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002FCE0F
_free.LIBCMT ref: 002FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002FCE31

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f1d570278dfd543d95496ca42d0048b16937556729bd0292ad2bfa0bb83e6f78
Instruction ID: 538269f02d1be16cd651bee90357a54f6cf144294b979163c29d20c86854327c
Opcode Fuzzy Hash: f1d570278dfd543d95496ca42d0048b16937556729bd0292ad2bfa0bb83e6f78
Instruction Fuzzy Hash: A101D872A2171E7F23211A766D48CBBE96DDEC6BE13250139FE05C7210DA658D2181F0

Function 002D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D9693
SelectObject.GDI32(?,00000000), ref: 002D96A2
BeginPath.GDI32(?), ref: 002D96B9
SelectObject.GDI32(?,00000000), ref: 002D96E2

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 74c646b7972259515a9f45616b1ff2b54704b0aebb6a11763b8d1eb683f27ecb
Instruction ID: 9a38254d746f7ad514c2f6547c30d37ebe55ed068f3a6c4e88e4cec2670e975d
Opcode Fuzzy Hash: 74c646b7972259515a9f45616b1ff2b54704b0aebb6a11763b8d1eb683f27ecb
Instruction Fuzzy Hash: C7213A71822306EFDB139F69EC187A97BACBB50356F104217F411A62B0D3729DA1CBD4

Function 00325711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00325726
_memcmp.LIBVCRUNTIME ref: 00325744
_memcmp.LIBVCRUNTIME ref: 00325757
_memcmp.LIBVCRUNTIME ref: 0032576F
_memcmp.LIBVCRUNTIME ref: 00325787

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 32f2f61cc4c782f99f5ad0085b2ed60e3fb3e9a1da6660ac02c21e0a0832ad54
Instruction ID: 83cfc65c2b68fa339040c3155fecbf81123aa6b04ec549b77c830a761513923b
Opcode Fuzzy Hash: 32f2f61cc4c782f99f5ad0085b2ed60e3fb3e9a1da6660ac02c21e0a0832ad54
Instruction Fuzzy Hash: 4601B5716C1A69FFD20A9519AE82FFB735C9B313A5F404030FD049A645F770EE2486A0

Function 002F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,002EF2DE,002F3863,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6), ref: 002F2DFD
_free.LIBCMT ref: 002F2E32
_free.LIBCMT ref: 002F2E59
SetLastError.KERNEL32(00000000,002C1129), ref: 002F2E66
SetLastError.KERNEL32(00000000,002C1129), ref: 002F2E6F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1f86a95900f405fbb90a5adb04b91e392d0e9cc7a0c218412c3fdfc592b2d231
Instruction ID: f0feb976f06f844348ab9f80b28085045337fdf2a980c1fcce04dfac61907e8e
Opcode Fuzzy Hash: 1f86a95900f405fbb90a5adb04b91e392d0e9cc7a0c218412c3fdfc592b2d231
Instruction Fuzzy Hash: 8301493627070DEBC6136B746C45D3BA95DABC37E5B301035FB20921A3EAB49C384920

Function 0032000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?,?,0032035E), ref: 0032002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?), ref: 00320046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?), ref: 00320054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?), ref: 00320064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0031FF41,80070057,?,?), ref: 00320070

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0ae5b91e2f3e0ab009cb6bf5a463ed62740d84558a3d411666284d66e469d36f
Instruction ID: 57b8a9a9534c721492de1a318706a355b1497c54471e4781f4d2db826f78626b
Opcode Fuzzy Hash: 0ae5b91e2f3e0ab009cb6bf5a463ed62740d84558a3d411666284d66e469d36f
Instruction Fuzzy Hash: F201FD72610324BFEB124F68EC44BAE7AEDEF44796F108024F805D2221E770CD048BA0

Function 0032E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0032E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0032E9A5
Sleep.KERNEL32(00000000), ref: 0032E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0032E9B7
Sleep.KERNEL32 ref: 0032E9F3

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4ae43e14107f6885ddddac483b067f394c2385a689ee175ada1e4a9093fb9ac2
Instruction ID: e3a9664420be963360da37143f68a10969aadede49f5a114ad56ce4a34d13c6b
Opcode Fuzzy Hash: 4ae43e14107f6885ddddac483b067f394c2385a689ee175ada1e4a9093fb9ac2
Instruction Fuzzy Hash: 46011B31C11639DBCF02ABE5E85A6DDBB7CBB09705F010556E502B2251CB389694C7A1

Function 003210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00321114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 0032112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00320B9B,?,?,?), ref: 00321136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0032114D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: be013646470b4e19077be6af1d54aa4d8aee7b49652a89d26ffdbbc613f0a362
Instruction ID: f357d30017fd0d2f779fd146f8fe14396f85dba8aed8ad5f7ca6e9d287e5254c
Opcode Fuzzy Hash: be013646470b4e19077be6af1d54aa4d8aee7b49652a89d26ffdbbc613f0a362
Instruction Fuzzy Hash: 3E016979200315BFDB124FA4EC49A6A3FAEEF893A5F210418FA41D3360EA31DD10CA60

Function 00320FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00320FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00320FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00320FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00320FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00321002

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b0543811f62dcff27469826b55800a1de7fc2331005f88b04af6ad1f000a8e14
Instruction ID: 8a4791bab688deb572e66561d86bc975def5eaf93e71e8b6b3baab41f7afe9f5
Opcode Fuzzy Hash: b0543811f62dcff27469826b55800a1de7fc2331005f88b04af6ad1f000a8e14
Instruction Fuzzy Hash: 55F06D39210315EFDB224FA5ED4DF5A3BADEF89766F114414FA46C72A1CA70DC80CA60

Function 00321014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0032102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00321036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00321045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0032104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00321062

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0fefbacc9add4353166a4d2d46fc643b347c29eb6dec777b7688b87fc6c7b82e
Instruction ID: a2fd0eeebe5367e893e359b2da478df91eabf9a50afee4705e7bb3cd46bff43a
Opcode Fuzzy Hash: 0fefbacc9add4353166a4d2d46fc643b347c29eb6dec777b7688b87fc6c7b82e
Instruction Fuzzy Hash: CEF0CD39210315EFDB231FA5EC48F5A3BADEF89766F114414FA06C72A0CA30D980CA60

Function 0033030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 00330324
CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 00330331
CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 0033033E
CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 0033034B
CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 00330358
CloseHandle.KERNEL32(?,?,?,?,0033017D,?,003332FC,?,00000001,00302592,?), ref: 00330365

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 49c94f9469d55536507af2809f58540f23cb034ccb258f3ecdced73210f33c4c
Instruction ID: 4051666ad58d3dc613d666ab124a015953bca42a83a1039643d2c22612242d3e
Opcode Fuzzy Hash: 49c94f9469d55536507af2809f58540f23cb034ccb258f3ecdced73210f33c4c
Instruction Fuzzy Hash: 02019076800B159FC7369F66D8D0416F7F9BF503257168A3ED19652931C371A994CE80

Function 002FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002FD752

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002FD764
_free.LIBCMT ref: 002FD776
_free.LIBCMT ref: 002FD788
_free.LIBCMT ref: 002FD79A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 53278b61bd6de36e61f776fde6fac8950e8598fb9b6b2c3cd28ea17ed08aa49f
Instruction ID: befde5d80caf94ce34cf531c97f60861fadbd3cba041aff3e03c73eed37cb67e
Opcode Fuzzy Hash: 53278b61bd6de36e61f776fde6fac8950e8598fb9b6b2c3cd28ea17ed08aa49f
Instruction Fuzzy Hash: C8F01D325B020EEB8611BB64F981C26F7DEBB05390BA41865F244DB511C730F8508A70

Function 002F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002F22BE

Part of subcall function 002F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000), ref: 002F29DE
Part of subcall function 002F29C8: GetLastError.KERNEL32(00000000,?,002FD7D1,00000000,00000000,00000000,00000000,?,002FD7F8,00000000,00000007,00000000,?,002FDBF5,00000000,00000000), ref: 002F29F0

_free.LIBCMT ref: 002F22D0
_free.LIBCMT ref: 002F22E3
_free.LIBCMT ref: 002F22F4
_free.LIBCMT ref: 002F2305

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7614e4017b58eb7f5d438a8ba74f5a133c9c59259f5b8a6dd2478925315a3b69
Instruction ID: 034995a502476f1e67a3911450d2d439880138d101aca44b28d3c6484f296574
Opcode Fuzzy Hash: 7614e4017b58eb7f5d438a8ba74f5a133c9c59259f5b8a6dd2478925315a3b69
Instruction Fuzzy Hash: 67F090714A0216CB8B13BF54BC018287B6CB7197A0F102567F511D7271C73209219FA5

Function 002D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002D95D4
StrokeAndFillPath.GDI32(?,?,003171F7,00000000,?,?,?), ref: 002D95F0
SelectObject.GDI32(?,00000000), ref: 002D9603
DeleteObject.GDI32 ref: 002D9616
StrokePath.GDI32(?), ref: 002D9631

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 191fc493a7813d993a78e29812047ab028e3e7cc1d002fd39627f07e8405a9f3
Instruction ID: c1dd01239cd616a9b51712250c50448405b0e7def4af930a33dfd45701d6acc9
Opcode Fuzzy Hash: 191fc493a7813d993a78e29812047ab028e3e7cc1d002fd39627f07e8405a9f3
Instruction Fuzzy Hash: 36F03C31025706EFDB136F69ED1C7643B6DEB00366F048216F425661F0C73289A1DFA0

Function 002F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002F10F9
__freea.LIBCMT ref: 002F1117

Part of subcall function 002F1537: _free.LIBCMT ref: 002F154F

Strings

a/p, xrefs: 002F11DE
am/pm, xrefs: 002F117A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a4212cb9be1f5527f8b2d599d9c0134bc7b73770de8f9f232a53fc249e1cc863
Instruction ID: d489973c60c5467d49810a5f0f421482150359257efeecc9536f435dedd7d9d4
Opcode Fuzzy Hash: a4212cb9be1f5527f8b2d599d9c0134bc7b73770de8f9f232a53fc249e1cc863
Instruction Fuzzy Hash: C2D1E13193020FCADB289F68C855ABAF7B1EF05380FA401B9EB059B654D7759DB0CB91

Function 003461D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 002E0242: EnterCriticalSection.KERNEL32(0039070C,00391884,?,?,002D198B,00392518,?,?,?,002C12F9,00000000), ref: 002E024D
Part of subcall function 002E0242: LeaveCriticalSection.KERNEL32(0039070C,?,002D198B,00392518,?,?,?,002C12F9,00000000), ref: 002E028A

Part of subcall function 002E00A3: __onexit.LIBCMT ref: 002E00A9

__Init_thread_footer.LIBCMT ref: 00346238

Part of subcall function 002E01F8: EnterCriticalSection.KERNEL32(0039070C,?,?,002D8747,00392514), ref: 002E0202
Part of subcall function 002E01F8: LeaveCriticalSection.KERNEL32(0039070C,?,002D8747,00392514), ref: 002E0235

Part of subcall function 0033359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003335E4
Part of subcall function 0033359C: LoadStringW.USER32(00392390,?,00000FFF,?), ref: 0033360A

Strings

x#9, xrefs: 0034633A
x#9, xrefs: 00346353
x#9, xrefs: 0034636F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#9$x#9$x#9
API String ID: 1072379062-305294695
Opcode ID: c98e73a22acc473c93c7b5c125d34823302a49990e1708c59eb6fc20c5303918
Instruction ID: 0bc70814ace2ad0b616de72383c3801fb184a59e6ddba0052518b4a6dccf5af5
Opcode Fuzzy Hash: c98e73a22acc473c93c7b5c125d34823302a49990e1708c59eb6fc20c5303918
Instruction Fuzzy Hash: 18C18D71A00105AFCB16EF98C891EBEB7F9EF4A300F11816AF9059B291DB70ED55CB91

Function 002F8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 002F8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 002F8B7A
__dosmaperr.LIBCMT ref: 002F8B81

Strings

.., xrefs: 002F8A63

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: ..
API String ID: 2434981716-1970295553
Opcode ID: e9f4ba3c9f02f539d5c6de5cc9acfb9b2e4203fa3c04ad4e443195a991ec28a2
Instruction ID: fb0680e1c2ed27a952625531dd96f6656985d54a71f211744ac7ba8072be0027
Opcode Fuzzy Hash: e9f4ba3c9f02f539d5c6de5cc9acfb9b2e4203fa3c04ad4e443195a991ec28a2
Instruction Fuzzy Hash: 69419C7162414DAFDB259F24D881A79FFA5DB45388F2841BAFA85C7242DE31CD228750

Function 00322716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0032B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003221D0,?,?,00000034,00000800,?,00000034), ref: 0032B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00322760

Part of subcall function 0032B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0032B3F8

Part of subcall function 0032B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0032B355
Part of subcall function 0032B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00322194,00000034,?,?,00001004,00000000,00000000), ref: 0032B365
Part of subcall function 0032B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00322194,00000034,?,?,00001004,00000000,00000000), ref: 0032B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0032281A

Strings

@, xrefs: 00322832

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: aa9fd9178458ae900e24af1ae33b93da20f8beda12c2ddb1ab8d420d9b6ec1b0
Instruction ID: c2f931fc80a6fac972fbe09f54fb6229d3497550a33a77ee74cb46bc3072b403
Opcode Fuzzy Hash: aa9fd9178458ae900e24af1ae33b93da20f8beda12c2ddb1ab8d420d9b6ec1b0
Instruction Fuzzy Hash: 4E413D76900228BFDB11DBA4DD81ADEBBB8EF05300F004055FA55B7191DB706E45CB60

Function 002F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Deye Union - PO # 23081377.exe,00000104), ref: 002F1769
_free.LIBCMT ref: 002F1834
_free.LIBCMT ref: 002F183E

Strings

C:\Users\user\Desktop\Deye Union - PO # 23081377.exe, xrefs: 002F1760, 002F1767, 002F1796, 002F17CE

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Deye Union - PO # 23081377.exe
API String ID: 2506810119-2999299558
Opcode ID: 24d28949aadc741991b154614013731e0bf4ab89741bed8ecb9f60ffc0237c34
Instruction ID: 9c93ed5fbd7af01d977f8611167f114aeab7b59bc103eab853af72261f180549
Opcode Fuzzy Hash: 24d28949aadc741991b154614013731e0bf4ab89741bed8ecb9f60ffc0237c34
Instruction Fuzzy Hash: E9319371A1020DEFDB22EF999981DAEFBBCEB85390F504176EA0597211D7B04E60CB90

Function 00354416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0035CC08,00000000,?,?,?,?), ref: 003544AA
GetWindowLongW.USER32 ref: 003544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003544D7

Strings

SysTreeView32, xrefs: 0035447C

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 668cc426d00f6824969efdfa4a6727251ad48e798fe41687b8c283db746b79c8
Instruction ID: 1d9aa2fd142266b2755d64e425e416b6d5d216560acc899e1b3944ff2a83ab4d
Opcode Fuzzy Hash: 668cc426d00f6824969efdfa4a6727251ad48e798fe41687b8c283db746b79c8
Instruction Fuzzy Hash: 1C31DA71250205AFDF268E38DC45FEA3BA9EB09329F214715FD39A21E0E730EC949B50

Function 00354537 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0035461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00354634

Strings

', xrefs: 0035458E
Ph, xrefs: 003545D7

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend
String ID: '$Ph
API String ID: 3850602802-3120129456
Opcode ID: 22f907ef8b152f8cda56366cd58efe315e59715dd88e5b51d6ec9aeaf68705f9
Instruction ID: d49b896b25990842fece7f64982a869db2c8bccf06fa4454086b0a36089f4553
Opcode Fuzzy Hash: 22f907ef8b152f8cda56366cd58efe315e59715dd88e5b51d6ec9aeaf68705f9
Instruction Fuzzy Hash: D6313774A0030A9FDB19CF69C980FDABBB9FB09305F10446AED04AB351E730A985CF90

Function 00326E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00326EED
VariantCopyInd.OLEAUT32(?,?), ref: 00326F08
VariantClear.OLEAUT32(?), ref: 00326F12

Strings

*j2, xrefs: 00326E8B, 00326E90, 00326EF8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j2
API String ID: 2173805711-2640234633
Opcode ID: 92e794769fa3bbb10d5ef351e08a297f81a973485439f057e600d62556476b71
Instruction ID: 05f39b10ba1e75e97474b509486161e111c37c20d13f56e99f6bb79b84f7ccf8
Opcode Fuzzy Hash: 92e794769fa3bbb10d5ef351e08a297f81a973485439f057e600d62556476b71
Instruction Fuzzy Hash: A9317E71614265EFCF07AFA4F952DBD37B9EF85304F100599F8024B2A1C7349922DB90

Function 0034304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0034335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00343077,?,?), ref: 00343378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0034307A
_wcslen.LIBCMT ref: 0034309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00343106

Strings

255.255.255.255, xrefs: 00343095, 0034309A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 74796392ba597771c49822acc6f8ad2f34f120d838f7dea6a17d165c61c444ae
Instruction ID: 56693e0bd355133cda30be22ab2f8aa944edf979adf61e8ac01e1fc72da12f0e
Opcode Fuzzy Hash: 74796392ba597771c49822acc6f8ad2f34f120d838f7dea6a17d165c61c444ae
Instruction Fuzzy Hash: EE31F539204201DFCB12DF28C485E6977E0EF14318F258199E8168F792DB31FE41CB60

Function 003295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0032961D

Strings

#OnAutoItStartRegister, xrefs: 003295F3
#notrayicon, xrefs: 003295B7
#requireadmin, xrefs: 003295D9

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 3a88f2dc0f6c9ecccf92c17ce175b414065c1fdf2a0f9d10f1b0dc578b81349a
Instruction ID: a1ff3a40c1c1bd28f65ff55978ed1bbe78ba59e6ff98a7e95116ca076a632036
Opcode Fuzzy Hash: 3a88f2dc0f6c9ecccf92c17ce175b414065c1fdf2a0f9d10f1b0dc578b81349a
Instruction Fuzzy Hash: 622165322142206AC333AA25AC02FBB73DC9F92320F64402BF98997081EB50AD55C6A5

Function 003537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00353840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00353850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00353876

Strings

Listbox, xrefs: 0035380F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a4f32c50859c6215e741e4f827a92237edd725e079a29b137e7f1659f32d7b05
Instruction ID: da703f1f7809b7453d8647492fa5e52bca2dc37530e89a748846c4e95a93680f
Opcode Fuzzy Hash: a4f32c50859c6215e741e4f827a92237edd725e079a29b137e7f1659f32d7b05
Instruction Fuzzy Hash: A821C272610218BFEF128F64CC45FBB376EEF89795F118114F910AB1A0C671DC568BA0

Function 003349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00334A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00334A5C
SetErrorMode.KERNEL32(00000000,?,?,0035CC08), ref: 00334AD0

Strings

%lu, xrefs: 00334A6F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: ca12bae434256a4ab9e68f3209b066376247f6ee9f4e6fc23d5e390698c879b9
Instruction ID: 7dcf68dba8f1278acf7979fa9f5774d64d57ff8ceddaf51bf306166ac81a6a88
Opcode Fuzzy Hash: ca12bae434256a4ab9e68f3209b066376247f6ee9f4e6fc23d5e390698c879b9
Instruction Fuzzy Hash: 58314175A00209AFDB11DF54C985EAA7BF8EF08308F148099F905DB262D771EE45CF61

Function 003541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0035424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00354264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00354271

Strings

msctls_trackbar32, xrefs: 00354226

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5858358acef230d52d31809ac0a7e69fcbc8f7b518551a2e58a0d1785c572b4c
Instruction ID: a0fba1367efb367f8a4b0a99fb73d7a8f501f9debbb86e975d356df556d8ceea
Opcode Fuzzy Hash: 5858358acef230d52d31809ac0a7e69fcbc8f7b518551a2e58a0d1785c572b4c
Instruction Fuzzy Hash: 80110631240308BEEF225F29CC06FAB7BACEF85B59F120514FE55E60A0D271DC519B20

Function 00322F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

Part of subcall function 00322DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00322DC5
Part of subcall function 00322DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00322DD6
Part of subcall function 00322DA7: GetCurrentThreadId.KERNEL32 ref: 00322DDD
Part of subcall function 00322DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00322DE4

GetFocus.USER32 ref: 00322F78

Part of subcall function 00322DEE: GetParent.USER32(00000000), ref: 00322DF9

GetClassNameW.USER32(?,?,00000100), ref: 00322FC3
EnumChildWindows.USER32(?,0032303B), ref: 00322FEB

Strings

%s%d, xrefs: 00322FFF

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 679b49605441f376b6ca20ec00e31c3d8f35d57ad53a46a9a1ec617b836b389b
Instruction ID: 972cb960d087ca4d873a87e53981a15f5ac7abbf3b7387e2666df7998689bef7
Opcode Fuzzy Hash: 679b49605441f376b6ca20ec00e31c3d8f35d57ad53a46a9a1ec617b836b389b
Instruction Fuzzy Hash: C811E4712003156BCF02BF749C95FEE37AAAF84308F048079F909AB252DE349A498B70

Function 00355882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003558EE
DrawMenuBar.USER32(?), ref: 003558FD

Strings

0, xrefs: 0035588F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 02f40ff5056893a58018743d20c90ce068b67b116fab2f6b58df09f5e26c9809
Instruction ID: 1bd2148da1e388c7243a0498f5856e66f2c2364fa3e2b3ccc6fbb42d0da9d3c2
Opcode Fuzzy Hash: 02f40ff5056893a58018743d20c90ce068b67b116fab2f6b58df09f5e26c9809
Instruction Fuzzy Hash: 1701A131510208EFDB129F51DC44FAEBBB8FB45362F108099E849D6271DB309A94DF60

Function 00357803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,003918B0,0035A364,000000FC,?,00000000,00000000,?,?,?,003176CF,?,?,?,?,?), ref: 00357805
GetFocus.USER32 ref: 0035780D

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

Part of subcall function 002D9944: GetWindowLongW.USER32(?,000000EB), ref: 002D9952

SendMessageW.USER32(00E6DF50,000000B0,000001BC,000001C0), ref: 0035787A

Strings

Ph, xrefs: 00357841, 00357852

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: Ph
API String ID: 3601265619-1955597793
Opcode ID: 991cc6d6ee85d8c1989edaa94c02ecde9ba00ddff5956a2e76d7adfa2b233f00
Instruction ID: 695f63bdfbb0b657e7f816a34f7c4f50ca72f4662cc7048e210071f928f80ee5
Opcode Fuzzy Hash: 991cc6d6ee85d8c1989edaa94c02ecde9ba00ddff5956a2e76d7adfa2b233f00
Instruction Fuzzy Hash: F50184315052008FC727DB28E859EB677E9EF8A325F19066EE415872B0CB316C46CF80

Function 0031D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0031D3BF
FreeLibrary.KERNEL32 ref: 0031D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0031D3B9
X64, xrefs: 0031D2A8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 13ed185421ee87c6e467b23ad16c47809d0076f7d44fc052f883df4316aeccbc
Instruction ID: 9c1a66cdf08f6878d5c47f33aee2264a64c8451590cba47fa4e670fead3eab9d
Opcode Fuzzy Hash: 13ed185421ee87c6e467b23ad16c47809d0076f7d44fc052f883df4316aeccbc
Instruction Fuzzy Hash: 58F05C7D024B118BD77F22104C889EA332CAF1B306F515956E033E10A0DB70CDC2C642

Function 0032007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc373f0fcc7a264fe6a7f835c58a34811b26446410b0a9ac6b3f878725da530
Instruction ID: 858079b0f1a0e5e70c369ec608f5b9f5e4e3c13fd950a93b9fe37328869803a1
Opcode Fuzzy Hash: adc373f0fcc7a264fe6a7f835c58a34811b26446410b0a9ac6b3f878725da530
Instruction Fuzzy Hash: 79C18D75A0022AEFDB09CFA4D894EAEB7B5FF48704F218598E505EB252C731ED45CB90

Function 0034342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00343459
CoUninitialize.OLE32 ref: 00343463
VariantInit.OLEAUT32(?), ref: 0034346E
VariantClear.OLEAUT32(?), ref: 0034371B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 15646aa68f51a6d36bda4c7f009be70d0dd37ea6fe2f3cbc131239811f9293e8
Instruction ID: 7d498a900f3424a386e40cdb4dd5197e4db3c725a6ddcefbd86a3cf95fad8e77
Opcode Fuzzy Hash: 15646aa68f51a6d36bda4c7f009be70d0dd37ea6fe2f3cbc131239811f9293e8
Instruction Fuzzy Hash: A9A126752142009FC701DF28C985A2AB7E9FF89714F05895DF98A9B362DB30EE01CF91

Function 00320436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0035FC08,?), ref: 003205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0035FC08,?), ref: 00320608
CLSIDFromProgID.OLE32(?,?,00000000,0035CC40,000000FF,?,00000000,00000800,00000000,?,0035FC08,?), ref: 0032062D
_memcmp.LIBVCRUNTIME ref: 0032064E

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 69740b0902f0f97c8389962a297aed727e540cc494434e8c90d9b6a47b5afe30
Instruction ID: 2b3dbc712796b20760f8644c1736febb0dcd8b182c556d633afc672d8f814da4
Opcode Fuzzy Hash: 69740b0902f0f97c8389962a297aed727e540cc494434e8c90d9b6a47b5afe30
Instruction Fuzzy Hash: 46811C71A00219EFCB05DF94C984EEEB7B9FF89315F204558E506AB251DB71AE0ACF60

Function 00301391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003014C0

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9e76c349b7ab0c0a653dfbe1a3a2736ad6c746d76f27c26b72d789e2b8f42fa5
Instruction ID: 62b70203429b1f6dc2c9219ed36e6a13efd595de31faca8c72499371921c3c8a
Opcode Fuzzy Hash: 9e76c349b7ab0c0a653dfbe1a3a2736ad6c746d76f27c26b72d789e2b8f42fa5
Instruction Fuzzy Hash: E9417C31651104ABDB236BBF8C55ABE3AB8EF42370F150225F918C71E1E77448515A61

Function 00341AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00341AFD
WSAGetLastError.WSOCK32 ref: 00341B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00341B8A
WSAGetLastError.WSOCK32 ref: 00341B94

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 1463153dee6d5962f088d11fcdb275eefdb3d82f210e67034cd43a20adcd5741
Instruction ID: f1531cf3d91a9b372087e65b25781539a64e2be82439196fd6cc4004e6314059
Opcode Fuzzy Hash: 1463153dee6d5962f088d11fcdb275eefdb3d82f210e67034cd43a20adcd5741
Instruction Fuzzy Hash: CB41B234640700AFE721AF24C886F2A77E5EB44718F54854CF91A9F7D2D772ED928B90

Function 002FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c1f5b234c973171d79f4f327ed3fdc82dc2aaf9cfac8ffe841018b8378eb36
Instruction ID: 6551d2f1cc4d4b179771ae2e213b98f291f1660902d673483b7a1fc7b48ecae0
Opcode Fuzzy Hash: 61c1f5b234c973171d79f4f327ed3fdc82dc2aaf9cfac8ffe841018b8378eb36
Instruction Fuzzy Hash: 7E412A75A10708AFD726AF38CD51B7AFBE9EB88750F10453AF601DB681D371A9118F80

Function 003356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00335783
GetLastError.KERNEL32(?,00000000), ref: 003357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003357FA

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 86549601594310eb140a18a07e53a254f257c80c1ec344b8ed60daf2d0315a6e
Instruction ID: c43cd8b7a829fee3739418cf945083a7cdff9d4d3846022679023beaca759b9c
Opcode Fuzzy Hash: 86549601594310eb140a18a07e53a254f257c80c1ec344b8ed60daf2d0315a6e
Instruction Fuzzy Hash: 26411939610610DFCB11DF15C485A1ABBE2AF89320F198888EC4AAB362CB34FD11DF91

Function 002FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,002E6D71,00000000,00000000,002E82D9,?,002E82D9,?,00000001,002E6D71,?,00000001,002E82D9,002E82D9), ref: 002FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 002FD9AB
__freea.LIBCMT ref: 002FD9B4

Part of subcall function 002F3820: RtlAllocateHeap.NTDLL(00000000,?,00391444,?,002DFDF5,?,?,002CA976,00000010,00391440,002C13FC,?,002C13C6,?,002C1129), ref: 002F3852

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0d33cefb6f10d0326907c97295cd3efd9edc4f5cc69e7e963e95b8d514de053d
Instruction ID: 02971ee1fa6d1f9b876de2394be1f8fd4f8d861db63e600436ba6945eea99373
Opcode Fuzzy Hash: 0d33cefb6f10d0326907c97295cd3efd9edc4f5cc69e7e963e95b8d514de053d
Instruction Fuzzy Hash: 3D31A072A2020AABDF259FA5DC45EBEBBA6EB40350F054178FD04D6250E775CD60CB90

Function 0032AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 0032ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0032AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0032AC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 0032ACC6

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4492266b8547e70e8ebb5f9f5e91558e7ef6378b2d22a56c1f85085116569352
Instruction ID: aa8c473a026f9c3df2dbeb1a6450d00e38d25eabfaf601977314852d157eceae
Opcode Fuzzy Hash: 4492266b8547e70e8ebb5f9f5e91558e7ef6378b2d22a56c1f85085116569352
Instruction Fuzzy Hash: 46312870A04B38AFFF37CB65EC047FE7BA9AB85711F04421AE481D61E1C37489858792

Function 003516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003516EB

Part of subcall function 00323A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00323A57
Part of subcall function 00323A3D: GetCurrentThreadId.KERNEL32 ref: 00323A5E
Part of subcall function 00323A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003225B3), ref: 00323A65

GetCaretPos.USER32(?), ref: 003516FF
ClientToScreen.USER32(00000000,?), ref: 0035174C
GetForegroundWindow.USER32 ref: 00351752

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b5c61cd0fc3a25f60e7c3359f273946bb53e290891448fb70b5fc96b53eec857
Instruction ID: 3b7f1bc1a78ee658eda6267d19f9a724d669dc9c4332d17062920420d42918bb
Opcode Fuzzy Hash: b5c61cd0fc3a25f60e7c3359f273946bb53e290891448fb70b5fc96b53eec857
Instruction Fuzzy Hash: BC313D71D10249AFC701EFAAC881DAEBBFDEF48304B5080AAE415E7611E6359E45CFA0

Function 0032D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0032D501
Process32FirstW.KERNEL32(00000000,?), ref: 0032D50F
Process32NextW.KERNEL32(00000000,?), ref: 0032D52F
CloseHandle.KERNEL32(00000000), ref: 0032D5DC

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 819dac8b5b1d710e742cdb98c827af0468266684d8882eb71de8cc0139d51d51
Instruction ID: 875f9a657b50bc1687575afcb0503fe52beafcfdc91068c53c1fe59c1525f0db
Opcode Fuzzy Hash: 819dac8b5b1d710e742cdb98c827af0468266684d8882eb71de8cc0139d51d51
Instruction Fuzzy Hash: 783172711083409FD301EF54D885EAFBBE8EF99354F14052DF581871A1EB719A94CB92

Function 0032D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0035CB68), ref: 0032D2FB
GetLastError.KERNEL32 ref: 0032D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0032D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0035CB68), ref: 0032D376

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 76f165fdc635471e7c257aff6833ea18e6c3c37fc03f3f371c485fc8a817bfcc
Instruction ID: 8cd686ab6b81af2bf611b561b065f5bb2c5eaa1b171eb3a4cd98601721824113
Opcode Fuzzy Hash: 76f165fdc635471e7c257aff6833ea18e6c3c37fc03f3f371c485fc8a817bfcc
Instruction Fuzzy Hash: 9E21A1745183119FC701DF28E8858AEB7E8EE56368F104B1DF499C72A1D731D949CB93

Function 00321571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00321014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0032102A
Part of subcall function 00321014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00321036
Part of subcall function 00321014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00321045
Part of subcall function 00321014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0032104C
Part of subcall function 00321014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00321062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003215BE
_memcmp.LIBVCRUNTIME ref: 003215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00321617
HeapFree.KERNEL32(00000000), ref: 0032161E

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 496f59ae0743805f71cc7eb51f17dc3d3551556dd549a7dc6f6401f3fa63f80e
Instruction ID: 9f07dfd603885b8da699110314306446a5168d7dce7c348d36ed566191de3b73
Opcode Fuzzy Hash: 496f59ae0743805f71cc7eb51f17dc3d3551556dd549a7dc6f6401f3fa63f80e
Instruction Fuzzy Hash: 2E21CC31E00218EFDF01DFA4DA44BEEB7F8EF50345F198499E841AB240E730AA04CBA0

Function 00352782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0035280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00352824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00352832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00352840

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 059086dbea1a880e3e95c4e97003cd7e0309f01f2239d9dbc89b94072ac82b00
Instruction ID: 608d2352e7141903ab4ca2c22d5594e7441a2a7a79d3edbd93a7fa2c22424a63
Opcode Fuzzy Hash: 059086dbea1a880e3e95c4e97003cd7e0309f01f2239d9dbc89b94072ac82b00
Instruction Fuzzy Hash: 7721B231214211AFD716DB24C845F6A7799AF46329F158258F8268B6B2CB71EC46CBD0

Function 003278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00328D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0032790A,?,000000FF,?,00328754,00000000,?,0000001C,?,?), ref: 00328D8C
Part of subcall function 00328D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00328DB2
Part of subcall function 00328D7D: lstrcmpiW.KERNEL32(00000000,?,0032790A,?,000000FF,?,00328754,00000000,?,0000001C,?,?), ref: 00328DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00328754,00000000,?,0000001C,?,?,00000000), ref: 00327923
lstrcpyW.KERNEL32(00000000,?), ref: 00327949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00328754,00000000,?,0000001C,?,?,00000000), ref: 00327984

Strings

cdecl, xrefs: 0032797B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1e80e200a0a8f21346f4f8364ebeae28f051dd5daec3010cbbccafc773c630be
Instruction ID: f863494e94aca166b9cb4dabff33c7c7cab0b77dfed9cb3fb98c2c91dcab84ee
Opcode Fuzzy Hash: 1e80e200a0a8f21346f4f8364ebeae28f051dd5daec3010cbbccafc773c630be
Instruction Fuzzy Hash: A911E63A200312AFCB169F34E845E7A77A9FF85354B50402AF946CB3A4EB319951C7A1

Function 00355660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 003556BB
_wcslen.LIBCMT ref: 003556CD
_wcslen.LIBCMT ref: 003556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00355816

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: f97dedbddb39df6534db2f63ca710696d395fe649e135154268c7b5bb3547639
Instruction ID: 374a6307d8205c3135fe96ed55a822718f35fde2f26a4a28c4ef5d5c755f40db
Opcode Fuzzy Hash: f97dedbddb39df6534db2f63ca710696d395fe649e135154268c7b5bb3547639
Instruction Fuzzy Hash: E011037160464896DF229FA2CC81EEE77BCEF00366F504026FD05E60A1E770EA88CF60

Function 00321A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00321A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00321A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00321A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00321A8A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4b2b7356128b7781a648253461ae77d0e19fa9ad6f129438e1a5008e93eed894
Instruction ID: 33597bdc48b3e10639259284896ff5db548d35371148c863df11fa2d6a624af1
Opcode Fuzzy Hash: 4b2b7356128b7781a648253461ae77d0e19fa9ad6f129438e1a5008e93eed894
Instruction Fuzzy Hash: FB112A3A901229FFEB119BA4C985FADFB78EB18750F200091E600B7290D671AE50DB94

Function 0032E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0032E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0032E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0032E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0032E24D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 3c8bae6ffc62d23c01629c43a129e14cac0f1cf1f3e53a5c18234aa8660c3920
Instruction ID: 2bddf556d4d2f982ecf3648398544d24f4daa05783880cced24289495dde1b7f
Opcode Fuzzy Hash: 3c8bae6ffc62d23c01629c43a129e14cac0f1cf1f3e53a5c18234aa8660c3920
Instruction Fuzzy Hash: 96110876904369FFC7039BA8EC46A9E7FACEB45315F104216F925E3291D271CD0087A0

Function 002ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,002ECFF9,00000000,00000004,00000000), ref: 002ED218
GetLastError.KERNEL32 ref: 002ED224
__dosmaperr.LIBCMT ref: 002ED22B
ResumeThread.KERNEL32(00000000), ref: 002ED249

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: bf6834c8ae8fd0888d05bccab5dd206f7f22142513833921863aff299414e172
Instruction ID: 6b23cc8ffdb6b85bb056a8b002c274d334ebd9f854f7ce78d78dd5454a31a5c3
Opcode Fuzzy Hash: bf6834c8ae8fd0888d05bccab5dd206f7f22142513833921863aff299414e172
Instruction Fuzzy Hash: 0C0126368B5249BFCB115FA7DC05BAE7A6DDF82331F500219FE24960E1CB708921CAA0

Function 002C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002C604C
GetStockObject.GDI32(00000011), ref: 002C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 002C606A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5e2a18b5145d098f6c8e7154cef5c7d9514fbdec395f252a3f8037f737556198
Instruction ID: 55396fb56519085edda54ef252241c5abef21b0279e9d0595277555921fea1ed
Opcode Fuzzy Hash: 5e2a18b5145d098f6c8e7154cef5c7d9514fbdec395f252a3f8037f737556198
Instruction Fuzzy Hash: E2116172511609BFEF124F949C58FEABB6DFF0C359F050215FA1462120D7329C60DB90

Function 002E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 002E3B56

Part of subcall function 002E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 002E3AD2
Part of subcall function 002E3AA3: ___AdjustPointer.LIBCMT ref: 002E3AED

_UnwindNestedFrames.LIBCMT ref: 002E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 002E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 002E3BA4

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: fd0933293a348bf87d55a056e6fe605dadfcf6311371971f9e92ebf4d9a106bc
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: CE012D32150189BBDF12AE96CC46DEB3B69EF48759F444018FE4856121C732D971DFA0

Function 002F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002C13C6,00000000,00000000,?,002F301A,002C13C6,00000000,00000000,00000000,?,002F328B,00000006,FlsSetValue), ref: 002F30A5
GetLastError.KERNEL32(?,002F301A,002C13C6,00000000,00000000,00000000,?,002F328B,00000006,FlsSetValue,00362290,FlsSetValue,00000000,00000364,?,002F2E46), ref: 002F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002F301A,002C13C6,00000000,00000000,00000000,?,002F328B,00000006,FlsSetValue,00362290,FlsSetValue,00000000), ref: 002F30BF

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1d8a0d8d9b71084c78606da015deddce4e23e81f926ee018a1cd647b91934b61
Instruction ID: e178ba88d251a4bff5b07fdcde107928722b7e0005f8ab6ff8b31a27ef26988d
Opcode Fuzzy Hash: 1d8a0d8d9b71084c78606da015deddce4e23e81f926ee018a1cd647b91934b61
Instruction Fuzzy Hash: 0F01B53233132AABCB228A699C44966B79C9F05BE1F100639EA06D3250CF21D951C6D0

Function 00327464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0032747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00327497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003274CA

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: a4c01b6da5f8817795582f2074e29ac4a82d37239ad54bd4760b32d2f18ddbd5
Instruction ID: 43c1ed43254dfc7e1957861c7e8556ef5e1ce9bcc06cce20c6acbe12e5fa8317
Opcode Fuzzy Hash: a4c01b6da5f8817795582f2074e29ac4a82d37239ad54bd4760b32d2f18ddbd5
Instruction Fuzzy Hash: 9611C4B12153209FE7229F16EC08FA27FFCFB00B04F508569A616D6551D770E904DB91

Function 0032B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0032ACD3,?,00008000), ref: 0032B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0032ACD3,?,00008000), ref: 0032B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0032ACD3,?,00008000), ref: 0032B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0032ACD3,?,00008000), ref: 0032B126

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ee852b30ad94f38bc323172de1a1e3d0ca57fd1651b2852a13b6f4c5e4dfde7e
Instruction ID: 6fc0af3f4d7f604792bd5d39733c76cb54eb0a30c2a77d3f5c6631bc7443de95
Opcode Fuzzy Hash: ee852b30ad94f38bc323172de1a1e3d0ca57fd1651b2852a13b6f4c5e4dfde7e
Instruction Fuzzy Hash: B1115E31C11A3DDBCF02AFE4E9696EEFB78FF09711F114085D981B2151CB3056608B51

Function 00322DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00322DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00322DD6
GetCurrentThreadId.KERNEL32 ref: 00322DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00322DE4

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 46e7efe91532bd3aeded4cd5975f4d69892915c33f425cc2509abbcbd56d6bb1
Instruction ID: 576a4ca17e55085e69b80fe280d60ba0c3fb72ebc2cb25b1ced575f54b4bf498
Opcode Fuzzy Hash: 46e7efe91532bd3aeded4cd5975f4d69892915c33f425cc2509abbcbd56d6bb1
Instruction Fuzzy Hash: 3AE06D72111334BBD7221B72AC0DEEB3E6CEB42BA6F041015B105D10A09AA48A40C6B0

Function 00358863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D9693
Part of subcall function 002D9639: SelectObject.GDI32(?,00000000), ref: 002D96A2
Part of subcall function 002D9639: BeginPath.GDI32(?), ref: 002D96B9
Part of subcall function 002D9639: SelectObject.GDI32(?,00000000), ref: 002D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00358887
LineTo.GDI32(?,?,?), ref: 00358894
EndPath.GDI32(?), ref: 003588A4
StrokePath.GDI32(?), ref: 003588B2

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3e4ee247cc7f7d2f97bf8e5ddcec03b310c14ccda48629a30ce0db2b7d43f7ba
Instruction ID: 540c88f2619e846e6b2b7ce4932c6f44185a2ce8b34c32be86d999784421e452
Opcode Fuzzy Hash: 3e4ee247cc7f7d2f97bf8e5ddcec03b310c14ccda48629a30ce0db2b7d43f7ba
Instruction Fuzzy Hash: 4DF03A36051359BADB136F94AC09FCA3B5DAF06316F048001FA21760F1C7769561CFE5

Function 002D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002D98CC
SetTextColor.GDI32(?,?), ref: 002D98D6
SetBkMode.GDI32(?,00000001), ref: 002D98E9
GetStockObject.GDI32(00000005), ref: 002D98F1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 8939f0ddf10b9b50732d1c82c7ecedef1d0e960ace10e7be53b8dd261127abd4
Instruction ID: 27a958f03fc62b28b10356d592cd21c73d93aa4f190e8b472ffed42d5db83b8c
Opcode Fuzzy Hash: 8939f0ddf10b9b50732d1c82c7ecedef1d0e960ace10e7be53b8dd261127abd4
Instruction Fuzzy Hash: 80E06D31254780AEDB225B79AC09BE83F25AB1633AF18821AF6FA580F1C7714690DB10

Function 0032162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00321634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003211D9), ref: 0032163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003211D9), ref: 00321648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003211D9), ref: 0032164F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 01797758be750c59e3798378203db727b46477b9dd77629ca5293e50b7300a6a
Instruction ID: cb61ab7d43504421550c51d0bdc47592a353d4eb197667baba2b3e2b0dd1853f
Opcode Fuzzy Hash: 01797758be750c59e3798378203db727b46477b9dd77629ca5293e50b7300a6a
Instruction Fuzzy Hash: C5E08671612321EFD7711FA0AE0DB4A3B7CFF54B97F154808F645CA0A0D6348440C750

Function 0031D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0031D858
GetDC.USER32(00000000), ref: 0031D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0031D882
ReleaseDC.USER32(?), ref: 0031D8A3

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cb0b5a19aa6687f2109ba835cb301aac42be018672e50666515e776062e57f7e
Instruction ID: 7ab07a5f08e80028e4b67b1947077e770f3204555ad626e0284ed2ea7bb86365
Opcode Fuzzy Hash: cb0b5a19aa6687f2109ba835cb301aac42be018672e50666515e776062e57f7e
Instruction Fuzzy Hash: FAE01AB0820304DFCF429FA0D808A6DBBB9FB08316F249009E80AE7260C7388A51EF40

Function 0031D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0031D86C
GetDC.USER32(00000000), ref: 0031D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0031D882
ReleaseDC.USER32(?), ref: 0031D8A3

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5d6e12cbde9c48eebdcba80061020467a308a2e89fb13c67e0ae4c7f029ed862
Instruction ID: 692638bb13ffe735e76c1bc351704d042edd7fdc8400e7a867814739540cdf91
Opcode Fuzzy Hash: 5d6e12cbde9c48eebdcba80061020467a308a2e89fb13c67e0ae4c7f029ed862
Instruction Fuzzy Hash: 65E09A75820304DFCF529FA0D80866DBBB9FB48716F149449E94AE7260C7785A11DF50

Function 00334D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 002C7620: _wcslen.LIBCMT ref: 002C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00334ED4

Strings

*, xrefs: 00334E10
LPT, xrefs: 00334DFB

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 85358ec6ef211b06f0a1a1d5210f3f6ee6a9c518b8dc7bcf0a47178005ad581f
Instruction ID: e2221f8c5bd9be5dfd99426baa96460d859a97c0f8ecc4712406453f8ad9febd
Opcode Fuzzy Hash: 85358ec6ef211b06f0a1a1d5210f3f6ee6a9c518b8dc7bcf0a47178005ad581f
Instruction Fuzzy Hash: 91915C75A002049FCB15DF58C4C4EAABBF5AF48304F198099E84A9F7A2D735EE85CF91

Function 002EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002EE30D

Strings

pow, xrefs: 002EE2E5, 002EE302

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8741427a82231bc309fc9b9bab8cd5c810d24702f330dd67506fc739f13a2921
Instruction ID: 0303948c1875f55abdae2038098b535ecf837fe585590973bbdf658e6c4da247
Opcode Fuzzy Hash: 8741427a82231bc309fc9b9bab8cd5c810d24702f330dd67506fc739f13a2921
Instruction Fuzzy Hash: 2251906197C14B96CF127F15CD0137ABB98EB40780FB189B9E1D6422E9DB714CB19E42

Function 00347771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0031569E,00000000,?,0035CC08,?,00000000,00000000), ref: 003478DD

Part of subcall function 002C6B57: _wcslen.LIBCMT ref: 002C6B6A

CharUpperBuffW.USER32(0031569E,00000000,?,0035CC08,00000000,?,00000000,00000000), ref: 0034783B

Strings

<s8, xrefs: 003477C8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s8
API String ID: 3544283678-4263532365
Opcode ID: 7529f51e9b1fc285124c6098ba594c9b690e253c61a85b1270fdd59afca2247a
Instruction ID: 7c966a9b16139bc6cfe72053a6aff0ab2a06b53b4814814dbfb8bb5f61b6642d
Opcode Fuzzy Hash: 7529f51e9b1fc285124c6098ba594c9b690e253c61a85b1270fdd59afca2247a
Instruction Fuzzy Hash: D7616F36924218AACF06FBA4CC91EFDB3B8BF14304B544629E542B7091EF306A55CFA0

Function 002DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 002DE1B1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: c21180b898522610dd6604b31d4c0c41b45538199bc29913e01d01a501562191
Instruction ID: 8a5f01687fbecceae36840fd526d930dac4e6a7c9bab60444d96a6c4f194a427
Opcode Fuzzy Hash: c21180b898522610dd6604b31d4c0c41b45538199bc29913e01d01a501562191
Instruction Fuzzy Hash: 45512635900346DFEF1AEF68C485AFA7BA8EF29310F25405AEC519B2D0D7319D92CB90

Function 002DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 002DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 002DF2BB

Strings

@, xrefs: 002DF2AF

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9d0dd8dc5090db97cce9c6fc0e23696b7e6cc1ce3b6af0459fbc314833565681
Instruction ID: f2777accd53e9df49084140b40c60ac7433a20b9a4ef892d80f46791e749a26e
Opcode Fuzzy Hash: 9d0dd8dc5090db97cce9c6fc0e23696b7e6cc1ce3b6af0459fbc314833565681
Instruction Fuzzy Hash: AA5134724287449BD320AF14DC86BABBBFCFB84304F81895DF1D9411A5EB708979CB66

Function 00345745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003457E0
_wcslen.LIBCMT ref: 003457EC

Strings

CALLARGARRAY, xrefs: 003457E6, 003457EB

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 914cdf5a67c09beef0aca48091c01a3162fe5c9feaa3bd81e3c4091584efd3e5
Instruction ID: fb2837700a0fc9b18e977ac707272dc97629d50f43c128a2df2067cde6f3d2bb
Opcode Fuzzy Hash: 914cdf5a67c09beef0aca48091c01a3162fe5c9feaa3bd81e3c4091584efd3e5
Instruction Fuzzy Hash: 7341A231E102199FCB05EFA9C881DAEBBF5FF59314F114169E405AB252EB30AD81CF90

Function 0033D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0033D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0033D13A

Strings

|, xrefs: 0033D10B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 4125aeeac889a72da8963a1bf1f239d6181a89fcaada6c20bcb453276d341f0a
Instruction ID: d9ffa5b1a16742ff7e7c578063ba8d2f7fc4b4622e9486c7e88490896dfe51a3
Opcode Fuzzy Hash: 4125aeeac889a72da8963a1bf1f239d6181a89fcaada6c20bcb453276d341f0a
Instruction Fuzzy Hash: AE311871D10209ABCF15EFA5DC85EEEBFB9FF04300F000119E815A6162E731AA56CF60

Function 0035356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00353621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0035365C

Strings

static, xrefs: 003535BC

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a921fe1b51954421af4d58102de19f332ea7accd01dfedcc21b21f7bdd9abfff
Instruction ID: 456903c2bf7f0dda46140556abc2bf5ed6ba1660c8f8ce91ddbcaa19da3b2e55
Opcode Fuzzy Hash: a921fe1b51954421af4d58102de19f332ea7accd01dfedcc21b21f7bdd9abfff
Instruction Fuzzy Hash: E131BC71110204AEDB119F28CC80FFB73A9FF88765F11961DFCA5972A0DA30AD96CB60

Function 002D97C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

Part of subcall function 002D9944: GetWindowLongW.USER32(?,000000EB), ref: 002D9952

GetParent.USER32(?), ref: 003173A3
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 0031742D

Strings

Ph, xrefs: 002D980F, 003173D2, 003173F9

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: Ph
API String ID: 2181805148-1955597793
Opcode ID: 2fa6a065840c6ea22bea5fe8e430b214a23d5b485bff1bd941b10f0643fefc00
Instruction ID: f96352238a46b765b2dcc9e872bb0af56c7bf9ad352e43196e8304aa78006bba
Opcode Fuzzy Hash: 2fa6a065840c6ea22bea5fe8e430b214a23d5b485bff1bd941b10f0643fefc00
Instruction Fuzzy Hash: 6F21F634614105AFCB279F29CC58DE93BA5EF0A370F094256F9268B3B1C7319DA1EB80

Function 003531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0035327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00353287

Strings

Combobox, xrefs: 00353249

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 57a8fcdaf3477459775e90aab0305bd02a27fa84e767faaad3e57d3f4d5ca4a9
Instruction ID: 4ccfb6278681b17c833ec7334bf33c267c3510e233bd6214585eb93fae5bfcbc
Opcode Fuzzy Hash: 57a8fcdaf3477459775e90aab0305bd02a27fa84e767faaad3e57d3f4d5ca4a9
Instruction Fuzzy Hash: D011E2713046087FEF229F54DC80EBB776EEB943A5F114528F918A72A0D631DD5587A0

Function 003532A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 003532C7
CreatePopupMenu.USER32 ref: 00353339

Strings

Ph, xrefs: 00353313, 0035334B

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CreateMenuPopup
String ID: Ph
API String ID: 3826294624-1955597793
Opcode ID: b7cb395243689750ea00720bb5f78d2e0c802adb0c671daaf10209905ea7f04a
Instruction ID: c76870794f4bcf39dcfbb649abd03fb4b3ab39388edf840a7f92fb3086753760
Opcode Fuzzy Hash: b7cb395243689750ea00720bb5f78d2e0c802adb0c671daaf10209905ea7f04a
Instruction Fuzzy Hash: C3215E346056049FCB12CF28C445FA6B7E5FB0E3A5F05845AEC599B361D331AD06DF51

Function 00353710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 002C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002C604C
Part of subcall function 002C600E: GetStockObject.GDI32(00000011), ref: 002C6060
Part of subcall function 002C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002C606A

GetWindowRect.USER32(00000000,?), ref: 0035377A
GetSysColor.USER32(00000012), ref: 00353794

Strings

static, xrefs: 00353757

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 73568ae74ac3a15894f55b6b0980f01b20b3957d06b00b3144288df47ad14b93
Instruction ID: 6e5fcf7063b4b04c4461ece47c13e6080af4cb596abef58e68a48aa39023e09d
Opcode Fuzzy Hash: 73568ae74ac3a15894f55b6b0980f01b20b3957d06b00b3144288df47ad14b93
Instruction Fuzzy Hash: 06116AB2A1020AAFDF02DFA8CC45EEA7BB8FB08345F014914FD55E2260E735E955DB50

Function 00356181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003561FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00356225

Strings

Ph, xrefs: 003561A2

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend
String ID: Ph
API String ID: 3850602802-1955597793
Opcode ID: 2afe1a25dd45e37ce75534f0345e2b38679df8dcdaf4c54f717e9c0842b0c274
Instruction ID: e13dbc1ddb79643cb517c5d8090f98ec444d0735dfe406f31841797fa7489548
Opcode Fuzzy Hash: 2afe1a25dd45e37ce75534f0345e2b38679df8dcdaf4c54f717e9c0842b0c274
Instruction Fuzzy Hash: C111B231240218BEEF128F68CD17FB93BA8EB05316F814615FE16AB1F1D2B1DA14DB50

Function 0033CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0033CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0033CDA6

Strings

<local>, xrefs: 0033CD66

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: eccd08de5334ce70798403fba95abfd906719545e18fbcb6961844cb2d227242
Instruction ID: 170a53b62e6a02f4991fcd4492df5c10a2a1dd51c69f7f21c1976dd4b12c621a
Opcode Fuzzy Hash: eccd08de5334ce70798403fba95abfd906719545e18fbcb6961844cb2d227242
Instruction Fuzzy Hash: B411C275225731BED73A4B668C89EE7BEACEF127A4F00522AB109A3490D7709840D7F0

Function 00353429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003534BA

Strings

edit, xrefs: 0035348F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 505191ed9d8a5dc77f0d93ab74609a79e682768bc2b6a93faaecd2b225cb14f7
Instruction ID: ef6eb19581f0ea91d02354ee88362e88030487ff489cc7dd9acef3da3e75fc3f
Opcode Fuzzy Hash: 505191ed9d8a5dc77f0d93ab74609a79e682768bc2b6a93faaecd2b225cb14f7
Instruction Fuzzy Hash: 88118BB1100208AFEB134E659C44EBB376AEB053B9F514724FD61931E0C731DD999B50

Function 00354F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00354FCC

Strings

Ph, xrefs: 00354FA1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: MessageSend
String ID: Ph
API String ID: 3850602802-1955597793
Opcode ID: 0f92a2b8bf5f6041273c5e28a1a59ee8fad84069d0c11aad217fd5b3aa7d0ca4
Instruction ID: ecd968eca0ed99403aa9f5c92c36ae358fa981a59e6e077c3d558c2b2a4837c1
Opcode Fuzzy Hash: 0f92a2b8bf5f6041273c5e28a1a59ee8fad84069d0c11aad217fd5b3aa7d0ca4
Instruction Fuzzy Hash: 9E21F276A1020AAF8B16CFA8C950CAABBB9EB4C304B000154FD05A3360C631EA61DB90

Function 00326C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00326CB6
_wcslen.LIBCMT ref: 00326CC2

Strings

STOP, xrefs: 00326CBC, 00326CC1

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 8608bc9a5b7afe96f9af0fc4ccb4f3511680dd7cd8a3fdcc3ac5e44e130df957
Instruction ID: 21770a641c2034bd018ae738ce99fdd6664f4c1fb39307d4fe4556cc67384f3a
Opcode Fuzzy Hash: 8608bc9a5b7afe96f9af0fc4ccb4f3511680dd7cd8a3fdcc3ac5e44e130df957
Instruction Fuzzy Hash: 15012B3261053A8BCB22AFFDEC429BF33B8FF607147410539E45293195EB31D950C650

Function 002D90DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

Ph, xrefs: 00317077, 0031709D

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID:
String ID: Ph
API String ID: 0-1955597793
Opcode ID: 9c5bda7b05c41acb3d75da70d025c5567446c7b99ce2ca47bdcf308d9415eac2
Instruction ID: 0c89091cffdd6240006cec9430d90aeb050a7403b1689d5213c94aa0b70c7bb9
Opcode Fuzzy Hash: 9c5bda7b05c41acb3d75da70d025c5567446c7b99ce2ca47bdcf308d9415eac2
Instruction Fuzzy Hash: AA115B34604705AFCB26CF18D850EA5B7F6EB8D320F15821AF9259B3A0C771ED808F80

Function 002DA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002DA529

Part of subcall function 002C9CB3: _wcslen.LIBCMT ref: 002C9CBD

Strings

,%9, xrefs: 002DA509
3y1, xrefs: 002DA545, 002DA54D, 002DA552

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%9$3y1
API String ID: 2551934079-3363791809
Opcode ID: 500de4629994c8c58355e9508c4617790428124c59fdc4b9187dc856c9bf8d44
Instruction ID: 6a120ca9e2d6e605fb607a884194e71591fbc656da0e2156011b078d25270a9d
Opcode Fuzzy Hash: 500de4629994c8c58355e9508c4617790428124c59fdc4b9187dc856c9bf8d44
Instruction Fuzzy Hash: BB014E31B606105BC905F769EC5BF9D7354DB06710FD0011AF5111B3C2DE509D628E9B

Function 003590A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D9BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0031769C,?,?,?), ref: 00359111

Part of subcall function 002D9944: GetWindowLongW.USER32(?,000000EB), ref: 002D9952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 003590F7

Strings

Ph, xrefs: 003590D6

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: Ph
API String ID: 982171247-1955597793
Opcode ID: f09abd90fda0c4f7489169a05d6529d5dcc9e20aba4499408a5a7b664854a38f
Instruction ID: 0cd5f9baeca2a8ff111e0b821c6aa9d3925954fb930764534eaba327d894d921
Opcode Fuzzy Hash: f09abd90fda0c4f7489169a05d6529d5dcc9e20aba4499408a5a7b664854a38f
Instruction Fuzzy Hash: AF01FC30104215EBDB229F14DC49FA67BAAEB86366F04042AFD111B2F0CB326D55DB50

Function 00358172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00393018,0039305C), ref: 003581BF
CloseHandle.KERNEL32 ref: 003581D1

Strings

\09, xrefs: 0035818A

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \09
API String ID: 3712363035-447000637
Opcode ID: 4b169f04cbed8847eeaf3a0ec402c2103442b42aee93a7658c72eda4598545d9
Instruction ID: 4906827e95abbce9b75463f7c11f0a56662bcabd869415c586c53de843c1bbbf
Opcode Fuzzy Hash: 4b169f04cbed8847eeaf3a0ec402c2103442b42aee93a7658c72eda4598545d9
Instruction Fuzzy Hash: E2F082F5650304BEE7226762AC4AFB73A5CDB04755F000461BB0AD52A2D67A8E1487F8

Function 0034747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00347493
_wcslen.LIBCMT ref: 003474B9

Strings

3, 3, 16, 1, xrefs: 00347483

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 79797c82b6096a2042a1cce11c340273b770de568911ac9b3b501fb7b4631951
Instruction ID: dcc235febf81ea95aedee7fa355c4a5ec91c527b13fe5776f0340924717bb99c
Opcode Fuzzy Hash: 79797c82b6096a2042a1cce11c340273b770de568911ac9b3b501fb7b4631951
Instruction Fuzzy Hash: 38E02B062543A0109232327B9CC597F57C9CFC9750751182BF981D6367EB94DDA193F1

Function 00320B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00320B23

Strings

Error allocating memory., xrefs: 00320B1C
AutoIt, xrefs: 00320B17

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: abdb341e984de2b8a8567f5b66d03975d841416ebadad3cc48fbad2193544fc3
Instruction ID: 167d167fe127da27d2ee8696363f8ee172b24314ddfb16967a3902e8f79f6d9d
Opcode Fuzzy Hash: abdb341e984de2b8a8567f5b66d03975d841416ebadad3cc48fbad2193544fc3
Instruction Fuzzy Hash: 04E0D8312A43182ED21536957C07FC97B84CF09F55F10046BFB48555D38BD168644AAD

Function 002E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002E0D71,?,?,?,002C100A), ref: 002DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,002C100A), ref: 002E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002C100A), ref: 002E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002E0D7F

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ff2d1914b9202f1fb76591b9677c272f3ba0edd47c81d7f283b9cb6f09a31412
Instruction ID: 66c02cf0611d4157f6e13918447a54626eaa1f21b5c7870a75dd2b5f5455d2b5
Opcode Fuzzy Hash: ff2d1914b9202f1fb76591b9677c272f3ba0edd47c81d7f283b9cb6f09a31412
Instruction Fuzzy Hash: 1DE06D742103818FE7629FB9D884B967BE4EB00749F40492DE882C6665DBF1E4898BA1

Function 002DE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002DE3D5

Strings

0%9, xrefs: 002DE3B5
8%9, xrefs: 002DE3CA

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%9$8%9
API String ID: 1385522511-2088886512
Opcode ID: ac4b0ec4080414e84c9f845f40b4338b834ec001a2371ab2810839c040bee0ac
Instruction ID: 0a35a9359f491a5a2863771043289909fca60c3a12d410c09ec5a87068813841
Opcode Fuzzy Hash: ac4b0ec4080414e84c9f845f40b4338b834ec001a2371ab2810839c040bee0ac
Instruction Fuzzy Hash: 49E02631475D10EBCE06BB18F894EBEB359AB06320F5301E7F1028F2D19B712C928A84

Function 0031D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0031D220

Strings

%.3d, xrefs: 0031D22B
X64, xrefs: 0031D2A8

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 19d63f439766c3c2f3d55fbb6c01a51e02099196cd16be422acc007be8a710af
Instruction ID: 07b84b35f241c7689d1911bcf88bad4e7feb02c3538c96d98700a4854377e7ca
Opcode Fuzzy Hash: 19d63f439766c3c2f3d55fbb6c01a51e02099196cd16be422acc007be8a710af
Instruction Fuzzy Hash: 9CD01261818218EACF9596D0CC459F9B37CEB1E301F608853F81791440D774D9996B61

Function 00352322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0035232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0035233F

Part of subcall function 0032E97B: Sleep.KERNEL32 ref: 0032E9F3

Strings

Shell_TrayWnd, xrefs: 00352325

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5070697b854699da6578255d85b4d1308f1e882cf8dbcf0940591f720929a00e
Instruction ID: 494234a4483af6a350405606b29126052102d78feebfd7251c6eaadabd62719b
Opcode Fuzzy Hash: 5070697b854699da6578255d85b4d1308f1e882cf8dbcf0940591f720929a00e
Instruction Fuzzy Hash: DCD022323A0310BBE265B370EC1FFC6BA189B40B05F000902B305AA0E0C9F0A800CB44

Function 00352356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0035236C
PostMessageW.USER32(00000000), ref: 00352373

Part of subcall function 0032E97B: Sleep.KERNEL32 ref: 0032E9F3

Strings

Shell_TrayWnd, xrefs: 00352365

Memory Dump Source

Source File: 00000000.00000002.1457046275.00000000002C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000000.00000002.1457026942.00000000002C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.000000000035C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457116938.0000000000382000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457188127.000000000038C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1457205492.0000000000394000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c0000_Deye Union - PO # 23081377.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 11bb5903baffb4e78ff206c6fde4083fa1e4fb111b09ee010ee49a80de6df4ca
Instruction ID: 278eaf2403d86e3d33b1b2a2f49038581d25212ea0e3f47fce3a6a8de25c2180
Opcode Fuzzy Hash: 11bb5903baffb4e78ff206c6fde4083fa1e4fb111b09ee010ee49a80de6df4ca
Instruction Fuzzy Hash: E0D0A9323903107AE266B370AC0FFC6A6189B40B05F000902B201AA0E0C9B0A8008A48

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Deye Union - PO # 23081377.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autD352.tmp

C:\Users\user\AppData\Local\Temp\autD382.tmp

C:\Users\user\AppData\Local\Temp\demonetising

C:\Users\user\AppData\Local\Temp\teer

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Deye Union - PO # 23081377.exe

Function 002C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 002C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 002C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 002F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 0030065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 002C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 002C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 002C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 032125A0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 032123B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130
fileCOMMON

Function 00332947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 002F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Function 002C10F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre